Submit a ticketCall us

Training Class Getting Started with SolarWinds Backup - February 28

This course offers customers an introduction to SolarWinds Backup, focusing on configuring the backup technology, taking backups, data restoration and data security. It is a great primer and will get you up to speed quickly on SolarWinds Backup.
Register for class.

Home > Success Center > Log & Event Manager (LEM) > USB Defender Local Policy Advanced Operation

USB Defender Local Policy Advanced Operation

Table of contents

Updated November 2, 2017


This article describes additional functionality and options available in the configuration of the USB Defender Local Policy Connector white list file. Beyond adding only the username or the PID of the USB device, there are other fields contained within the Windows Application event log data that can be included in the UDLP white list file.


This article provides advanced information for additional features. The steps for Configuring UDLP initially are covered here.


  • LEM, all versions

  • Agents with USB Defender Installed and the USB Defender Local Policy Connector enabled


USB Defender writes events to the Windows Application Log for parsing via the Windows Application connector and use with the UDLP connector.  Within the Application log event there is additional detail that is not normalized and sent to the LEM, but can be used with the UDLP white list file to create more complex comparisons and a more restricted policy.


First, an example of the event:


USB Device Found at Service Start
Device ID: USB\VID_08E6&PID_3437\5&2EED174E&0&2
Serial number: 5&2EED174E&0&2
Device name: \\?\usb#vid_08e6&pid_3437#5&2eed174e&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Device path: \\?\usb#vid_08e6&pid_3437#5&2eed174e&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Friendly name:
Description: USB Smart Card Reader
Manufacturer: Gemplus
Device setup class: SmartCardReader
Setup class guid: {50DD5230-BA8A-11D1-BF5D-0000F805F530}
    Lock supported: No
    Eject supported: No
    Removable: Yes
    Dock device: No
    Unique ID: No
   Silent install: No
    Raw device ok: No
    Surprise removal ok: Yes
    Hardware disabled: No
    Nondynamic: No
    Disabled: No
    Removed: No
    Manual install: No
    Ignore boot: No
    Net boot: No
    Reinstall: No
    Failed install: No
    Cannot stop a child: No
    Can remove ROM: No
    No remove at exit: No
    Finish install: No
    Needs forced configuration: No
    Partial log configuration: No
Driver software key: {50DD5230-BA8A-11D1-BF5D-0000F805F530}\0000
Service name: GTwinUSB
Device address: 2
Bus number: 0
Bus type guid: {9D7DEBBC-C85D-11D1-9EB4-006008C3A19A}
Device type:
Enumerator name: USB
Legacy bus type: 15
Hardware location: USB SmartCard Reader
Physical device object name: \Device\USBPDO-5
Security descriptor:
Hardware IDs::
Compatible IDs:


Beyond using simply the username or Device ID (PID) as covered in the Configuration article, additional fields from the event can be used. For example:


  • Device ID
  • Serial number
  • Domain
  • User
  • Computer
  • Device setup class


UDLP also supports comments. Blank lines and comments are ignored by the tool. Comment lines can be defined by beginning with two forward slashes. Additionally, the USB Defender Local Policy supports operators for more restrictive lists. Each individual line is considered an OR statement. Each line can be turned into a complex line supporting AND statements with the usage of |&| with examples below:


// Specify allowed usb flash drive and only then when logged in user is Joe Bigshot

Serial number: 5&2EED174E&0&2|&|User: jbigshot

// All Smart Card Readers are allowed:

Device setup class: SmartCardReader

// Allow all devices when this particular user is logged onto this particular computer

domain: MYNETWORK|&|user: ksmith|&|computer: workstation12


USB-Defender automatically detects changes to the White List file and reloads it when the manager distributes an updated file to the agent. The USB-Defender service does not need to be restarted.


Note:  The file is sensitive to spacing. Include the property name, colon (:), a space, and then the property value as outlined in the examples above.




Last modified