Self-protection
v1 enforcement is user-mode. We're upfront about that — a determined local administrator with elevated PowerShell can defeat it. v2 closes that gap with kernel-mode enforcement. v1 raises the bar against casual tampering with three mechanisms:
Service ACL
On install, the service security descriptor is set to deny STOP / PAUSE / CHANGE_CONFIG to non-administrators. A regular user can't run `Stop-Service PermitUSB.Agent` from a non-elevated PowerShell. An administrator with elevated PowerShell still can — that's the user-mode limit.
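An added example of what such a service descriptor looks like and how to verify it; this is not PermitUSB's installer code, and the SDDL string is an assumption of a descriptor with the stated properties, not the one the product ships. It uses only `sc.exe sdset` / `sc.exe sdshow`, which exist on every supported Windows version:

```powershell
# Added example, not PermitUSB's installer code. It applies and checks a service
# security descriptor of the kind the text describes: STOP, PAUSE and
# CHANGE_CONFIG reachable only by administrators. The SDDL below is an
# assumption of what such a descriptor looks like, not the one PermitUSB ships.
# Run from an elevated PowerShell; sc.exe sdset needs administrator rights.

$ServiceName = 'PermitUSB.Agent'

# SDDL service-right letters:
#   CC QueryConfig  DC ChangeConfig  LC QueryStatus   SW EnumerateDependents
#   RP Start        WP Stop          DT PauseContinue LO Interrogate
#   CR UserDefinedControl  SD Delete  RC ReadControl  WD WriteDac  WO WriteOwner
# SY (LocalSystem) and BA (Administrators) keep control; AU (Authenticated
# Users) may only query. Rights that are not granted are denied, so WP, DT and
# DC are unavailable to ordinary users. The SACL keeps the default failure audit.
$HardenedSddl = 'D:' +
    '(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
    '(A;;CCLCSWLOCRRC;;;AU)' +
    'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)'

function Set-ServiceSddl {
    param([string]$Name, [string]$Sddl)
    $out = & sc.exe sdset $Name $Sddl 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed: $out" }
}

function Get-ServiceSddl {
    param([string]$Name)
    $out = & sc.exe sdshow $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed: $out" }
    # sdshow prints a blank line and then the descriptor; keep the descriptor.
    ($out | Where-Object { "$_" -match '^D:' }) -join ''
}

function Test-NoStopForNonAdmins {
    param([string]$Sddl)
    # True when no allow ACE for a trustee other than SY/BA grants WP, DT or DC.
    $dacl = ($Sddl -split 'S:')[0]
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        $type = $f[0]; $rights = $f[2]; $trustee = $f[5]
        if ($type -ne 'A' -or $trustee -in @('SY', 'BA')) { continue }
        # Rights are two-letter codes; walk them in pairs.
        for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) {
            if ($rights.Substring($i, 2) -in @('WP', 'DT', 'DC')) { return $false }
        }
    }
    return $true
}

Set-ServiceSddl -Name $ServiceName -Sddl $HardenedSddl
$applied = Get-ServiceSddl -Name $ServiceName
"Applied descriptor: $applied"
"Non-admins cannot stop/pause/reconfigure: $(Test-NoStopForNonAdmins $applied)"
```

After applying, `Stop-Service PermitUSB.Agent` from a non-elevated session fails with an access-denied error, while the elevated path the text describes still works because BA keeps WP (Stop) in its ACE.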
Watchdog
Every ~30 seconds, the agent walks its known set of disabled USB devices via `Win32_PnPEntity`. For each device the agent itself has previously disabled, if it's now enabled, the watchdog re-disables it and emits a `watchdog_re_disable` tamper event.
The set is only the devices the agent itself disabled. Devices that existed before the agent ever ran (mice, keyboards, internal peripherals) are never touched by the watchdog. This prevents "the agent disabled my mouse" failure modes.
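An added example that implements the watchdog rule as described; it is not the agent's own code. The state-file and event-file paths and the JSON-lines event format are assumptions for the example, and the tracked set is read from a file the agent would write when it disables a device (the page does not document the real store):

```powershell
# Added example, not PermitUSB's agent code. Implements the watchdog rule the
# text describes: only devices the agent itself disabled are tracked, and any
# tracked device found enabled again is re-disabled and a watchdog_re_disable
# tamper event is recorded. Paths and the JSON-lines event format are
# assumptions; the agent's real state store is not documented here.
# Requires the PnpDevice module (Windows 8 / Server 2012 and later) and admin rights.

$StatePath = 'C:\ProgramData\PermitUSB-example\disabled-devices.json'  # assumed path
$EventPath = 'C:\ProgramData\PermitUSB-example\tamper-events.jsonl'    # assumed path

function Get-TrackedDeviceIds {
    # The tracked set: instance IDs the agent disabled. Pre-existing devices
    # (mouse, keyboard, internal hubs) never enter this file, so the watchdog
    # can never touch them.
    if (-not (Test-Path $StatePath)) { return @() }
    @(Get-Content $StatePath -Raw | ConvertFrom-Json)
}

function Write-TamperEvent {
    param([string]$Kind, [string]$InstanceId, [string]$Detail)
    $evt = [ordered]@{
        time        = (Get-Date).ToUniversalTime().ToString('o')
        kind        = $Kind
        instance_id = $InstanceId
        detail      = $Detail
    }
    Add-Content -Path $EventPath -Value ($evt | ConvertTo-Json -Compress)
}

function Invoke-WatchdogPass {
    param([string[]]$Tracked)
    # One CIM query for all present devices, indexed by PNPDeviceID.
    $present = @{}
    Get-CimInstance -ClassName Win32_PnPEntity | ForEach-Object {
        if ($_.PNPDeviceID) { $present[$_.PNPDeviceID] = $_ }
    }

    foreach ($id in $Tracked) {
        $dev = $present[$id]
        if (-not $dev) { continue }            # unplugged: nothing to enforce
        # ConfigManagerErrorCode 22 = "This device is disabled"; anything else
        # means the device is usable again and must be re-disabled.
        if ($dev.ConfigManagerErrorCode -eq 22) { continue }
        try {
            Disable-PnpDevice -InstanceId $id -Confirm:$false -ErrorAction Stop
            Write-TamperEvent -Kind 'watchdog_re_disable' -InstanceId $id `
                -Detail "found enabled ($($dev.Name)); re-disabled"
        } catch {
            Write-TamperEvent -Kind 'watchdog_re_disable' -InstanceId $id `
                -Detail "found enabled ($($dev.Name)); re-disable FAILED: $($_.Exception.Message)"
        }
    }
}

# Main loop: ~30 s cadence, re-reading the tracked set each pass so devices the
# agent disables later are picked up without a restart.
while ($true) {
    Invoke-WatchdogPass -Tracked (Get-TrackedDeviceIds)
    Start-Sleep -Seconds 30
}
```

The important design choice is that the enumeration result is only ever consulted for IDs already in the tracked set; the watchdog never decides on its own that a device should be disabled, which is what keeps pre-existing peripherals out of scope.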
Stale-policy fail-closed
If the agent can't reach the cloud for longer than the configured staleness window (default 7 days), it ignores its cached policy and falls back to default-block. The tray shows an amber "Policy stale" indicator. See stale-policy for the full mechanism.
What this catches
- Casual users running `Stop-Service` from a normal terminal
- Admins re-enabling a blocked device via Device Manager (re-disabled within 30 s, tamper event logged)
- Refresh-token replay attempts (caught by the rotation counter; tenant locked + tamper logged)
- Long offline periods used to "outwait" enforcement (stale-policy default-blocks)
What it doesn't catch
- An elevated admin running `sc stop PermitUSB.Agent` — the SDDL allows that.
- An elevated admin uninstalling the agent entirely. (You'll see the endpoint stop sending events; alerting can flag this.)
- An attacker with kernel-mode access. v2 driver mode is the answer.
Tamper events surface in the dashboard at /tamper-events with severity badges. Configure email / webhook alerts on the `watchdog_re_disable`, `service_stop_attempt`, `refresh_token_replay`, and `policy_stale` kinds for proactive notification.
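An added example, not part of PermitUSB, of the two alerting rules this page suggests run over a constructed sample of agent events: raise on the four alertable kinds, and flag an endpoint that has stopped sending events, which is how an uninstalled agent appears from the dashboard side. The record shape (`host`, `kind`, `time`, `instance_id`) and the `heartbeat` kind are assumptions made for the example; the dashboard's real export format is not documented here.

```powershell
# Added example, not part of PermitUSB. It runs the two alerting rules the text
# suggests over a constructed sample of agent events: (1) raise on the alertable
# tamper kinds, (2) flag an endpoint that has gone quiet. The record shape
# (host, kind, time, instance_id) and the 'heartbeat' kind are assumptions made
# for this example; the dashboard's real export format is not documented here.

$AlertKinds = @('watchdog_re_disable', 'service_stop_attempt', 'refresh_token_replay', 'policy_stale')
$SilenceThreshold = New-TimeSpan -Hours 2                  # assumed tolerance
$Now = [datetimeoffset]::Parse('2024-05-01T12:00:00Z')     # fixed clock so the run is reproducible

# Constructed sample, one JSON record per line. WS-0277 last reported hours ago.
$SampleEvents = @'
{"host":"WS-0142","kind":"heartbeat","time":"2024-05-01T11:58:00Z"}
{"host":"WS-0142","kind":"watchdog_re_disable","time":"2024-05-01T11:41:10Z","instance_id":"USB\\VID_0000&PID_0000\\EXAMPLE0001"}
{"host":"WS-0277","kind":"heartbeat","time":"2024-05-01T07:10:00Z"}
{"host":"WS-0319","kind":"refresh_token_replay","time":"2024-05-01T11:59:30Z"}
{"host":"WS-0319","kind":"heartbeat","time":"2024-05-01T11:59:45Z"}
{"host":"WS-0402","kind":"heartbeat","time":"2024-05-01T11:55:00Z"}
{"host":"WS-0402","kind":"device_blocked","time":"2024-05-01T11:56:00Z"}
'@

function ConvertFrom-EventLines {
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $e = $line | ConvertFrom-Json
        # ConvertFrom-Json may or may not turn the timestamp into a DateTime;
        # casting to DateTimeOffset handles both and preserves the instant.
        [pscustomobject]@{
            Host       = $e.host
            Kind       = $e.kind
            Time       = [datetimeoffset]$e.time
            InstanceId = $e.instance_id
        }
    }
}

function Get-KindAlerts {
    param([object[]]$Events)
    # Rule 1: every event of an alertable kind becomes a notification.
    $Events | Where-Object { $_.Kind -in $AlertKinds } | ForEach-Object {
        [pscustomobject]@{ Rule = 'tamper_kind'; Host = $_.Host; Kind = $_.Kind; Time = $_.Time; InstanceId = $_.InstanceId }
    }
}

function Get-SilentEndpoints {
    param([object[]]$Events, [datetimeoffset]$AsOf, [timespan]$Threshold)
    # Rule 2: any event counts as a sign of life; alert when the gap since the
    # last one exceeds the threshold.
    $Events | Group-Object Host | ForEach-Object {
        $last  = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        $quiet = $AsOf - $last
        if ($quiet -gt $Threshold) {
            [pscustomobject]@{ Rule = 'endpoint_silent'; Host = $_.Name; LastSeen = $last; Quiet = $quiet }
        }
    }
}

$events = @(ConvertFrom-EventLines $SampleEvents)
$alerts = @(Get-KindAlerts $events) + @(Get-SilentEndpoints $events $Now $SilenceThreshold)
$alerts | Format-Table -AutoSize
```

On the sample this yields three alerts: the `watchdog_re_disable` on WS-0142, the `refresh_token_replay` on WS-0319, and an `endpoint_silent` for WS-0277, whose last event is almost five hours old. `device_blocked` is ordinary enforcement and is deliberately not alertable. Feed `$alerts` into `Send-MailMessage` or `Invoke-RestMethod` against your webhook to get the proactive notification the text recommends.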