Yeah, "here's an executable you run it." is not a great approach.
I have seen a "killswitch" in action deployed en mass. You want to hook the .dll (possibly even replace the windows version of the .dll). By grabbing it at the OS level there is a less noticeable action/reaction to the plugging in of usb devices. If the machine just turns off the port/device then mitigation has occurred. Have windows log the time, users logged into the machine and other details for automated reporting. The "attacker," who could be a disgruntled employee, will think the machine is locked down, or even that his attack was successfully silent.