Write Blocking Using the Windows Registry

It is possible to use the Windows registry to write-protect USB mass storage devices. An investigator can combine this USB write-blocking trick with a USB-IDE or USB-SATA adapter to protect the vast majority of evidence drives that he or she might encounter. The write-blocking functionality was added with Windows XP SP2, and has worked with all subsequent Windows versions, including Windows Vista (but I have not tested this with Windows 7). Below is a step-by-step guide to create a write-protect switch for USB devices on Windows.

  1. Select Start > Run or press Windows key + R
  2. Type regedit in the box that pops up.  This opens up the Windows Registry Editor.
  3. In the tree in the left pane of the editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet and highlight the ‘Control’ key by clicking on it.
  4. Right-Click on the ‘Control’ key and select New > Key
  5. Name the new key StorageDevicePolicies
  6. Right-Click on StorageDevicePolicies and select New > DWORD
  7. Name it WriteProtect
  8. Right-Click on WriteProtect and select Modify
  9. Change the value of WriteProtect to a 1; this enables write protection
  10. Right-Click on StorageDevicePolicies and select Export.  This creates a .reg file that will apply this key to the registry when double-clicked.  Save this file on your Desktop as ‘USB Write Protection On’.
  11. Right-Click on WriteProtect and select Modify; change the value to 0.  This allows writes to occur once more.
  12. Right-Click on StorageDevicePolicies and select Export again.  Save this .reg file on your Desktop as ‘USB Write Protection Off’.
  13. Now simply double-click on either .reg file to enable or disable USB write protection.

Note: From my experience the write-protection only applies to devices plugged into the computer after the registry changes have been applied.  It may still be possible to write to the disk if it was attached prior to the “USB Write Protection On” file being applied.  Be sure to always apply this setting before plugging in any evidence items.
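
The same switch can be scripted, with a read-back of the value and a check for USB disks that were already attached (the case the note above warns about). This is an added example, not part of the original post; it assumes an elevated PowerShell 3.0 or later prompt, and the function names `Set-UsbWriteProtect` and `Get-AttachedUsbDisk` are chosen for illustration.

```powershell
#Requires -Version 3.0
# Added example: set StorageDevicePolicies\WriteProtect, verify it, and flag
# USB disks that were attached before the change. Run elevated (HKLM write).

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-AttachedUsbDisk {
    # Disks that WMI currently reports with InterfaceType 'USB'.
    # Treat an empty result as a hint, not proof that nothing is attached.
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        Select-Object DeviceID, Model, SerialNumber
}

function Set-UsbWriteProtect {
    param(
        [Parameter(Mandatory = $true)]
        [bool]$Enabled
    )

    $value = [int]$Enabled   # 1 = write protection on, 0 = off

    # Steps 4-5: create the StorageDevicePolicies key if it does not exist.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    # Steps 6-9 (and 11): create or overwrite the WriteProtect DWORD.
    New-ItemProperty -Path $PolicyKey -Name 'WriteProtect' `
        -PropertyType DWord -Value $value -Force | Out-Null

    # Read the value back instead of assuming the write succeeded.
    $actual = (Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect').WriteProtect
    if ($actual -ne $value) {
        throw "WriteProtect is $actual, expected $value"
    }

    # Per the note: devices attached before the change may still be writable.
    if ($Enabled) {
        $already = @(Get-AttachedUsbDisk)
        if ($already.Count -gt 0) {
            Write-Warning ("USB disks attached before write protection was enabled; " +
                "detach and re-attach them before relying on it:`n" +
                ($already | Format-Table -AutoSize | Out-String))
        }
    }
    return $actual
}

# Enable write protection before plugging in any evidence item.
Set-UsbWriteProtect -Enabled $true
```

Call `Set-UsbWriteProtect -Enabled $false` to allow writes again.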


One thought on “Write Blocking Using the Windows Registry”

  1. Create two shortcuts on desktop and point to location of exported write block on/off configurations. If it persists on opening in text editor then right click, select properties, and change “open with” to “Registry Editor” and the on/off blocking will toggle with the registry value (i.e. on or off) selected. Only applies to newly connected devices that are not plugged in at time of toggling write block on or off, which is useful but beyond the scope of discussion here.
