How To Enable Or Disable Write Protection For USB Devices In Windows

by Sunny Hoi

Introduction

Prior to connecting the suspect drive to your own digital forensic workstation, it is essential to enable write-blocking protection on your USB drives since operating systems will write data and alter existing metadata available on disks and USB devices in the time of booting.

In this tutorial, we will illustrate how to carry out write-protection to USB external hard drives to hinder Windows from contaminating your evidence drives.

Evidently, there are hardware devices that can carry out the same capability, though our main focus in this tutorial will be deploying software to achieve the same results without spending any money.

The Manual Approach

The instructions in this section are for users who are using Windows XP, Vista, and Windows 7.

If you are using Windows 8 and Windows 10, you will want to skip this section and visit the “Windows 8 & 10” section to read instructions on the process of altering the Windows Registry to enable write protection which will differ slightly.

In the Windows search bar, either type “regedit” to access the Windows Registry Editor or type “run” and click to open the “Run” application.

If using the second method, you will want to type “regedit” in the Run application and click on “OK” to proceed.

Method 1
Method 2
Method 2

Browse the registry to the following location:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

In the right pane of “USBSTOR“, we will locate the “Start” property. To proceed, right-click on “Start” and choose “Modify“, alter its “Value data” to “4” in order to disable writing to USB devices.

Note that by default the value data is set to “3” which allows writing to USB drives.

To test the registry modifications, plug your USB device into your computer, and the computer will be unable to recognize it now.

To enable the functionality, change the “Start” property’s “Value data” back to “3“.

Windows 8 & 10

If you are using Windows 8 and Windows 10, the entire process to modify the Windows Registry to enable write protection will differ slightly.

Browse the registry to the following location:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies

In the right pane of “StorageDevicePolicies“, we will locate the “WriteProtect” property. To proceed, right-click on “WriteProtect” and choose “Modify“, alter its “Value data” to “1” in order to enable write protection from a USB drive.

To remove write protection, alter the value from “1” to “0“.

Bear in mind that if you cannot locate the “StorageDevicePolicies” folder, you will have to make a StorageDevicesPolicies key and a WriteProtect DWORD value. We will illustrate how to create a StorageDevicesPolicies key and a WriteProtectDWORD Value in the following section.

After applying the registry modifications, you’ll want to close the Windows Registry Editor and restart your computer.

Creating A StorageDevicesPolicies Key & A WriteProtectDWORD Value

Browse the registry to the following location:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

In the right pane of “Control“, we will proceed by right-clicking empty white space, click on “New“, and then select “Key“.

In the left pane of Folders, label the key “StorageDevicePolicies” and press Enter.

Under the Folders pane, choose “StorageDevicePolicies“.

In the right pane of “StorageDevicePolicies“, we will proceed by right-clicking empty white space, click on “New“, and then select “DWORD (32-bit) Value“.

Label the value “WriteProtect” and press Enter.

Proceed by double-clicking the “WriteProtect” value to open the “Edit DWORD” dialog box and enable write protection by changing its value from “0” to “1“.

The Automatic Approach

Removable Access Tool

Removable Access Tool (Ratool) is a simple to deploy portable freeware application that assists in controlling external storage devices. The software supports Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10.

Ratool v1.3 may disable USB storage access or enable write protection on each USB flash drive which will hinder data from being altered or deleted.

There are three options available to choose from:

  1. Allow Read & Write (Default). This is the default option and provides regular access to USB devices.
  2. Allow Read Only. This option restrains users from writing anything on the USB device but permits them to access any information kept on it.
  3. Disable USB Disks Detection. This option disables any USB storage access to your computer.

Bear in mind that after you apply the modifications, you will be required to restart your computer in order to apply the changes.

DiskPart

DiskPart is a utility included in Microsoft operating systems.

In the Windows search bar, type “diskpart” to access the utility in an elevated command prompt.

In the elevated command prompt, type “diskpart” and press Enter.

Type “list disk” and press Enter.

You will see a list of mounted disks show up in the elevated command prompt. You will proceed by locating your USB drive and make a note of the disk number (Example: Disk 1) for the disk you wish to enable or disable write protection for.

Enter the command “select disk #” and press Enter. Replace “#” in the command with the “disk #” you wish to enable or disable write protection for.

After the disk is selected, DiskPart reveals a message stating that the disk is now the selected disk.

To enable write-protection for the disk, enter the command “attributes disk set readonly“. Once write-protection has been enabled for the disk, DiskPart will show a message stating that “Disk attributes cleared successfully” which indicates that the disk is now write-protected.

To disable write-protection for the disk, enter the command “attributes disk clear readonly“. Once write-protection has been removed from the disk, DiskPart will show a message stating that “Disk attributes cleared successfully” which indicates that the disk is no longer write-protected.

When you are finished, type “exit” and press Enter to close the elevated command prompt.

USB Disabler

USB Disabler is a program that permits you to enable or disable USB storage access on your Windows system. The software supports Windows 7/Windows Vista/Windows XP.

You may select the “Disabled” option to disable write blocking to the USB device.

Alternatively, you may select “Read Only” to permit only reading the USB device’s contents.

The “Normal” option permits you to read and write to the USB device.

Zokif USB Flash Disabler/Enabler

Zokif USB Flash Disabler/Enabler is a light utility that permits you to enable or disable writing to USB devices easily without requiring direct access to the system’s registry. The software supports Windows Vista and Windows 7.

The application will modify the “Start” property “Value data” to either “3” (To enable writing to USB devices.) or “4” (To disable writing to USB devices.)

Conclusion

As we can see, digital forensic professionals can apply write-protection to USB devices easily by either manually altering their registry or using software to prevent the operating system from potentially contaminating their evidence drives. These discussed methods will permit the forensic professional to produce a valid forensic image as part of an investigation.

Forensic investigators may also deploy hardware write-blockers which permit them to easily connect the suspect drive to their forensic workstations and boot the operating system as usual.

Evidently, there are times where a hardware write-blocker is not available or a student is on a tight budget. In such cases, manually modifying the registry or deploying software will be more convenient and cost-free.

Related Posts