USB Write-Block Feature – Limitations & Findings

    We recently introduced the USB Write-Block feature in OSForensics, which relies on registry-based write protection. During testing, we identified some limitations users should be aware of.

    Observed Limitations
    1. Enabling USB write-block only affects USB devices that are plugged into the machine after it has been enabled
      • Any USB keys that were already plugged in when write-block was enabled remain writable
      • If write blocking is required for those devices, they need to be unplugged and plugged back in
      • Ideally, a device would be plugged in only after write-blocking has been enabled
    2. OSForensics sometimes displays an "Unknown" write-block state
      • OSForensics will ask the user if it may perform a write test on the USB device to determine whether write-blocking is enabled as far as that device is concerned
      • Sometimes that information can be out of date and therefore incorrect
    3. Disabling USB write-block will attempt to reinitialize the device afterwards so that the change takes effect on that drive
      • On some devices the re-initialization will succeed and the change will take effect
      • On other devices the change will not take effect until they have been unplugged and plugged back in


    It is also possible to disable USB write blocking with the following registry modifications (even if you can't launch OSF):
    Code:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
    "Deny_Write"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
    "WriteProtect"=dword:00000000
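
A read-only way to confirm the state of the two registry values above before attaching evidence media. This is an added example, not OSForensics code or part of the original post; the function name `Get-UsbWriteBlockPolicy` is hypothetical, and treating a missing key or value as 0 is an assumption.

```powershell
# Added example: reads (never writes) the two policy values named in the post.
function Get-UsbWriteBlockPolicy {
    $policies = @(
        @{ Name = 'Deny_Write'
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' },
        @{ Name = 'WriteProtect'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' }
    )
    foreach ($p in $policies) {
        # Assumption: a missing key or value counts as 0 (not set).
        $item  = Get-ItemProperty -LiteralPath $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        $value = 0
        if ($null -ne $item) { $value = [int]$item.($p.Name) }
        [pscustomobject]@{
            Name    = $p.Name
            Present = ($null -ne $item)
            Value   = $value
            Path    = $p.Path
        }
    }
}

$state = @(Get-UsbWriteBlockPolicy)
$state | Format-Table Name, Present, Value -AutoSize

$set = @($state | Where-Object { $_.Value -ne 0 })
if ($set.Count -eq 0) {
    Write-Output 'Both values are 0 or absent: registry-based USB write-block is off.'
} else {
    Write-Output ('Non-zero policy value(s): {0}' -f ($set.Name -join ', '))
    # Limitation 1: the registry cannot show whether a disk was attached before
    # or after the policy was set, so list what is connected right now.
    $usb = @(Get-Disk | Where-Object { $_.BusType -eq 'USB' })
    if ($usb.Count -gt 0) {
        Write-Output 'USB disks connected now (re-plug any attached before write-block was enabled):'
        $usb | Format-Table Number, FriendlyName, SerialNumber -AutoSize
    }
}
```

Run it from an elevated or standard PowerShell prompt; reading these keys does not require changing anything on the system.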