Monday, January 20, 2014

Daily Blog #211: Sunday Funday 1/19/14 Winner!

Hello Reader,
           Another Sunday Funday come and gone, more great information for everyone to benefit from. I liked this answer because it went into depth on differences between different versions of the OS and directly spoke to the questions being asked. I've been doing my own research into this issue that I'll be blogging out after the MTP series is finally completed but this weeks Anonymous winning answer best responded to the challenge posed.

The Challenge:
Since Windows XP we've been able to create a registry key that will treat USB devices as a read only. Answer any or all of the following questions to show how well you understand that functionality:

1. How does the write blocking become effective between XP, Vista and 7? What steps between applying the registry key and the write protection coming into effect need to take place.
2. What windows subsystem is enforcing the write protection?
3. What happens to USB devices already plugged in when the write protection?
4. Can anything bypass the write protection offered by this registry key?
5. Does this registry key protect MTP USB Devices?
6.  Why does this registry key not protect non USB Devices?

The Winning Answer:
Anonymous



  1. How does the write blocking become effective between XP, Vista and 7? What steps between applying the registry key and the write protection coming into effect need to take place.
In Windows XP and later a user can add/modify the registry value “WriteProtect” found in HKLM\System\CurrentControlSet\Control\StorageDevicePolicies to enable write blocking for USB devices.
The StorageDevicePolicies key may not exist by default and must be added by an administrator. If the value is set to “00000001” then all newly connected USB drives will be write blocked.
In the test that I performed on Windows 7 the effect was immediate, however according to an article on Howtogeek.com (1), on Windows XP; a restart is required when the key is initially added.
1. http://www.howtogeek.com/howto/windows-vista/registry-hack-to-disable-writing-to-usb-drives/ - Not that the reg files provided are mixed up and the “EnableUSBWrite” sets the key to 00000000.
2. What windows subsystem is enforcing the write protection?
Unsure.
The Plug-and-Play manager receives notification that a drive has been connected and then queries a number of keys in the SYSTEM hive. I imagine that it looks for the StorageDevicePolicies key if it exists and acts accordingly.
2. Windows Registry Forensics, Carvey, p 110.
3. What happens to USB devices already plugged in when the write protection?
If a USB device is currently connected when the registry key is changed it will remain writeable until it is removed and reconnected.
4. Can anything bypass the write protection offered by this registry key?
Yes, using a hex editor will bypass this kind of write protection (but not a physical write blocker).
5. Does this registry key protect MTP USB Devices?
No.
I performed a quick test using my Nexus 5 and saw that it mounted as a portable device. I then successfully copied a file onto the device even though write protection was enabled.
6.  Why does this registry key not protect non USB Devices?
Unsure.
I imagine it has something to do with the way that Windows checked the registry key before it mounts USB drives but not before it mounts hard drives or portable devices.
It is possible to write protect hard disks using diskpart