USB storage devices have been one of the best technology inventions in recent years. These days it is possible to carry around a flash drive or memory card with hundreds of Gigabytes of capacity in your pocket. Unfortunately, the rise in portable USB drives has made it easier for malicious files to spread from computer to computer. Before opening a USB drive with unverified content, it’s always wise to scan it first for malware to be safe.
Windows has a few hidden away settings that allow a bit more control over access and writing to USB storage devices. For instance, a drive can be write protected meaning no data can be written to it. Normally you would need a small switch on the device itself to do that. You can also deny access to USB drives completely so they don’t show in Windows at all. This could be a useful security measure if you have careless users that constantly insert drives with malicious files.
These settings are mostly based in the registry so you have to either use Regedit or a third party utility that can do it for you. Here we show you some ways to write protect or deny access to your USB storage devices.
Note: These settings only affect the local system, so while your computer might have the write protect option set, other systems will still have full read and write access. Apart from one solution below, all USB storage devices will be affected with the same setting so you cannot selectively choose which drives have write access and which don’t.
1. USB Disk Manager
USB Disk Manager is a simple tool to use and it has three main functions for your USB storage devices. The first is a standard write protect which makes all devices you insert read only. Inserting any drive after this change makes the cut, copy, delete and rename options disappear in the Explorer right click context menu. Also the Del or Ctrl+X shortcut keys won’t work.
The Execute Deny option is a useful security measure as it stops any executables running from the drive. That’s handy if you have received the drive and are not sure if the contents are safe. The third option disables USB storage devices totally. This means they don’t appear in Windows Explorer and cannot be read from or written to.
The disable autorun in settings might be useful for older systems while applying the settings only for the logged on user means other users can have different USB device configurations. The option to copy the program to USB disks and autorun it is outdated now as Windows 7 and newer systems have USB autorun fully disabled. USB Disk Manager is portable and only consumes about 1MB of memory running in the background.
2. USB Write Protect
USB Write Protect is a tool that is very easy to use and informative enough for users to know what it’s doing. There are three main options. The top option is probably the most useful; it enables write protection on storage devices so they can’t be written to. USB Device Lock will disable the Windows USB storage driver so devices are not even recognized by the system.
The last option stops autorun from launching on USB devices although autorun is disabled on Windows 7 and newer systems anyway. Therefore, it might be useful for older operating systems only. At the bottom you can create a password which is required when opening the user interface to change any settings. This isn’t very secure though as the password is stored as plain text in the registry and you can simply use another method here to bypass it.
3. Phrozen Safe USB
Phrozen Safe USB is quite a basic tool that does the plain and simple task of altering the write protect status of USB storage devices you connect to the system. From the default of full access, you can change the setting to read only which prevents writing to the device. The other option is disable which prevents access to USB storage devices by disabling the USB storage driver.
Simply select the required option and insert or reinsert a USB drive for the change to take effect. Phrozen Safe USB has a tray icon context menu to quickly switch between the modes if you want to leave it running in the background. There are additional options to disable the USB autoplay dialog, start the tool with Windows and set up a password when opening the window or changing the access mode. Phrozen Safe USB is also a portable program.
4. URC Access Modes
URC Access Modes is a protection tool that allows you to enable or disable a number of system settings. Once configured the program is then locked with a password. The interesting thing about the tool is it changes security permissions in the system registry for each setting so you cannot use the other methods here, run .REG files or edit the registry without knowledge of resetting the permissions.
The two options that we’re interested in are USB Access Mode and the Lock mode for inserted devices. Access Mode is the standard option of allowing USB drives the default full read and write access, making them read only or making the devices invisible to the system. The lock option is similar to a complete disable; the main difference is that after a reboot the devices can be recognized by the system but not opened or accessed.
There are also options to enable/disable ROM drives, Registry Editor, Group Policy Editor, Task Manager, Command Prompt and file/folder options. The password is effective against tampering by average users, but settings can still be changed by a program like PC Hunter if you forget it. URC Access Modes is a standalone portable executable but make sure you have an archiving program handy as the file downloads in a RAR archive.
5. Wenovo USB Disks Access Manager
USB Disks Access Manager is the simplest tool here to use and only has three options to choose from. By default the system will have both read and write access. This can be changed to read only, preventing any data being written, or to disable, which stops the device from showing up in Explorer by disabling the USB storage driver.
After the selection has been made press Apply and (re)insert any USB storage devices for the changes to take effect. Even though the program downloads with the word “setup” in its filename, it is actually a portable executable.
6. Disable USB Access Or Write Protect Drives By Editing The Registry
For the most part, the tools above disable or enable USB device write access through the registry and one simple value change does it. Complete denial of access to the USB device is also another registry value change.
We won’t cover manually editing the registry to write protect a USB drive here as it’s covered in another article. If you would like to know how to do it, read the article and the section on editing the registry yourself to enable write protection.
We’ve also covered how to disable removable storage devices such as USB drives by editing the registry elsewhere. Remember, attached USB storage devices will have to be reinserted for the changes to be applied.
7. Write Protect A Single USB Device
The disadvantage of the methods above is that the changes affect all devices attached to the system. All USB flash drives, memory cards or hard drives will be write protected until the setting is changed to full access. This solution write protects only those drives you want on the local system; other systems will still have full access.
1. Open an admin Command Prompt (press Ctrl+Shift+Enter after typing cmd into Start) and type Diskpart.
2. Type List Disk to see the list of attached disks. Find the number corresponding to the USB storage device you want to write protect and enter Select Disk #.
3. Type Attributes disk set readonly. To confirm read only has been set, you can optionally type attributes disk. If Read-only says Yes then it was successful and your drive is write protected on next insert. Type Exit and close the Command Prompt. To disable write protect for that drive, enter Attributes disk clear readonly instead.
This method is not a secure solution because the ID given to the device in the registry differs depending on which USB port it’s plugged into. Use another port and a new ID with a new write protect value will be created, allowing full access. An obvious but inefficient workaround is attaching the drive to all USB ports in turn and setting the write protect flag for each.
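The Diskpart steps above can also be scripted with the Get-Disk and Set-Disk cmdlets from the built-in Storage module, which makes it easy to re-check the flag after a drive has been moved to a different port. This is an added example, not part of the original article; the function names Get-UsbDiskState and Set-UsbDiskReadOnly are hypothetical, and the disk number in the usage comments is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and set the per-disk read-only attribute on USB disks.
# Get-Disk and Set-Disk ship with the Storage module (Windows 8 / Server 2012 and later).

function Get-UsbDiskState {
    # One row per attached USB disk, including the flag Diskpart reports as "Read-only".
    Get-Disk | Where-Object BusType -eq 'USB' |
        Select-Object Number, FriendlyName, SerialNumber,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } },
            IsReadOnly
}

function Set-UsbDiskReadOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [int] $Number,   # disk number as shown by List Disk / Get-Disk
        [bool] $ReadOnly = $true                # $false clears the attribute again
    )

    $disk = Get-Disk -Number $Number -ErrorAction Stop

    # Guard against a mistyped disk number: only touch removable USB disks,
    # never the disk Windows boots from.
    if ($disk.BusType -ne 'USB') {
        throw "Disk $Number is on bus '$($disk.BusType)', not USB; refusing to change it."
    }
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $Number is a boot or system disk; refusing to change it."
    }

    if ($PSCmdlet.ShouldProcess("Disk $Number ($($disk.FriendlyName))", "Set IsReadOnly = $ReadOnly")) {
        Set-Disk -Number $Number -IsReadOnly $ReadOnly
    }

    # Read the attribute back rather than assuming the change applied.
    Get-Disk -Number $Number | Select-Object Number, FriendlyName, IsReadOnly
}

# List every USB disk and its current state. Run this again after plugging the
# drive into a different port to see whether the flag still applies there.
Get-UsbDiskState | Format-Table -AutoSize

# Usage (disk number 2 is a placeholder, take the real one from the table above):
# Set-UsbDiskReadOnly -Number 2 -WhatIf            # preview only
# Set-UsbDiskReadOnly -Number 2                    # like: attributes disk set readonly
# Set-UsbDiskReadOnly -Number 2 -ReadOnly $false   # like: attributes disk clear readonly
```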
Tip: It’s possible to write protect a specific drive without using Diskpart and optionally create a .REG file to quickly turn the setting on or off. You do need to know the hardware name for the drive but it should be easy enough to work out from the list of USB devices. Go to the following registry key:
Find the drive name in question from the list and expand it to reveal a key with a unique ID, expand that also. Then go to Device Parameters > Partmgr. Changing the Attributes Value from the default of 0 to 2 will make the drive read only on that specific USB port.
Right click on Partmgr and export the key with the Attributes value set to 0 and then 2. That will allow you to quickly click on either to change the status of the drive. Multiple unique IDs inside the device name key means it has been inserted into multiple USB ports and each one represents a different port. Change the Attributes value for each to protect the device in all used ports.