Saturday 26 October 2013

How to make your USB drive Write-protected under Windows

Many of you may be aware that recent versions of Diskpart (after WinXP) have the ability to set 'Read-Only' attributes on a disk or volume. I decided to investigate this feature a bit more thoroughly and this is what I have found. If you already know about this feature then don't stop reading, what I discovered may surprise you!

First, we have to distinguish between the two types that Windows separates 'disks' into - namely 'Removable' and 'Fixed'.

Now in the case of USB Flash Drives (UFDs), most of these are classed as 'Removable'. In the case of USB Hard Disks (UHDs) these are all (??) classed as 'Fixed' (or 'Local' in Explorer). RMPrepUSB will indicate which type of disk it is when you select it. Diskpart will list the types if you use the 'LIST VOLUME' command - you will see either 'Removable' or 'Partition'...

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     E                       DVD-ROM         0 B  No Media
  Volume 1     I                       DVD-ROM         0 B  No Media
  Volume 2     G                       DVD-ROM         0 B  No Media
  Volume 3     D   HDD DRIVE_D  NTFS   Partition     10 GB  Healthy
  Volume 4     C   HDD DRIVE_C  NTFS   Partition    222 GB  Healthy    System
  Volume 5     Z   HDD1_500GB   NTFS   Partition    465 GB  Healthy    Pagefile
  Volume 6     F   SSD HARD DI  NTFS   Partition    111 GB  Healthy    Pagefile
  Volume 7     H   LEXAR JD     FAT    Partition     15 MB  Healthy
  Volume 8     J   USBPEN       FAT32  Removable   1992 MB  Healthy


We can list disks in Diskpart using;
LIST DISK
We can list volumes in Diskpart using:
LIST VOL
We can select a disk or volume using:
SEL VOL 8   or    SEL VOL J   or
SEL DISK 3
We can see what the RO status is using
DETAIL DISK or DETAIL VOL

Current Read-only State : Yes
Read-only  : Yes

Note that the Current Read-only State signifies the current state in Windows and not the state of the disk - for instance, if there is a physical write-protect switch on the USB drive which is set to 'Lock', then the Current Read-only State may be Yes, even if the actual disk state is write-enabled (Read-only : No).

Once we have selected a disk or volume, we can set or clear the Readonly attribute.

Attribute disk set readonly
Attribute disk clear readonly
Attribute vol set readonly
Attribute vol clear readonly

So under Diskpart we have two options when setting 'ReadOnly' status and we have two types of 'disk'.

Here is what happens in each of these 4 cases:

1. Type=Removable, Set Disk=RO
Diskpart makes a change to the Windows Registry - no change is made to any sectors on the disk.

2. Type=Removable, Set Volume=RO
N/A - Diskpart will refuse to run as the disk is removable.

3. Type=Fixed, Set Disk=RO
Diskpart makes a change to the Windows Registry - no change is made to any sectors on the disk.

4. Type=Fixed, Set Volume=RO
Diskpart makes a change to the Windows Registry AND changes the disk contents.
If the drive is an MBR type (not GPT) then all volumes are marked as write-protected.
The MBR and all sectors up to the Partition Boot Record are not protected by Windows however.
If you connect the USB drive to a different Windows system (even a WinXP system), you will not be able to copy files to any volume on the drive. This also applies to UFDs that appear as 'Fixed' disks to Windows.

Now you may be already aware of this behaviour. However, I decided to investigate what disk contents were changed in Scenario 4 above. This was quite easy using RMPrepUSB. I simply made a single 20MB FAT16 partition on a Lexar Jumpdrive UFD that had it's Removable Media bit flipped using the Lexar BooIt.exe utility so that appeared as a Fixed Disk, and then used the RMPrepUSB - Drive->File button to save an image of all sectors up to the end of the partition. I then used Diskpart to set the Volume to Read-only and saved another image and then compared the two images.

The results were rather surprising. Diskpart had completely overwritten the contents of LBA2 (the 3rd sector) of the UFD! It had written 24 bytes of data followed by 488 bytes of 0's to fill the sector. Even if you have boot manager code in this sector, it is overwritten by Diskpart! Luckily this does not seem to stop grub4dos from booting if it was already installed to the MBR and pre-PBR disk sectors.

The bytes that were written were: 
0000 A2 A0 D0 EB E5 B9 33 44 - 87 C0 68 B6 B7 26 99 C7  ¢ Ðëå¹3D ‡Àh¶·&™Ç
0010 00 00 00 00 00 00 00 10 - 00 00 00 00 00 00 00 00  ....... ........
0's etc. etc.

These bytes don't seem to vary, even when Diskpart sets Volume RO status on a 2TB NTFS multi-partition UHD.

However, I found that if you write-protected a 'Fixed' disk Lexar UFD in this way and then 'flipped' the Removable Media Bit to make it a 'Removable' drive again, Windows XP-Win8 no longer treats the volume as write-protected. So this special read-only marker sector only works on 'Fixed' disks and not on 'Removable' disks. :-(

So what if we format a 'Fixed Disk' UFD with RMPrepUSB, install grub4dos to the MBR, and then 'blat' LBA2 with the 'write-protect' sector data... Yep - works fine! The volume is write protected and we cannot copy files to it. If you try to format it in Windows then it won't format it:



However, as the MBR and early sectors are not protected by Windows, we get a strange result if you try to re-partition it using RMPrepUSB. RMPrepUSB erases the early sectors, but then Windows prevents it from erasing the Partition Boot Record and RMPrepUSB returns an error. The volume, PBR and all files are still present. However, if you unplug the USB drive and re-connect it, because LBA2 is now wiped by RMPrepUSB, the USB drive is no longer 'Read-only' and so we can partition and format it using any utility.
You get similar strange results in Disk Manager, which can seem to unformat the partition and return it to 'RAW' status, but not re-format it until the Read-only status has been removed using Diskpart!

So it seems we cannot use this Diskpart Attribute feature to write-protect Removable UFDs... what a pity! If however, you have a UFD that is of the 'Fixed' disk type or you 'flip-the-RMB-bit' using a utility like BootIt (which only works on some Lexar and Netac UFDs and a few other types), then you can have a protected volume using this feature.

P.S. If you have a 'Removable' USB drive, you can hide a partition containing your files by making a drive with two Primary partitions using Easeus Partition Master and then use the RMPrepUSB - Ctrl-O feature to swap Windows access between the two partitions. This does not stop someone from re-partitioning it however and modern Win10 systems can now access all partitions on a Removable drive anyway.

You can write-protect some SD cards and Flash drives if you use the correct special factory utility to reprogram it. This process is not without risk however, and you could end up 'bricking' your flash drive or SD card. You must always use the correct tool. See here.

File Permissions (NTFS)

To protect all files from alteration under Windows, you can change the Windows file permissions on all files on a USB drive.

First select the USB drive in Windows Explorer - right-click and select Properties and then the Security tab. Now click the Edit button and untick the Full Control, Modify and Write boxes - then click on OK. All files on the drive will have their permissions changed. Windows can still add new files but cannot modify or delete any of the existing files. Unfortunately, these permissions are ignored by (most?) linux distros and grub4dos.



Note: If you have a USB HDD with multiple partitions, you can hide any of them from Windows (not linux) by using BootIce - Manage Part - select partition - Hide. When you next connect the USB drive the partition will be hidden. if you unhide it with BootIce, it will immediately be unhidden.

Further reading: 'How to fix Write-protected Read-only drives and SD cards'


Write-Protect NTFS drives

NTFS Drive Protection is  small Windows executable that can change the NTFS permissions on an NTFS volume. You can use this to write-protect a USB drive, but it also allows for some folders on the drive to be read/write whilst all others are read-only.



Keep this on yout USB drive and run it just before you connect the USB drive to an infected system.



No comments:

Post a Comment