Truly Write Protecting a USB Drive

No registry hacks required.

I came up with this solution after my thumbdrive fell victim to a 'Virut' infected machine at work. 'Virut' attached itself to two executables on the drive, so that running either of the programs infected whatever system my USB drive was attached to.

After cleaning my drive with AVG Free Anti-Virus I searched far and wide for a way to be make my USB drive read-only. I looked into mounting the drive as a CD under the ISO9660 standard; I thought of encrypting the drive's contents; I played with multiple partitions...

I'm saddened to report that there is no way to truly write-protect a USB drive at the software level, and so the method I present here is admittedly imperfect. Nonetheless it provides some real advantages. Further, it is the only portable solution you will find short of buying a USB drive with a write-protect switch.

The Solution

The trick is to fill the disk space entirely. When the USB drive is full all write operations will be denied. Viruses will neither be able to infect existing files, nor create their own.

I found this concept here at Jared Heinrichs' blog. All credit is due to Jared Heinrichs for exposing this all-too simple method, used elsewhere in pay-software.

Using the command-line tool 'fsutil' included in windows we can create a dummy file that fills every last bit of free space remaining on our drive, thus securing it. For an explanation of how to do this manually, visit Jared's post.

As for me, I wrote a batch file to automate the job.

The Code

@echo off

REM * Written by: Roy Tousignant
REM * Date: May 19th, 2009

SETLOCAL EnableDelayedExpansion

SET sizelimit=1024000000
SET tmpfile=%cd:~0,1%:\readonly.tmp

FOR /f "tokens=3 delims= " %%A in ('dir \ /-c ^| find /i "bytes free"') DO (
SET freespace=%%A

IF /i %freespace% lss %sizelimit% (
IF /i %freespace% gtr 0 (
IF EXIST !tmpfile! (
FOR /f "tokens=3 delims= " %%A in ('dir !tmpfile! /-c ^| find /i "1 file(s)"') DO (
SET tmpfilesize=%%A
) ELSE SET tmpfilesize=0
SET /a freespace = freespace + tmpfilesize
ECHO Writing !freespace! bytes to !tmpfile!
SET /P okay=Okay?[y/n]
SET okay=!okay:Y=y!
IF !okay! equ y (
del !tmpfile!
fsutil file createnew !tmpfile! !freespace!
ECHO Disc is already full.
GOTO Abort

ECHO Script detects more than !sizelimit! bytes of free space.
ECHO This script refuses to fill more than !sizelimit! bytes of space.
GOTO Abort

ECHO The procedure is aborted.



Copy the code above into 'notepad' and save it to your usb drive as 'readonly.bat'. Run it and answer 'y' to the prompt to create your dummy file. The window will close itself upon successful completion. To "unlock" your drive, just delete the readonly.tmp file it creates.

More Usage

I've restricted the code from writing a dummy file larger than 1Gb. This is a cheap way to prevent fsutil from filling up your hard drive or some other disk, in the event the batch file is accidentally run from the wrong drive. Remember: The batch file must be run from the USB drive itself.

If your USB drive is larger than 1Gb you can change this value in the batch script on the line that reads SET sizelimit=1024000000

To change it to the exact size of your thumbdrive, open My Computer, right click the 'Removable Disk' that represents your thumbdrive and click Properties. Use the number listed as "Capacity" to replace the 1024000000 in the code, making sure to remove all the commas. Careful here! One too many digits and the size limit could end up being 20Gb instead of 2Gb.


The flaw in this method of protection is that nothing prevents the deletion of files. If a virus is so inclined it can still wipe out your thumbdrive the instant you connect it. And if a virus' author were sufficiently devious, he could write a sneaky little function that deletes a few adjacent files, freeing just enough space on the disk to place the virus or infect an executable.

The flipside here is that even virus authors have lives and I'm not aware of any virus that makes such a herculean effort out of anticipating a full disk.

It's a flawed solution. But it is the best we can do without a hardware fix. It's greatest virtue is how unlikely it is that a virus will infect the drive without the user knowing. A virus may remove and replace a file completely, but cannot easily infect one to keep itself hidden. It can delete files to make room for itself, but we have gained warning by way of our missing files.

Design Notes

To prevent the program from running on a large local disc, it would be better to evaluate the total capacity of the drive instead of the free space remaining. But I could find no reasonable method of gaining a drive's true capacity at the command line. At first I figured adding together the free space and the used space values provided by dir \ /s /-c would work, but in testing the value of used space reported over 100k less than correct. The only other method I could find involved the wmic, which added an intolerable delay to initializing an otherwise simple script.

End of Line

As a computer repair technician, I'm satisfied with this solution for myself and I'm happy to recommend it. Though, if pressed, I recommend buying a USB drive with a write-protect switch even more.


Post a Comment