JSI Tip 8730. How can I prevent Windows XP users from writing to USB storage devices?

Microsoft introduced a method to write protect USB storage devices, like flash memory sticks, in Windows XP SP2.

To cause USB memory devices to be write protected on all Windows XP SP2 computers in your domain, I have scripted WriteProtect.bat.

NOTE: WriteProtect.bat sets the WriteProtect value on all Windows XP computers, whether or not they are running SP2 yet, so when you upgrade to SP2, the value will already be set.

The syntax for using WriteProtect.bat is:

WriteProtect [comp1 comp2 ... compN]

where comp1 comp2 ... compN is an optional list of NetBIOS computer names to exclude.

NOTE: WriteProtect.bat should be run from a Windows XP or Windows Server 2003 computer.

NOTE: WriteProtect.bat uses NETDOM.EXE from the Support Tools on the CD-ROM.

NOTE: To remove the write protections, set the data value of the WriteProtect Value Name, a REG_DWORD data type, to 0, or delete the Value Name, at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies.

WriteProtect.bat contains:

@echo off
setlocal
set qry=reg.exe query
set add=reg.exe add
set netdm=netdom query /domain:%userdnsdomain%
set end="The command completed successfully."
set fnd=FINDSTR /L /I /B /V /G:"%TEMP%\WriteProtect.TMP"
if exist "%TEMP%\WriteProtect.TMP" del /q "%TEMP%\WriteProtect.TMP"
rem Seed the exclusion file with a placeholder so FINDSTR /G: always has a file to read
@echo {none}>"%TEMP%\WriteProtect.TMP"
rem Append each computer name given on the command line to the exclusion file
:loop
if {%1}=={} goto loopend
@echo %1>>"%TEMP%\WriteProtect.TMP"
shift
goto loop
:loopend
rem For every domain workstation not excluded, set WriteProtect=1 if it reports version 5.1 (Windows XP)
for /f "Skip=1 Tokens=*" %%c in ('%netdm% workstation^|find /v /i %end%^|%fnd%') do (
 for /f "Tokens=2*" %%r in ('%qry% "\\%%c\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion^|find "REG_SZ"') do (
  if "%%s" EQU "5.1" @echo %%c&%add% "\\%%c\HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /V WriteProtect /T REG_DWORD /D 1 /F &@echo.
 )
)
endlocal
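
A companion check, added here as an example and not part of the original tip: it reads the WriteProtect value back from each computer named on the command line, so you can confirm the setting was applied or later removed. The script name CheckWriteProtect.bat and the state labels it prints are assumptions.

```bat
@echo off
rem CheckWriteProtect.bat (hypothetical name, added example)
rem Usage: CheckWriteProtect comp1 [comp2 ... compN]
setlocal
set ver=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
set key=HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
:next
if {%1}=={} goto done
rem Default: the key or value is absent, so USB storage is writable.
set state=NOT SET
rem Probe a value that always exists, to tell "unreachable" from "not set".
rem A failure here means the computer is offline, access was denied,
rem or its Remote Registry service is not running.
reg.exe query "\\%1\%ver%" /v CurrentVersion >nul 2>&1
if errorlevel 1 (
 set state=UNREACHABLE
) else (
 rem Tokens=2* puts the type in %%r and the data (0x0 or 0x1) in %%s.
 for /f "Tokens=2*" %%r in ('reg.exe query "\\%1\%key%" /v WriteProtect 2^>nul^|find "REG_DWORD"') do (
  set state=WRITABLE
  if "%%s" EQU "0x1" set state=PROTECTED
 )
)
echo %1: %state%
shift
goto next
:done
endlocal
```

PROTECTED means only that the value is 1; as noted above, the write protection itself takes effect on Windows XP SP2.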
