JSI Tip 8730. How can I prevent Windows XP users from writing to USB storage devices?
November 28, 2004
Microsoft introduced a method to write protect USB storage devices, like flash memory sticks, in Windows XP SP2.
To cause USB memory devices to be write protected on all Windows XP SP2 computers in your domain, I have scripted WriteProtect.bat.
NOTE: WriteProtect.bat sets the WriteProtect value on all Windows XP computers, including those not yet running SP2, so when you upgrade to SP2, the value will already be set.
The syntax for using WriteProtect.bat is:
WriteProtect [comp1 comp2 ... compN]
Where comp1 through compN is an optional list of NetBIOS computer names to exclude.
NOTE: WriteProtect.bat should be run from a Windows XP or Windows Server 2003 computer.
NOTE: WriteProtect.bat uses NETDOM.EXE from the Support Tools on the CD-ROM.
NOTE: To remove the write protections, set the data value of the WriteProtect Value Name, a REG_DWORD data type, to 0, or delete the Value Name, at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies.
WriteProtect.bat contains:
@echo off
setlocal
set qry=reg.exe query
set add=reg.exe add
set netdm=netdom query /domain:%userdnsdomain%
set end="The command completed successfully."
set fnd=FINDSTR /L /I /B /V /G:"%TEMP%\WriteProtect.TMP"
rem Build the exclusion file from the computer names passed on the command line.
if exist "%TEMP%\WriteProtect.TMP" del /q "%TEMP%\WriteProtect.TMP"
:loop
if {%1}=={} goto loopend
@echo %1>>"%TEMP%\WriteProtect.TMP"
shift
goto loop
:loopend
rem A sentinel line keeps the exclusion file non-empty when no names are given.
@echo END_OF_WRITEPROTECT_EXCLUSION>>"%TEMP%\WriteProtect.TMP"
rem Enumerate domain workstations, dropping the NETDOM status line and excluded names.
for /f "Skip=1 Tokens=*" %%c in ('%netdm% workstation^|find /v /i %end%^|%fnd%') do (
 rem CurrentVersion 5.1 identifies Windows XP; only those computers are changed.
 for /f "Tokens=2*" %%r in ('%qry% "\\%%c\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion^|find "REG_SZ"') do (
  if "%%s" EQU "5.1" @echo %%c&%add% "\\%%c\HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /V WriteProtect /T REG_DWORD /D 1 /F &@echo.
 )
)
endlocal
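To confirm the result after WriteProtect.bat has run, the following added example (not part of the original tip) reports the WriteProtect state of each computer named on the command line. The script name CheckWriteProtect.bat is hypothetical, and it assumes the same administrative remote registry access that WriteProtect.bat needs.

```batch
@echo off
rem CheckWriteProtect.bat (hypothetical name): audit companion to WriteProtect.bat.
rem Usage: CheckWriteProtect comp1 [comp2 ... compN]
setlocal
set key=SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
:next
if {%1}=={} goto done
rem Probe a value that always exists so an unreachable computer is not
rem reported as merely unprotected.
set state=UNREACHABLE
reg.exe query "\\%1\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion >nul 2>&1
if errorlevel 1 goto report
rem The computer answered; now read the policy value itself.
set state=NOT SET
set val=
for /f "Tokens=2*" %%r in ('reg.exe query "\\%1\HKLM\%key%" /v WriteProtect 2^>nul^|find "REG_DWORD"') do set val=%%s
if not defined val goto report
rem reg.exe prints REG_DWORD data in hex, so a value of 1 appears as 0x1.
set state=WRITABLE, WriteProtect=%val%
if /i "%val%"=="0x1" set state=WRITE PROTECTED
:report
@echo %1: %state%
shift
goto next
:done
endlocal
```

Computers reported as NOT SET or WRITABLE were either excluded, not running Windows XP when WriteProtect.bat ran, or changed afterwards.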