Ondrej Sevecek's English Pages

March 31
Windows registry values (NoAutoMount) for forensic disk imaging

You may want to use disk imaging tools such as my favourite WinHex for capturing forensically sound disk images from arbitrarily attached USB/SATA/mSATA/M.2/SAS/etc. hard drives even if you do not have a hardware-based write-blocker device. In order to prevent the operating system from switching the just-attached disks to Online mode and mounting any file systems, you should configure the following registry values:

HKLM\System\CurrentControlSet\Services\mountmgr
  NoAutoMount = REG_DWORD = 1

HKLM\System\CurrentControlSet\Services\partmgr\Parameters
  SanPolicy = REG_DWORD = 3

Note that the NoAutoMount value goes directly into the mountmgr registry key itself, while the SanPolicy value must be set in the Parameters subkey of the partmgr driver.

If you have the registry configured this way, newly attached disk drives remain in the default Offline mode, which means that they are read/only.

If you want to switch a disk to the writable Online mode, you can always do so with diskpart's command online disk. Note, though, that making a disk Online means immediately mounting any file system it contains, even if no drive letter has been assigned yet.

If you want to mount a file system while keeping the disk in read/only mode, you can achieve this with diskpart's command attributes disk set readonly prior to switching the disk into Online mode.

Thus a disk in Offline mode is always read/only, while a disk in Online mode may be read/only or writable, depending on the disk's attribute setting, which you can change before bringing the disk online.

A sample DISKPART transaction may look like this:

DISKPART

  list disk
  REM :the previous command lists your disks; the newly attached disk should be Offline, note its number

  select disk XX
  REM :type the number of your Offline attached disk instead of XX

  attributes disk
  REM :the previous command displays the disk attributes, in particular the fact that the disk is currently in read/only state

  attributes disk set readonly
  REM :we make the read/only setting permanent for the selected disk by storing this information in the local computer registry
  REM :note that this does not modify anything on the disk yet, and note also that the setting stays in the local computer registry
  REM :and does not roam with the disk if it is unplugged and moved to another computer

  online disk
  REM :brings the disk Online, allowing file systems to be mounted, although the disk remains in read/only mode and thus the file systems
  REM :are read/only as well. No drive letters are assigned yet due to the NoAutoMount registry value

  assign
  REM :only now are drive letters assigned; the disk and its file systems still remain in read/only mode
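The same procedure in PowerShell, as an added example that is not part of the original post: it writes the two registry values above, checks them before touching any disk, and then repeats the diskpart sequence (readonly attribute first, then online, then drive letter) with the Storage module cmdlets Get-Disk, Set-Disk and Add-PartitionAccessPath in place of diskpart. The function names and the disk number 2 in the usage lines are assumptions; run it from an elevated session.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on a Windows version that ships the Storage module (Get-Disk/Set-Disk).
$MountMgr = 'HKLM:\SYSTEM\CurrentControlSet\Services\mountmgr'
$PartMgr  = 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr\Parameters'

function Set-ForensicMountPolicy {
    # NoAutoMount=1: no drive letters for new volumes; SanPolicy=3: new disks stay Offline.
    # The Parameters subkey under partmgr may not exist yet, so create it first.
    New-Item -Path $PartMgr -Force | Out-Null
    New-ItemProperty -Path $MountMgr -Name NoAutoMount -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PartMgr  -Name SanPolicy   -PropertyType DWord -Value 3 -Force | Out-Null
}

function Test-ForensicMountPolicy {
    # Returns $true only when both values are exactly as the post requires.
    $noAutoMount = (Get-ItemProperty -Path $MountMgr -Name NoAutoMount -ErrorAction SilentlyContinue).NoAutoMount
    $sanPolicy   = (Get-ItemProperty -Path $PartMgr  -Name SanPolicy   -ErrorAction SilentlyContinue).SanPolicy
    return ($noAutoMount -eq 1 -and $sanPolicy -eq 3)
}

function Mount-DiskReadOnly {
    param([Parameter(Mandatory)][int]$Number)
    if (-not (Test-ForensicMountPolicy)) {
        throw 'Registry is not configured for forensic imaging; refusing to bring the disk online.'
    }
    $disk = Get-Disk -Number $Number
    if (-not $disk.IsOffline) {
        # An evidence disk that is already Online may already have been mounted writable.
        throw "Disk $Number is already Online; verify its state before imaging."
    }
    # Same order as the diskpart transaction: set the readonly attribute, then go online.
    Set-Disk -Number $Number -IsReadOnly $true
    Set-Disk -Number $Number -IsOffline  $false
    $disk = Get-Disk -Number $Number
    if (-not $disk.IsReadOnly) {
        throw "Disk $Number came online writable; do not image from it."
    }
    return $disk
}

# Usage (replace 2 with the number Get-Disk shows for the attached drive):
# Set-ForensicMountPolicy
# Mount-DiskReadOnly -Number 2 | Format-List Number, FriendlyName, IsOffline, IsReadOnly
# Get-Partition -DiskNumber 2 | Add-PartitionAccessPath -AssignDriveLetter   # the diskpart "assign" step
```

Test-ForensicMountPolicy is also a quick way to confirm the workstation's configuration when, as in the comment below, drive letters still appear after plugging a drive in.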

Comments

Re: Windows registry values (NoAutoMount) for forensic disk imaging

FYI, in WinHex 19.6 and later you can change the read-only status directly in the user interface with a new menu command.
 on 25/02/2018 19:39

It does not work in Windows 10 Pro x64, ver. 1803, build 17134.648

Hi,

I followed your instructions in order to disable disk automount, but still Windows automounts (i.e. assigns a drive letter to) any USB drive I plug into the computer.

Short recap of what I've done:
- ejected and removed all USB drives;
- checked Automount: diskpart → automount = "Automatic mounting of new volumes disabled". This corresponds to the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MountMgr\NoAutoMount=1 ;
- removed non-present volume drive mappings: diskpart → automount scrub = successfully done;
- diskpart → san policy=offlineall . Registry check: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partmgr\Parameters\SanPolicy=3 ;
- restarted computer;
- plugged USB drive.
 on 19/03/2019 23:37
