Solved Suspicion about ejecting USB drives

F22 Simpilot

You are referring to the Stuxnet worm. It was in the firmware of the USB, and is not detectable with conventional AVs.
Most can be removed by flashing the BIOS; however, if it infects the boot code as well, it reinfects the BIOS.
Stuxnet - Wikipedia

 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP Desktop & Compaq Laptop
OS
Win 10 x64, Linux Lite, Win 7 x64, BlackArch, & Kali
Hard Drives
Samsung 850 Pro 256Gb,
Hitachi HDD 1Tb,
Crucial MX SSD 250Gb
Segate 3Tb USB 3.0 Ext. Backup HDD
Internet Speed
150Mbps dn, 20Mbps up
Antivirus
Avast Free, Malwarebytes Anti-Exploit & Anti-Ransomware
Browser
Firefox, Chrome, Opera, & VPN
Yes, there's very likely some way like that to get infected. Ultimately the risk can't be quantified exactly; I just try to keep it "reasonably low", whatever that means.


If I wanted to securely delete a drive's contents, I'd probably just fill it with (non-sensitive) data till there wasn't any free space on it, then delete it if need be. I don't see how the original contents could survive that, otherwise it would be a way of doubling the capacity of a disk, which would be rather good.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
HP Probook
OS
Win 7 Pro 32-bit
ToughDiamond

Not likely over the Net; most are infected before you purchase them. Like picking up a free one at an exposition, or off the ground, and plugging it in with autoplay enabled (a good way to get normal malware).

It takes some expertise, or a malicious BIOS update or flashing the BIOS.

There are several drive wiper apps available that overwrite once or many times, your choice. The more the drive is overwritten, the harder (or impossible) it is to recover data.
 

Anyway, back on topic, to effect the fix, my .reg file is this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\usbhub\hubg]
"DisableOnSoftRemove"=dword:00000001


To revert to the original state (in my case), my .reg file is this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\usbhub\hubg]
"DisableOnSoftRemove"=-


I've tested them both, and they work fine for me. I have to reboot for the effect to take place.

So I think I'll mark this issue as solved now. Thanks for your help, folks :-)

For anybody else wanting to do this, I suppose ideally it would be best to check (before adding the DWORD in the first place) whether or not your registry already contains the HubG subkey. Although mine did (the HubG subkey, that is, not the actual DWORD; see the attached screenshot of the registry as it was before I changed anything), Microsoft's manual instructions include creating it, as if they don't expect users to already have the key. The only difference it makes is that if you don't, then reverting your registry to the exact same state as it was before the fix would require deleting the entire HubG key and not just the DWORD. Though I can't imagine it would matter. And it could be that Microsoft has just got it wrong and everybody's already got the subkey.
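The "check first so you can revert exactly" idea above can be scripted. The following is an added example (not from the thread, not from Microsoft): it snapshots whether the HubG subkey and the DisableOnSoftRemove value already exist before changing anything, then reverts to precisely that recorded state, so the revert never has to guess whether to delete the value or the whole key. The key path and value name are the ones in the thread; the state-file location under ProgramData is an assumption. It uses Export-Clixml rather than JSON so that it also runs on the PowerShell 2.0 that ships with Windows 7. Run from an elevated prompt and reboot afterwards, as the thread notes.

```powershell
# Added example: state-aware apply/revert of the HubG DisableOnSoftRemove workaround.
# Assumed: state file location; run elevated (HKLM writes need admin rights).

$HubKey    = 'HKLM:\SYSTEM\CurrentControlSet\services\usbhub\HubG'
$ValueName = 'DisableOnSoftRemove'
$StateFile = Join-Path $env:ProgramData 'usb-softremove-state.xml'   # assumed path

function Get-SoftRemoveState {
    # Read the current registry state without modifying it.
    $keyExists = Test-Path -Path $HubKey
    $prior = $null
    if ($keyExists) {
        $item = Get-ItemProperty -Path $HubKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $prior = [int]$item.$ValueName }
    }
    New-Object PSObject -Property @{ KeyExists = $keyExists; PriorValue = $prior }
}

function Enable-SoftRemovePowerOff {
    # Record the pre-change state exactly once, then create the key (if needed) and set the DWORD to 1.
    if (Test-Path -Path $StateFile) {
        throw "State file $StateFile already exists; revert first (or delete it) before applying again."
    }
    $state = Get-SoftRemoveState
    $state | Export-Clixml -Path $StateFile
    if (-not $state.KeyExists) { New-Item -Path $HubKey -Force | Out-Null }
    New-ItemProperty -Path $HubKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host ("Set {0}\{1} = 1 (before: key present={2}, value={3}). Reboot to apply." -f `
        $HubKey, $ValueName, $state.KeyExists, $state.PriorValue)
}

function Disable-SoftRemovePowerOff {
    # Restore exactly what was recorded: previous value, no value, or no key at all.
    if (-not (Test-Path -Path $StateFile)) { throw "No recorded state at $StateFile; nothing to revert." }
    $state = Import-Clixml -Path $StateFile
    if (-not $state.KeyExists) {
        Remove-Item -Path $HubKey -Recurse -Force -ErrorAction SilentlyContinue
    }
    elseif ($null -eq $state.PriorValue) {
        Remove-ItemProperty -Path $HubKey -Name $ValueName -ErrorAction SilentlyContinue
    }
    else {
        Set-ItemProperty -Path $HubKey -Name $ValueName -Value ([int]$state.PriorValue)
    }
    Remove-Item -Path $StateFile
    Write-Host "Reverted to the recorded state. Reboot to apply."
}

# Usage (one at a time, elevated):
#   Enable-SoftRemovePowerOff
#   Disable-SoftRemovePowerOff
```

Dot-source the file and call one of the two functions. The state file is the only thing that distinguishes "the key was there but empty" from "the key was created by the fix", which is exactly the ambiguity the paragraph above describes.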
 

Attachments

  • Registry-USBpower.jpg (87.8 KB)

I now see that KB from M$ is gone that was posted in post #12.
 

My Computer

Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
I now see that KB from M$ is gone that was posted in post #12.
Well spotted - I see they've also put a note there to tell me to use Win10 instead :roflmao:
I suppose that means they've also pulled all their other Win7 help, damn them.

So, in the spirit of defiance, here's the "per device" method that I guess might now be hard to find elsewhere (looks to me like a lot of work for very little, but who knows?) - I've not tested it, and it is from Microsoft, so it should be regarded with suspicion:

To apply the workaround for a specific device, add a REG_DWORD value named DisableOnSoftRemove that has a value of 1 to the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\usbflags\vvvvpppprrrr
(where vvvv is the device's Vendor ID, pppp is the device's Product ID, and rrrr is the device's Revision number).
1. Click Start, click Run, type regedit in the Open box, and then click OK .
2. Locate and then click the following subkey in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UsbFlags
3. On the Edit menu, point to New, and then click Key.
4. Type the name of the new key in the following form:
vvvvpppprrrr
where vvvv is a 4-digit hexadecimal number that identifies the vendor (idDevice from the USB Device Descriptor),
pppp is a 4-digit hexadecimal number that identifies the product (idVendor from the USB Device Descriptor), and
rrrr is a 4-digit binary-coded decimal number that contains the revision number of the device (bcdDevice from the USB Device Descriptor).
5. On the Edit menu, point to New, and then click DWORD (32-bit) Value.
6. Type DisableOnSoftRemove for the name of the DWORD Value, and then press ENTER.
7. Right-click DisableOnSoftRemove, and then click Modify.
8. In the Value data box, type 1 , and then click OK.
9. Exit Registry Editor.
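The fiddly part of the per-device method is getting the vvvvpppprrrr name right. As an added example (not from the thread or from Microsoft), the script below reads each connected USB device's hardware ID, which Windows reports in the form USB\VID_vvvv&PID_pppp&REV_rrrr, and derives the UsbFlags key name from it, so nothing has to be typed by hand. Note that in the standard USB device descriptor the fields are named idVendor, idProduct and bcdDevice; the labels in the quoted instructions above have the first two swapped. Win32_PnPEntity is used because it exists on Windows 7 (Get-PnpDevice does not). By default it only lists what it would do; nothing is written unless -Apply is passed from an elevated prompt.

```powershell
# Added example: derive the per-device UsbFlags key name from the hardware ID
# and optionally set DisableOnSoftRemove = 1 under it. Assumed: run elevated
# when -Apply is used; devices must be plugged in when the script runs.

function Get-UsbFlagsKeyName {
    param([string[]]$HardwareIds)
    # Hardware IDs look like USB\VID_0781&PID_5583&REV_0100 (VID=idVendor, PID=idProduct, REV=bcdDevice).
    foreach ($id in $HardwareIds) {
        if ($id -match '^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})&REV_([0-9A-Fa-f]{4})$') {
            return ($Matches[1] + $Matches[2] + $Matches[3]).ToUpper()   # vvvvpppprrrr
        }
    }
    return $null
}

function Show-UsbSoftRemoveCandidates {
    param([switch]$Apply)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\UsbFlags'
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USB\VID_*' } |
        ForEach-Object {
            $name = Get-UsbFlagsKeyName -HardwareIds $_.HardwareID
            if ($null -eq $name) { return }          # no REV_ form available; skip
            $key = Join-Path $base $name
            $current = $null
            if (Test-Path -Path $key) {
                $current = (Get-ItemProperty -Path $key -Name DisableOnSoftRemove -ErrorAction SilentlyContinue).DisableOnSoftRemove
            }
            Write-Host ("{0,-45} {1}  DisableOnSoftRemove={2}" -f $_.Name, $name, $current)
            if ($Apply) {
                if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name DisableOnSoftRemove -PropertyType DWord -Value 1 -Force | Out-Null
            }
        }
}

# Usage: list only, then apply once the output looks right.
Show-UsbSoftRemoveCandidates
# Show-UsbSoftRemoveCandidates -Apply
```

Comparing the listed key name with what you see under Device Manager (Details tab, Hardware Ids) is a quick sanity check before applying. The list mode also shows whether a device already has the value set, which is useful when reverting later.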

 


There's also this utility I noticed:

USB Disk Ejector | Quick And Easy Software

To my mind Microsoft's ejector suffers from 2 limitations (apart from failing to power devices off):
1. Sometimes it says it can't eject the device because it's "still in use" even though you know it's not in use.
2. It doesn't give enough info about connected drives to allow you to quickly tell one drive from another.

So maybe that utility can do better. I haven't tried it myself yet, so use at your own risk.
 


Attachments

  • wayback.jpg (46.6 KB)

Glad you got it sorted to your satisfaction.

For me, as long as I know there are no pending write operations, I'm good. The way a USB drive gets corrupted is when it gets yanked while performing a write operation. Interrupted read operations won't corrupt things, only writes. When I get the message that Windows can't safely eject, I just make sure that I don't have any folders or files open on that drive, I wait a few seconds after I see any activity on that drive and then pull it. Never had an issue.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Built desktop, Dell G15 5511 Gaming laptop,MS Surface Pro 7 tablet
OS
W10 Pro desktop, W11 laptop, W11 Pro tablet (all 64-bit)
CPU
3.7Ghz 8700K i7, i7-11800H, i7-1065G7
Motherboard
ASUS TUF Z370-Pro Gaming in desktop
Memory
16G desktop, 16G laptop, 4G tablet
Graphics Card(s)
AMD Radeon RX580, RTX 3060, Intel Iris Plus
Sound Card
High Definition Audio (Built-in to mobo)
Monitor(s) Displays
Samsung U32J59 32" (2x), 15.6", 12"
Screen Resolution
3840x2160, 3840x2160, 1920x1080, 2160x1440
Hard Drives
500G SSD for OS; 2T, 10T & 15T HDDs for Data on Desktop, 1TB SSD laptop, 128G SSD tablet.
PSU
Corsair CX 750M
Case
Antec 100
Cooling
CM 212+
Keyboard
IBM Model M - used continuously since 1986
Mouse
Microsoft Pro IntelliMouse
Internet Speed
400M down 8M up
Antivirus
Windows Defender
Browser
FireFox
Other Info
Built my first computer (8Mhz 8088cpu, 640K RAM, 20MB HDD, 2 360K floppy drives) in 1985 and have been building them for myself, relatives and friends ever since.
Glad you got it sorted to your satisfaction.

For me, as long as I know there are no pending write operations, I'm good. The way a USB drive gets corrupted is when it gets yanked while performing a write operation. Interrupted read operations won't corrupt things, only writes. When I get the message that Windows can't safely eject, I just make sure that I don't have any folders or files open on that drive, I wait a few seconds after I see any activity on that drive and then pull it. Never had an issue.
Yes that's more or less what I've been doing too, with flash drives anyway (larger drives with a motor that actually spins were another matter because of the power not going off, it really didn't feel right to yank those out and so abruptly cut the power). I don't even worry about Explorer being open on the drive as long as it's not doing anything (though I see that with Vista, the ejector refuses to eject unless you manually close Explorer - that's really stupid, like a lot of things in Vista). I gather there's some "dynamic mode" that can be switched to that makes it unsafe to remove the drive, so it's worth making sure that's not the case.
 
