
Stop the Windows AutoRun feature in its tracks


Justin Fielding recently posted some instructions he found for disabling the USB mass storage features in Windows and Mac OS X. That information will be of most use in those environments that are very strict about their security practices, but what about those offices that are concerned about security but still need access to removable storage? Preventing removable drives from working at all makes sense for those companies that are extremely concerned about data theft and leaks. Some offices will need the flexibility that those mass storage devices provide, though. If your environment falls in that category, you should still make sure that your department's computers are protected as much as possible from any malicious software that might end up on removable drives. Digital files can be a vector for virus and worm infection regardless of where they come from, and that's why malware protection is important. But removable disks can be set up to use a Windows feature that can make them even more dangerous: Windows AutoRun.

AutoRun has drawn attention from security experts because it can be misused by viruses and other malware, historically when they were run from CDs and DVD-ROMs. Any removable media type can carry an autorun.inf file, however. What makes AutoRun risky is that it allows Windows to execute program instructions when a properly configured disk is accessed, sometimes without any intervention from the user at all. Windows is configured this way by design, to make things "easier" on the end user when he wants to install commercial software or listen to an audio CD. In this case, I believe Microsoft is sacrificing security for a trivial amount of convenience.

AutoRun can be disabled on an individual Windows machine with a (relatively) simple edit to the Registry. If you're not experienced with Registry edits, be sure to make a backup first, so you can recover from any unexpected problems.

To disable AutoRun for all drive types -- including CD and USB drives -- search the Registry for values named NoDriveTypeAutoRun, and change the hex data for these values to FF. You can restrict your changes to the user account that's currently active by changing only the value in the HKEY_CURRENT_USER registry hive. If you want to disable AutoRun for all user accounts, then use the "Find Next" tool under the Registry Editor's "Edit" menu to cycle through all instances of the NoDriveTypeAutoRun value in the Registry, and change every key's value to FF.

Some notes about this procedure
  • If editing the system Registry seems like more than you want to take on, you and your users can disable AutoRun on a case-by-case basis by simply holding the <Shift> key on the keyboard while inserting a disk or USB drive.
  • Disabling AutoRun via the Registry will not stop a removable device's AutoRun instructions from executing when the user double-clicks on the device in Windows Explorer. It will keep AutoRun from activating automatically when the device is inserted, however.
  • The FF value for NoDriveTypeAutoRun will disable AutoRun for all devices. If you find this is overkill for your environment, you can reset the hex value to 91 (the Windows XP default) or 95 (which Microsoft recommends as the value for these keys).
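
As an added example (not code from the original article), the script below decodes the FF, 91 and 95 values discussed above by reading NoDriveTypeAutoRun out of a Registry Editor export and listing the drive types that still have AutoRun enabled. The bit meanings follow the Win32 GetDriveType codes; the function names `decode` and `audit` and the `SAMPLE` export are illustrative assumptions.

```python
import re

# Bit = 1 << GetDriveType() code; a set bit disables AutoRun for that type.
DRIVE_BITS = {
    0x01: "unknown", 0x02: "no root directory", 0x04: "removable",
    0x08: "fixed", 0x10: "network", 0x20: "CD/DVD",
    0x40: "RAM disk", 0x80: "reserved",
}

# regedit exports the value as dword:00000091 or as hex:91,00,00,00
VALUE_RE = re.compile(
    r'^"NoDriveTypeAutoRun"=(?:dword:([0-9a-f]{8})|hex:([0-9a-f]{2})(?:,[0-9a-f]{2})*)$',
    re.IGNORECASE)

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
'''

def decode(mask):
    """Return (disabled, still_enabled) drive-type names for a mask."""
    disabled = [name for bit, name in DRIVE_BITS.items() if mask & bit]
    enabled = [name for bit, name in DRIVE_BITS.items() if not mask & bit]
    return disabled, enabled

def audit(reg_text):
    """Map each key in a .reg export to the low byte of its NoDriveTypeAutoRun."""
    found, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the next values belong to
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # dword is big-endian text; hex: lists bytes low byte first
            found[key] = int(m.group(1) or m.group(2), 16) & 0xFF
    return found

if __name__ == "__main__":
    for key, mask in audit(SAMPLE).items():
        _, enabled = decode(mask)
        print(f"{key}\n  0x{mask:02X}: AutoRun still on for {enabled or 'nothing'}")
```

With 91, removable and CD/DVD drives are left enabled; 95 adds removable drives to the disabled set; only FF leaves nothing enabled.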
An Appendix for the advanced user
  • Since I know someone will point this out, it is possible to disable AutoRun using Group Policy, but that takes us beyond the scope of the helpdesk, and this article.
  • It also seems logical that one could disable AutoRun across the whole machine during system setup by adding a NoDriveTypeAutoRun value of FF in the HKEY_LOCAL_MACHINE hive (specifically in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer key) or in the HKEY_USERS\.DEFAULT\... node. Neither of these panned out in my testing; if you have different results, let me know in the Comments.
12 comments
braunmax

I have downloaded TweakUIPowerToySetup.exe - downloadable from Microsoft itself - to set the parameters to prevent Autorun on selected drives, and specifically the USB ports. Perhaps one can track the changes in the registry before and after the options in this tool are set to get hold of the "undocumented" features that this utility uses and so create a specific set of manual instructions. I did this in desperation of being given several viruses by a student who passed me his thesis on a USB flash drive, and finding several antivirus programmes incapable of fixing or preventing the infections! McAfee, to its credit, could at least detect it! Search for TweakUI and Powertoys to get the version you want. Mine is the XP version. Max

ranban

I think TweakUI can do the job. Please examine.

keeperocrumbs

I agree that Autorun can be dangerous and frustrating too, but it can have its uses, for instance enabling autorun for network drives - change value to 85 - there must be a way to disable autorun on just USB devices....?

williamjones

As I've pointed out, TweakUI doesn't keep the AutoRun feature from activating when you double-click on a drive in the Explorer to open it for file access. Using TweakUI to disable AutoPlay on a drive only keeps the automatic file scan from occurring. If you've been having problems receiving infected drives, I'd suggest that you look closely at setting your anti-virus software to scan removable disks on insert.

tunapez

I recently disabled this service fearing my external drives were spreading a bug. Could someone educate me on the pitfalls of disabling this service? I have disabled it on two machines with no adverse effects yet (~week ago). Even installed USB peripherals with no problem: MultiFunctionPrinter, All In One card reader, joystick. The only thing that auto plays now is the XP disk. DVDs, CDs, flash drives, ide/sata drive enclosures all register, just no automation.

williamjones

TweakUI and some other tools allow for easy access to modify the AutoPlay settings of your drives. AutoPlay powers the little window that pops up and scans the contents of your drives when they're first connected. It's not the same thing as AutoRun, though the two features can work together (along with what Windows calls Auto Insert Notification, the mechanism by which Windows detects new volumes and devices).

Using TweakUI to disable AutoPlay prevents your computer from scanning your disk for known file types when it is attached. This doesn't change whether AutoRun is activated when you "open" your connected disk. If your volume contains AutoRun instructions--carried in an autorun.ini file--those instructions will be parsed automatically when the device is accessed by the Explorer--when you double-click to open it.

Try it out yourself! Create an autorun.ini file in Notepad with the following contents:

    [autorun]
    shellexecute=c:\windows\system32\cmd.exe

...And save it to a thumb drive, or a floppy, or whatever. Un-mount your device, then use TweakUI to disable AutoPlay for your drive's assigned letter. Then reconnect your drive. You shouldn't see the AutoPlay scan and accompanying prompt. But when you try to open your device in My Computer, you'll have a Command window pop open. That was activated by AutoRun parsing your autorun.ini file.

One thing that might be causing confusion is a nomenclature problem in Explorer. If you right-click on a device containing an autorun.ini file, the contextual menu will show an AutoPlay option. Selecting this will re-interpret the autorun.ini command file, even if AutoPlay is turned off. I presume this is because AutoRun is something that Microsoft didn't intend to become common vocabulary; it's kind of habit for these files to be invisible on commercial software, though it's not required for AutoRun to function.

williamjones

You just need to find documentation on the Hex code masks for the devices. Not to nitpick, though, but I'm even more concerned about AutoRuns from network devices! Even Windows doesn't activate that by default (if I remember correctly). Frankly, I am a lot more likely to know where my personal USB thumb drive has been, and that it's safe. I don't want my machine running autorun.ini files from any old network share that I may need to connect to.

Abstract57

Go to My Computer, right click on the USB drive. Choose Autoplay tab, and change the options there. Or you can install TweakUI which is part of Windows PowerToys and go to the My Computer, Drives section and change it there. You can change only USB or only CD options. I found TweakUI here: http://www.annoyances.org/exec/show/tweakui

ranban

Thank you for educating me on the difference between autorun and autoplay.

sandrok911

Hi All, Just today I have got a message from CERT Advisory board... it's about time, this "autorun problem" has existed for several years! Here is a link: http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html

I've applied the solution with a reg file:

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

As delaage.pierre mentioned, protecting MountPoints2 for each user does make sense.
