Stop the Windows AutoRun feature in its tracks

Justin Fielding recently posted some instructions he found for disabling the USB mass storage features in Windows and Mac OS X. That information will be of most use in environments that are very strict about their security practices, but what about offices that are concerned about security and still need access to removable storage? Preventing removable drives from working at all makes sense for companies that are extremely concerned about data theft and leaks. Some offices will need the flexibility that mass storage devices provide, though. If your environment falls in that category, you should still make sure that your department's computers are protected as much as possible from any malicious software that might end up on removable drives. Digital files can be a vector for virus and worm infection regardless of where they come from, and that's why malware protection is important. But removable disks can be set up to use a Windows feature that can make them even more dangerous: AutoRun.

AutoRun has drawn attention from security experts because it can be abused by viruses and other malware, historically when they were run from CDs and DVD-ROMs. Any removable media type can carry an autorun.inf file, however. What makes AutoRun risky is that it allows Windows to execute program instructions when a properly configured disk is accessed, sometimes without any intervention from the user at all. Windows is configured this way by design, to make things "easier" on the end user when he wants to install commercial software or listen to an audio CD. In this case, I believe Microsoft is sacrificing security for a trivial amount of convenience.

AutoRun can be disabled on an individual Windows machine with a (relatively) simple edit to the Registry. If you're not experienced with Registry edits, be sure to make a backup first, so you can recover from any unexpected problems.

To disable AutoRun for all drive types, including CD and USB drives, search the Registry for values named NoDriveTypeAutoRun, and change the hex data for these values to FF. You can restrict your changes to the user account that's currently active by changing only the value in the HKEY_CURRENT_USER registry hive. If you want to disable AutoRun for all user accounts, then use the "Find Next" tool under the Registry Editor's "Edit" menu to cycle through all instances of the NoDriveTypeAutoRun value in the Registry, and change the data of every instance to FF.

Some notes about this procedure
  • If editing the system Registry seems like more than you want to take on, you and your users can disable AutoRun on a case-by-case basis by simply holding the <Shift> key on the keyboard while inserting a disk or USB drive.
  • Disabling AutoRun via the Registry will not stop a removable device's AutoRun instructions from executing when the user double-clicks on the device in Windows Explorer. It will keep AutoRun from activating automatically when the device is inserted, however.
  • The FF value for NoDriveTypeAutoRun will disable AutoRun for all devices. If you find this is overkill for your environment, you can reset the hex value to 91 (the Windows XP default) or 95 (which Microsoft recommends as the value for these keys).
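
To see what the 91, 95 and FF settings actually cover, the value can be decoded as a bitmask. The following is an added example, not code from the original article: the bit meanings come from Microsoft's documentation of NoDriveTypeAutoRun rather than from this page, and the function names are hypothetical.

```python
import sys

# Bit meanings as documented by Microsoft for NoDriveTypeAutoRun (not from the article).
DRIVE_BITS = {
    0x01: "unknown type",
    0x04: "removable",
    0x08: "fixed disk",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown type (reserved)",
}
# Per-user counterpart of the HKLM path quoted in the article (assumed location).
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def decode(value):
    """Return (disabled, still_enabled) lists of drive-type names."""
    disabled = [n for bit, n in DRIVE_BITS.items() if value & bit]
    enabled = [n for bit, n in DRIVE_BITS.items() if not value & bit]
    return disabled, enabled


def autorun_exposed(value):
    """True if removable or CD-ROM media can still trigger AutoRun."""
    return (value & 0x24) != 0x24


def read_hkcu():
    """Read the current user's value; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY) as key:
            data, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
    except FileNotFoundError:
        return None
    # Stored as REG_DWORD (int) or REG_BINARY (little-endian bytes).
    return data if isinstance(data, int) else int.from_bytes(data, "little")


if __name__ == "__main__":
    samples = {"XP default": 0x91, "recommended": 0x95, "all drives": 0xFF}
    live = read_hkcu()
    if live is not None:
        samples["this account (HKCU)"] = live
    for label, val in samples.items():
        print(f"{label}: 0x{val:02X} leaves AutoRun on for {decode(val)[1]}")
```

Decoded this way, 91 leaves AutoRun active for removable and CD-ROM media, and 95 still leaves it active for CD-ROMs; only FF covers every drive type.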
An Appendix for the advanced user
  • Since I know someone will point this out, it is possible to disable AutoRun using Group Policy, but that takes us beyond the scope of the helpdesk, and this article.
  • It also seems logical that one could disable AutoRun across the whole machine during system setup by adding a NoDriveTypeAutoRun value of FF in the HKEY_LOCAL_MACHINE hive (specifically in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer key) or in the HKEY_USERS\.DEFAULT\... node. Neither of these panned out in my testing; if you have different results, let me know in the Comments.
