TechRepublic|Forums|Hardware

Hardware

Question

  • Creator
    Topic
  • August 24, 2007 at 11:34 am #2236070

    How to disable autorun when double-clicking on a volume in windows explorer

    Locked

    by list_ado · about 16 years, 7 months ago

    Hello:

    Through group policies or other changes in the windows registry it’s posible to disable the autorun feature which activates when a removable device is just plugged, but i need also tu disable the feature windows explorer have (at least in windows 2000/XP) of activating autorun when we double-click on a volume if it contains the autorun.inf file at the root. It’s posible to circumvent this behavior by using the context menu, but we could forget to do that.

    I have encountered a number of worms exploiting the removable drive autorun feature and this would be a good step in prevention; i have taken into account that most users aren’t aware of ways to prevent the kind of attack autorun allows and antivirus software have failed me several times.

    Topic is locked This conversation is currently closed to new comments.
  • Creator
    Topic

All Answers

  • Author
    Replies
    • August 24, 2007 at 11:34 am #2625844

      Clarifications

      by list_ado · about 16 years, 7 months ago

      In reply to How to disable autorun when double-clicking on a volume in windows explorer

      Clarifications

    • September 14, 2007 at 9:41 am #2604979

      I got the true solution: by forbidding shell extension on mountpoints2

      by delaage.pierre · about 16 years, 7 months ago

      In reply to How to disable autorun when double-clicking on a volume in windows explorer

      When a usb key is inserted, and unfortunately even if AutoRun has been disabled by various Ms (unsufficient) tricks, an explorer extension is automatically added to the ms explorer.
      This extension is directly and completely driven by the usb key autorun.inf file.
      Of course, in case of worm or viruses, the first directive of this autorun is to tell explorer to define “virus.exe” as the DEFAULT explorer action when one will dbl-click on the drive icon. That is exactly your problem.
      To forbid/avoid this explorer pollution, go to regedit :
      1/ login as the user you want to protect from usb viruses, find the key HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/Mountpoints2.
      2/ delete subkeys you think “polluted” by previous usb key insertions (yes Windoz remembers previous pollutions!). Each subkey is a drive, I think (not sure)closely related to specific piece of hardware (I mean usb key “john” leads to a different subkey than usbkey “jane”).
      3/Then right-click permissions,
      do NOT brutally unclick “full control”, as it will be difficult to restore normal rights…
      advanced, select the logged user “full control” acl, then EDIT : just deny everything except read and query value.
      close everything.
      4/ Then logout login.
      5/ Insert an usb key or a CD with autorun.inf
      Provided you have disable autorun feature with classic MS tricks, nothings happen (normal) BUT now open explorer and dlb click on your USB KEY : just the explorer view opens and NOTHING executes!
      That’s it.

      • September 14, 2007 at 10:16 am #2604968

        Tip to strengthen the “Mountpoints2” registry key protection

        by delaage.pierre · about 16 years, 7 months ago

        In reply to I got the true solution: by forbidding shell extension on mountpoints2

        If you fear that a sophisticated worm may re-enable write permissions on the registry key “HKCU..Mountpoints2”, then just unclick “FULL CONTROL” with no hesitation when editing the permissions on the registry key.
        Then you will lose your control on that registry key and be UNABLE to gain it again by yourself.

        To restore the initial permissions:
        – login as the concerned user
        – with the explorer browse to the regedit executable.
        – Then right-click, run as, choose an admin account
        – Return to the users Mountpoints2 key, but VIA the proper HKEY_USERS/user branch (but HOW, as this branch has not a clear user name… well easy : do find keys named “LogonUserName” which are in HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer, and you will find the appropriate user branch)
        – Then right-click again on the mountpoints2 key and restore rights.

        Now you are ready for strong disabling of autorun.

        Note : all these things have been done on XP HOME sp2, xp pro is not at all necessary to
        do this, although it offers some nice guiz to do the same thing.

        Last problem: a user can still dbl click directly on virus.exe. So I think a trick forbidding any execution from a drive would be useful: any idea ?

        Thanks

      • December 21, 2007 at 3:32 pm #2650902

        Thanks!

        by nestor · about 16 years, 4 months ago

        In reply to I got the true solution: by forbidding shell extension on mountpoints2

        It works! Even for network/CD. Not only for removable! Great solution. Better than only disabling autorun.

      • January 16, 2009 at 6:19 pm #2984501

        Hm

        by nimd4 · about 15 years, 3 months ago

        In reply to I got the true solution: by forbidding shell extension on mountpoints2

        Sure, but what will happen when inserting a new USB drive, one that hasn’t been used before?

        If this isn’t what you meant, then by changing permissions higher-up in the tree, virtual CDs are also disabled and some other stuff potentially.

        So this isn’t the solution?

  • Author
    Replies
Viewing 1 reply thread