How to disable autorun when double-clicking on a volume in windows explorer

By list_ado
Hello:

Through group policies or other changes in the Windows registry it's possible to disable the autorun feature which activates when a removable device is just plugged in, but I also need to disable the feature Windows Explorer has (at least in Windows 2000/XP) of activating autorun when we double-click on a volume if it contains the autorun.inf file at the root. It's possible to circumvent this behavior by using the context menu, but we could forget to do that.

I have encountered a number of worms exploiting the removable drive autorun feature and this would be a good step in prevention; I have taken into account that most users aren't aware of ways to prevent the kind of attack autorun allows, and antivirus software has failed me several times.

All Answers

I got the true solution: by forbidding shell extension on mountpoints2

by delaage.pierre In reply to How to disable autorun wh ...

When a USB key is inserted, and unfortunately even if AutoRun has been disabled by various MS (insufficient) tricks, an explorer extension is automatically added to the MS explorer.
This extension is directly and completely driven by the USB key's autorun.inf file.
Of course, in case of worms or viruses, the first directive of this autorun is to tell explorer to define "virus.exe" as the DEFAULT explorer action when one double-clicks on the drive icon. That is exactly your problem.
To forbid/avoid this explorer pollution, go to regedit:
1/ Log in as the user you want to protect from USB viruses, find the key HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/Mountpoints2.
2/ Delete the subkeys you think are "polluted" by previous USB key insertions (yes, Windoz remembers previous pollutions!). Each subkey is a drive, I think (not sure) closely related to a specific piece of hardware (I mean USB key "john" leads to a different subkey than USB key "jane").
3/ Then right-click, Permissions;
do NOT brutally unclick "full control", as it will be difficult to restore normal rights...
Advanced, select the logged user's "full control" ACL, then EDIT: just deny everything except read and query value.
Close everything.
4/ Then log out and log in.
5/ Insert a USB key or a CD with autorun.inf.
Provided you have disabled the autorun feature with classic MS tricks, nothing happens (normal) BUT now open explorer and double-click on your USB KEY: just the explorer view opens and NOTHING executes!
That's it.
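
The audit and lock-down steps from the answer above, written as a PowerShell script; this is an added example and not part of the original post. The `-Apply` switch is a hypothetical name, and the script assumes a narrower deny rule than the post describes (only value writes, subkey creation and deletion are denied), so the user can still read the key and remove the rule later.

```powershell
# Added example, not from the thread. -Apply is a hypothetical switch name.
param([switch]$Apply)

$path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# Step 2 of the post, as a read-only audit: list every "command" key that a
# volume's autorun.inf has registered under MountPoints2, with the program
# Explorer would launch for that verb.
Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'command' } |
    Select-Object Name, @{ Name = 'Command'; Expression = { $_.GetValue('') } } |
    Format-List

# Step 3 of the post: add a Deny entry for the logged-on user so Explorer can
# no longer record new shell verbs. Assumption: only write-type rights are
# denied here, which is narrower than "everything except read and query value".
if ($Apply) {
    $user   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
                  $user, $rights,
                  [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
                  [System.Security.AccessControl.PropagationFlags]'None',
                  [System.Security.AccessControl.AccessControlType]'Deny')

    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Show the resulting entries so the Deny rule can be confirmed.
    (Get-Acl -Path $path).Access |
        Select-Object IdentityReference, AccessControlType, RegistryRights
}
```

Run it once without `-Apply` to review what is already recorded, delete the entries you do not trust, then run it again with `-Apply` and log out and back in as the post describes.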

Tip to strengthen the "Mountpoints2" registry key protection

by delaage.pierre In reply to I got the true solution: ...

If you fear that a sophisticated worm may re-enable write permissions on the registry key "HKCU..Mountpoints2", then just unclick "FULL CONTROL" with no hesitation when editing the permissions on the registry key.
Then you will lose your control on that registry key and be UNABLE to gain it again by yourself.

To restore the initial permissions:
- log in as the concerned user
- with the explorer, browse to the regedit executable.
- Then right-click, Run as, choose an admin account
- Return to the user's Mountpoints2 key, but VIA the proper HKEY_USERS/user branch (but HOW, as this branch does not have a clear user name... well, easy: do find keys named "LogonUserName" which are in HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer, and you will find the appropriate user branch)
- Then right-click again on the mountpoints2 key and restore rights.

Now you are ready for strong disabling of autorun.

Note: all these things have been done on XP Home SP2; XP Pro is not at all necessary to do this, although it offers some nice GUIs to do the same thing.

Last problem: a user can still double-click directly on virus.exe. So I think a trick forbidding any execution from a drive would be useful: any idea?

Thanks

Thanks!

by nestor In reply to I got the true solution: ...

It works! Even for network/CD. Not only for removable! Great solution. Better than only disabling autorun.

Hm

by nimd4 In reply to I got the true solution: ...

Sure, but what will happen when inserting a new USB drive, one that hasn't been used before?

If this isn't what you meant, then by changing permissions higher-up in the tree, virtual CDs are also disabled and some other stuff potentially.

So this isn't the solution?
