How to disable autorun when double-clicking on a volume in windows explorer

list_ado
Hello:

Through group policies or other changes in the Windows registry it's possible to disable the autorun feature which activates when a removable device is just plugged in, but I also need to disable the feature Windows Explorer has (at least in Windows 2000/XP) of activating autorun when we double-click on a volume if it contains the autorun.inf file at the root. It's possible to circumvent this behavior by using the context menu, but we could forget to do that.

I have encountered a number of worms exploiting the removable drive autorun feature and this would be a good step in prevention; I have taken into account that most users aren't aware of ways to prevent the kind of attack autorun allows, and antivirus software has failed me several times.
  • +
    0 Votes
    delaage.pierre

    When a USB key is inserted, and unfortunately even if AutoRun has been disabled by various MS (insufficient) tricks, an explorer extension is automatically added to the MS explorer.
    This extension is directly and completely driven by the usb key autorun.inf file.
    Of course, in case of worm or viruses, the first directive of this autorun is to tell explorer to define "virus.exe" as the DEFAULT explorer action when one will dbl-click on the drive icon. That is exactly your problem.
    To forbid/avoid this explorer pollution, go to regedit :
    1/ login as the user you want to protect from usb viruses, find the key HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/Mountpoints2.
    2/ delete subkeys you think "polluted" by previous usb key insertions (yes Windoz remembers previous pollutions!). Each subkey is a drive, I think (not sure) closely related to a specific piece of hardware (I mean usb key "john" leads to a different subkey than usb key "jane").
    3/ Then right-click permissions,
    do NOT brutally unclick "full control", as it will be difficult to restore normal rights...
    advanced, select the logged user "full control" acl, then EDIT : just deny everything except read and query value.
    close everything.
    4/ Then logout login.
    5/ Insert a usb key or a CD with autorun.inf
    Provided you have disabled the autorun feature with classic MS tricks, nothing happens (normal) BUT now open explorer and dbl click on your USB KEY : just the explorer view opens and NOTHING executes!
    That's it.

    +
    0 Votes
    delaage.pierre

    If you fear that a sophisticated worm may re-enable write permissions on the registry key "HKCU..Mountpoints2", then just unclick "FULL CONTROL" with no hesitation when editing the permissions on the registry key.
    Then you will lose your control on that registry key and be UNABLE to gain it again by yourself.

    To restore the initial permissions:
    - login as the concerned user
    - with the explorer browse to the regedit executable.
    - Then right-click, run as, choose an admin account
    - Return to the users Mountpoints2 key, but VIA the proper HKEY_USERS/user branch (but HOW, as this branch has not a clear user name... well easy : do find keys named "LogonUserName" which are in HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer, and you will find the appropriate user branch)
    - Then right-click again on the mountpoints2 key and restore rights.

    Now you are ready for strong disabling of autorun.

    Note : all these things have been done on XP HOME sp2, XP Pro is not at all necessary to do this, although it offers some nice GUIs to do the same thing.

    Last problem: a user can still dbl click directly on virus.exe. So I think a trick forbidding any execution from a drive would be useful: any idea ?

    Thanks

    +
    0 Votes
    nestor

    It works! Even for network/CD. Not only for removable! Great solution. Better than only disabling autorun.

    +
    0 Votes

    Hm

    nimd4

    Sure, but what will happen when inserting a new USB drive, one that hasn't been used before?

    If this isn't what you meant, then by changing permissions higher-up in the tree, virtual CDs are also disabled and some other stuff potentially.

    So this isn't the solution?
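
An added example, not part of the original thread: a Python check that reads an autorun.inf and reports the entries that make Explorer start a program, including the default drive verb that the first reply describes. The function name `audit_autorun` and the sample file content are constructed for illustration; `virus.exe` is the placeholder name used in the thread.

```python
import re

# [autorun] entries that name a program for Explorer to start.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... gives the command line for a drive-menu verb.
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$")

# Constructed sample; "virus.exe" is the placeholder name used in the thread.
SAMPLE = r"""; constructed autorun.inf for illustration
[AutoRun]
open=virus.exe
icon=folder.ico
shell=explore
shell\explore\command=virus.exe
shell\scan\command=scanner.exe /q
[Content]
MusicFiles=false
"""


def audit_autorun(text):
    """Return (kind, command) for each entry that makes Explorer run a program."""
    findings, section, default_verb, verbs = [], None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # only the [autorun] section drives execution
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        match = VERB_CMD.match(key)
        if key in EXEC_KEYS:
            findings.append((key, value))
        elif key == "shell":
            default_verb = value.lower()  # shell=<verb> selects the default verb
        elif match:
            verbs[match.group(1)] = value
    for verb, command in verbs.items():
        kind = "default-verb" if verb == default_verb else "menu-verb"
        findings.append((kind, command))
    return findings


if __name__ == "__main__":
    for kind, command in audit_autorun(SAMPLE):
        print(f"{kind:13} {command}")
```

Run against the autorun.inf at the root of a volume before opening it in Explorer; any `default-verb` or `open` finding is a command that a double-click or AutoPlay would hand to Explorer.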
