How to effectively disable AutoRun-AutoPlay in Windows computers
Takeaway:
This article about (disabling) AutoPlay was supposed to be a sub-section in another article that I am composing about the Conficker/Downadup Worm, but in light of fresh information it has been promoted into its own article. If you already understand how AutoRun works skip down to the "Solution" section, in my extended comments.
AutoRun has been part of every Windows release since Windows 95 (the AutoPlay prompt itself was added in Windows XP). It lets data, video and music CDs and DVDs start automatically when a pre-recorded disc is inserted into the drive and the tray is closed, which is a convenience for most users. From Windows XP onward, inserting a blank recordable disc into a burner pops up a box asking what you want to do. This is familiar stuff by now.
When you plug in a USB thumbdrive, camera memory module, external USB drive, Firewire disk, or map a network drive, one of two things usually happens. Normally, a box pops up asking what action you wish to take, with a default action highlighted. Most people usually choose to open these drives in a folder view and often select the option to remember that decision and not ask again. If they have selected that option the next time they plug in such a drive or module the device will automatically open as expected, without prompting.
When an external drive or device is plugged into a Windows PC and AutoPlay is on (which it usually is), a file named Autorun.inf in the root of that drive can cause a program on the device to execute immediately; malware normally marks the file hidden so it is not noticed in a folder view. This is how setup programs start themselves when you insert an installation disc. Autorun.inf files are tiny plain-text files containing just a few lines of directives (for example an open= line naming the setup executable and an icon= line), and can be read in Notepad.
However, malware authors have begun exploiting this feature to spread their viruses and hostile programs to computers via removable drives and memory sticks, using a hidden Autorun.inf to run the Conficker/Downadup Worm's installation routine. This happens the moment the device is plugged into a PC that still honours Autorun.inf, or when the drive is opened in Explorer. This is one of the ways the Worm spreads in multi-computer environments. If an employee picks up the Conficker Worm while out of the office, saves work documents to a thumbdrive and then plugs that drive into his or her work computer, the Worm can infect that computer and then attempt to infect the entire LAN!
To protect networks and standalone computers from being infected via infected removable drives, various sources have recommended disabling the AutoPlay feature. Microsoft has entire pages devoted to this trick, and I have read details about fine-tuning the AutoPlay restrictions so they apply only to removable drives, not CDs and DVDs. This all sounded like a good preventative measure until today, when I read Technical Cyber Security Alert TA09-020A on the US-CERT website. That bulletin makes it clear that simply disabling AutoPlay via Group Policy or the commonly recommended Registry hacks does NOT prevent infection via removable devices, because those settings do not stop Windows from parsing Autorun.inf for instructions, which are then carried out automatically even with AutoPlay turned completely OFF!
From the CERT bulletin:

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file.
By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.
Read my extended comments for solutions to this vulnerability.
Solution
The only solution to the AutoRun vulnerability is to disable its parsing for instructions in Autorun.inf files.

Disable AutoRun in Microsoft Windows
Produced 2009 by US-CERT, a government organization.
To effectively disable AutoRun in Microsoft Windows, import the following registry value:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
To import this value, perform the following steps:
- Copy the text
- Paste the text into Windows Notepad
- Save the file as autorun.reg
- Navigate to the file location
- Double-click the file to import it into the Windows registry
Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin Atac for providing the workaround.
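As an added check (example code written for this article, not part of the CERT workaround quoted above or of any Microsoft tool), the script below reads the text of a registry export and reports whether the IniFileMapping redirect is present, or whether only the NoDriveTypeAutoRun policy value that the bulletin calls ineffective has been set. The two .reg samples are constructed for the demo; a real export produced with "reg export <key> file.reg" is UTF-16 encoded and must be decoded before being passed in.

```python
"""Audit registry export text for the AutoRun settings discussed in TA09-020A.

Added example for this article; not part of the CERT workaround or any Microsoft tool.
Assumptions: the input is the decoded text of a .reg export (reg export writes UTF-16;
read it with encoding="utf-16" before passing it here). Sample exports below are constructed.
"""
import re

INIFILEMAPPING_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                      r"\CurrentVersion\IniFileMapping\Autorun.inf")
POLICY_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ALL_DRIVE_TYPES = 0xFF  # NoDriveTypeAutoRun bitmask covering every drive type


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}}; a key's default value is stored as '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        if name != "@":
            name = name.strip('"')
        keys[current][name] = value.strip()
    return keys


def autorun_inf_parsing_blocked(keys):
    """True when Autorun.inf lookups are redirected to a registry key that does not exist."""
    for path, values in keys.items():
        if path.lower() == INIFILEMAPPING_KEY.lower():
            return values.get("@", "").strip('"').lower() == "@sys:doesnotexist"
    return False


def no_drive_type_autorun(keys):
    """Return the NoDriveTypeAutoRun bitmask from the HKLM or HKCU policy key, or None if unset."""
    for path, values in keys.items():
        if path.lower().endswith(POLICY_KEY_SUFFIX.lower()):
            for name, value in values.items():
                m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", value)
                if name.lower() == "nodrivetypeautorun" and m:
                    return int(m.group(1), 16)
    return None


def assess(text):
    """Classify the export as mitigated, incomplete (policy value only) or exposed."""
    keys = parse_reg_export(text)
    blocked = autorun_inf_parsing_blocked(keys)
    mask = no_drive_type_autorun(keys)
    if blocked:
        verdict = "mitigated: Autorun.inf is never parsed"
    elif mask == ALL_DRIVE_TYPES:
        verdict = "incomplete: NoDriveTypeAutoRun=0xFF only; Autorun.inf is still parsed (TA09-020A)"
    else:
        verdict = "exposed: no AutoRun mitigation found"
    return {"inifilemapping": blocked, "nodrivetypeautorun": mask, "verdict": verdict}


# Constructed sample exports (not captured from a real machine).
WEAK_ONLY = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

HARDENED = WEAK_ONLY + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

if __name__ == "__main__":
    for label, sample in (("policy value only", WEAK_ONLY), ("IniFileMapping added", HARDENED)):
        print(f"{label}: {assess(sample)['verdict']}")
```

The first sample is the configuration the bulletin warns about: the policy bitmask is at its maximum, yet Autorun.inf is still read. Only the second sample, with the IniFileMapping redirect, is reported as mitigated.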
Upon being notified about this continued vulnerability, Microsoft released a new article describing how to correctly disable AutoRun so that it actually does what one wants: nothing runs automatically when a drive is inserted or opened for viewing. The accompanying patches are available from Microsoft but must be downloaded and installed manually. Methinks they might be considering pushing them out in another out-of-cycle Windows Update (just speculating).
Note that once you disable the parsing of Autorun.inf, you lose AutoRun behaviour on all drive types, including mapped drives: a disc's own setup program will no longer start itself, and the extra actions a disc's Autorun.inf defines will no longer appear or run. To install from such a disc, open the drive in Folder View and locate the setup file yourself. You can do this fairly easily: turn on the display of hidden files to reveal Autorun.inf, open it in Notepad, and look at the open= line (or shellexecute=, or a shell\...\command= line), which names the program the disc would have launched. The action= line is only the caption the AutoPlay dialog would have shown. Drill down to that program manually, scan it for malware, and then run it.
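The Autorun.inf format described earlier and the manual "find the setup file" step just above can both be done by a small script. The following is an added example written for this article (not code from the article's author, from US-CERT or from Microsoft): it reads an Autorun.inf leniently, the way the Windows INI reader tolerates junk lines and mixed-case keys, resolves the paths relative to the drive root as the shell does, and flags the tricks worth a second look before anything is run. The drive letter E: and both Autorun.inf texts are assumptions constructed for the demo; the second is modelled on the pattern of worm-style files (padding, a script host, a payload under RECYCLER), not copied from a real sample.

```python
"""Triage an Autorun.inf the way a cautious user would before running anything from a disc.

Added example for this article, not code from the article's author or from Microsoft.
Assumptions: the drive is mounted as E:\ (change drive_root); the two Autorun.inf texts
below are constructed for the demo, one from a benign vendor disc and one built on the
pattern of worm-style files (junk padding, a script host, a payload under RECYCLER).
"""
import ntpath

# Programs that run something else; the real payload is in their arguments.
SCRIPT_HOSTS = {"rundll32.exe", "cmd.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "mshta.exe"}
# Folders Explorer hides by default, a common place to stash a payload on removable media.
HIDING_PLACES = ("recycler", "$recycle.bin", "system volume information")
EXPLORER_OPEN_TEXT = "open folder to view files"  # Explorer's own AutoPlay entry, often imitated


def parse_autorun_inf(text):
    """Lenient INI read: keep key=value lines from the [autorun] section, ignore everything else
    (comments, junk padding). Keys are case-insensitive; the first occurrence wins here.
    Architecture-specific sections such as [autorun.alpha] are ignored in this example."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and "]" in line:
            in_autorun = line[1:line.index("]")].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key and key not in directives:
                directives[key] = value.strip().strip('"')
    return directives


def launch_commands(directives):
    """The directives that name something to execute: open=, shellexecute=, shell\\<verb>\\command=."""
    return {k: v for k, v in directives.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))}


def split_command(command):
    """Program token plus argument tokens; honours a quoted program path."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].split()
    parts = command.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def resolve_on_drive(token, drive_root):
    """Autorun.inf paths are relative to the root of the drive the file sits on."""
    token = token.split(",")[0]  # rundll32 syntax is dll,entrypoint; icon syntax is file,index
    if "%" in token:  # %SystemRoot% etc. point at the installed Windows, not the removable drive
        return None
    if ntpath.isabs(token) or ntpath.splitdrive(token)[0]:
        return ntpath.normpath(token)
    return ntpath.normpath(ntpath.join(drive_root, token))


def triage(text, drive_root="E:\\"):
    """Return the parsed directives, the files on the drive they point at, and warning findings."""
    directives = parse_autorun_inf(text)
    files, findings = set(), []
    for key, command in launch_commands(directives).items():
        program, args = split_command(command)
        prog_name = ntpath.basename(program).lower()
        if prog_name in SCRIPT_HOSTS:
            findings.append(f"{key}= runs {prog_name}; the payload is in its arguments: {' '.join(args)}")
            candidates = args
        else:
            candidates = [program] + args
        for token in candidates:
            path = resolve_on_drive(token, drive_root)
            if path and "." in ntpath.basename(path):
                files.add(path)
                if any(h in path.lower() for h in HIDING_PLACES):
                    findings.append(f"{key}= points into a hidden system folder: {path}")
    if EXPLORER_OPEN_TEXT in directives.get("action", "").lower():
        findings.append("action= imitates Explorer's own 'Open folder to view files' entry")
    return {"directives": directives, "files": sorted(files), "findings": findings}


# Constructed samples (not real files). The second mimics the shape of worm-style Autorun.inf files.
BENIGN_INF = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Setup Disc
action=Install Vendor Application
"""

WORM_STYLE_INF = r"""x7Qz41 padding the INI reader ignores
;another ignored line
[AutoRun]
Action=Open folder to view files
Icon=%SystemRoot%\system32\shell32.dll,4
k9v2 more padding
shellexecute=RUNDLL32.EXE .\RECYCLER\S-1-5-21-0-0-0-1000\payload.dll,install
UseAutoPlay=1
shell\open\command=RUNDLL32.EXE .\RECYCLER\S-1-5-21-0-0-0-1000\payload.dll,install
shell\open=Open folder to view files
"""

if __name__ == "__main__":
    for name, inf in (("vendor disc", BENIGN_INF), ("worm-style", WORM_STYLE_INF)):
        result = triage(inf)
        print(name, "->", result["files"], result["findings"] or "no findings")
```

For the vendor disc the script simply hands back E:\setup.exe, the file to scan and then run by hand. For the worm-style file it shows why the action= caption is not where to look: the caption pretends to be Explorer's own folder-open entry, while the actual launch lines run rundll32.exe against a DLL hidden under RECYCLER.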
I hope this helps you protect your computers and networks from unintended infections via thumbdrives or other removable media. I will post an article about the Conficker/Downadup Worm later.
Note: if you have a computer that is already infected you should take it offline. Buy a new thumbdrive that has a write-protect switch, or grab a CD-R disc, and take it to an uninfected computer that has the MS08-067 patch installed (released out-of-cycle on October 23, 2008). Visit the Microsoft Malicious Software Removal Tool page and download the most current version to the thumbdrive or recordable CD. Also try to download updates or setup packages for your installed anti-malware products, which may have been disabled by the Worm. If you save these things to a thumbdrive be sure to flip it to READ ONLY afterward. Failure to do so will result in the drive becoming infected with the Worm as soon as it is plugged into the infected PC.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.