
How to Disable AutoRuns on Windows

Microsoft introduced the AutoRun feature as a convenient method for automatically starting a program upon insertion of removable media. AutoRun is found on all removable media such as CDs, DVDs and USB memory sticks.

This feature poses a serious security risk, as it allows malware to spread with very little interaction on the part of the end user. There has been an increase in malware using the AutoRun feature.

AutoRun vs. AutoPlay

Though AutoRun and AutoPlay are terms that have been used interchangeably, they have different functions.

AutoRun

Introduced by Microsoft with the release of Windows 95, AutoRun automatically starts programs on removable media when the media is inserted into a computer.

AutoPlay

Introduced by Microsoft with the release of Windows XP, AutoPlay lets you choose which program to use for different types of media. For example, if more than one media player is installed on a computer, AutoPlay asks the user which media player to use.

AutoPlay is different from AutoRun. AutoPlay asks you what action to perform, instead of arbitrarily executing a list of instructions contained in a file.

Autorun.inf

This simple text-based configuration file contains instructions for the operating system. It could include instructions such as what executable to start, icons to use and any additional contextual menu commands to make available.

When a computer detects a removable device, it searches for autorun.inf in the root of the device, and if located executes the instructions in autorun.inf.

About Autorun Worms

Misconceptions about AutoRun Worms:

  1. The notion that these worms spread only via infected USB drives
  2. The belief that autorun can be successfully disabled via the Group Policy Editor (GPE).

AutoRun worms often come bundled with malware delivered via the World Wide Web, Email, Instant Messengers, or other attack vectors. Once the system becomes infected, in addition to infecting removable drives, AutoRun worms will also infect discoverable mapped drives. So, if an AutoRun worm is running amok on your network, it doesn't mean you have multiple users plugging in infected USB drives.

AutoRun worms spread by copying the worm to the drive, and then creating an autorun.inf in the root folder of the drive. The autorun.inf loads the copy of the worm, each time you access the drive. Every time the worm is loaded, it searches for new drives to infect, repeating the cycle over and over.

The first step in removing AutoRun infections is to stop the spread of the worm by disabling the AutoRun feature. Most administrators rely on the GPE to make this sort of change. Because of some rather odd behavior in unpatched versions of Windows, AutoRun settings changed via the GPE may be ignored. Microsoft released a patch, http://support.microsoft.com/kb/953252, addressing these issues, but rather than chance it, there is a much simpler way to completely kill AutoRun.

AutoRun worms rarely travel alone. Once infected, you can typically expect additional malware to be downloaded to the system.

Prerequisites to disable Autorun capabilities

To disable Autorun capabilities, you must install the update appropriate for your system, below:

There is a long-standing issue with Windows not correctly handling AutoRun registry entries. When AutoRun is disabled, Windows should not proceed further than the registry check. However, Windows still parses the autorun.inf on every drive where it is present and honors all of its commands except those that invoke AutoPlay or launch an application.

This leaves the system open to attack from malware that uses the autorun.inf. Double-clicking the drive icon will infect the system. Right-clicking and selecting "Explore" or "Open" from the context menu is not a workaround, as these menu items can be taken over by the appropriate autorun.inf entries.

Windows 95 and Windows 98 are not affected.

These are fixes which address the Double Click, Contextual Menu and AutoPlay functionality.

These patches also allow reverting to the previous functionality on a per-user and per-machine basis by changing a Registry entry:

When you install update 950582, the HonorAutorunSetting registry key is created only in the HKEY_LOCAL_MACHINE registry hive. The registry key has a default value of 0x1. If the registry key is present in both the HKEY_LOCAL_MACHINE registry hive and the HKEY_CURRENT_USER registry hive, the HKEY_LOCAL_MACHINE hive setting takes priority.

Disabling autorun

There are several ways to prevent autorun.inf from executing. However, some are more effective than others.

The solution listed on this page combines all the known techniques to disable AutoRun. The effectiveness of this solution relies mainly on the end user: even with the AutoRun feature disabled, nothing stops the end user from clicking on malicious executable files. MalwareTeks recommends that the end user have preventive security measures in place, including but not limited to up-to-date anti-virus and a firewall with restrictive rules.

CAUTION
This solution involves changing registry settings. MalwareTeks recommends that a backup of the registry be created before applying any registry changes.

Windows 2000/XP/Server 2003/Vista/Server 2008/7:

Copy the below code to Notepad. Save As DisableAutoRuns.reg to your Desktop; make sure File Type: is set to All Files (*.*).

Windows Registry Code
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutorunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutorunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000001

Locate DisableAutoRuns.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

NOTE
KB950582 must be applied before the registry changes made by this patch can take effect.
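Before merging a .reg file that rewrites policy keys, it is worth checking exactly what it will do. The following Python script is an added example (not MalwareTeks' code): a small parser for the Regedit 5.00 format that models only the constructs DisableAutoRuns.reg uses ([key] and [-key] sections, @ and "Name" values, "string", dword: and =- data), simulates the merge into an in-memory registry, and then audits the result against the values this page prescribes. The embedded .reg text is a copy of the file above; the registry contents in the test are constructed.

```python
"""Parser and merge simulator for Regedit 5.00 .reg files, used to audit
DisableAutoRuns.reg before it is merged. Added example, not MalwareTeks code."""
import re

# Copy of the page's DisableAutoRuns.reg, embedded so this runs offline.
DISABLE_AUTORUNS_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutorunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutorunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000001
"""

DELETE = object()  # sentinel: the key or value is removed when merged

def _parse_data(data):
    if data == "-":                       # "Name"=-  deletes the value
        return DELETE
    if data.startswith("dword:"):         # dword:xxxxxxxx is hexadecimal
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])   # unescape \" and \\
    raise ValueError("unsupported data: " + data)

def parse_reg(text):
    """Return [(key, action)] in file order; action is DELETE for a [-key]
    section, otherwise a dict of value name -> data for that [key]."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("missing Regedit 5.00 header")
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            current = None if key.startswith("-") else {}
            ops.append((key.lstrip("-"), DELETE if current is None else current))
            continue
        if current is None:
            raise ValueError("value line outside a [key] section: " + line)
        name, _, data = line.partition("=")   # value names in this file contain no '='
        current["(Default)" if name == "@" else name.strip('"')] = _parse_data(data)
    return ops

def merge(ops, registry=None):
    """Apply parsed operations to a dict registry {key_lower: {name: data}} the way
    regedit does: [-key] removes the key and its subkeys, =- removes one value."""
    reg = {} if registry is None else registry
    for key, action in ops:
        k = key.lower()
        if action is DELETE:
            for e in [e for e in reg if e == k or e.startswith(k + "\\")]:
                del reg[e]
            continue
        vals = reg.setdefault(k, {})
        for name, data in action.items():
            if data is DELETE:
                vals.pop(name, None)
            else:
                vals[name] = data
    return reg

POLICY = r"software\microsoft\windows\currentversion\policies\explorer"
HARDENED = {"HonorAutorunSetting": 1, "NoDriveAutoRun": 0x3FFFFFF, "NoDriveTypeAutoRun": 0xFF}

def audit(reg):
    """List the checks from this page that the registry state fails (empty = all pass)."""
    failed = []
    for hive in ("hkey_local_machine", "hkey_current_user"):
        vals = reg.get(hive + "\\" + POLICY, {})
        failed += [f"{hive}: {n} != {d:#x}" for n, d in HARDENED.items() if vals.get(n) != d]
    inimap = r"hkey_local_machine\software\microsoft\windows nt\currentversion\inifilemapping\autorun.inf"
    if reg.get(inimap, {}).get("(Default)") != "@SYS:DoesNotExist":
        failed.append("autorun.inf is not mapped to @SYS:DoesNotExist")
    if reg.get(r"hkey_local_machine\system\currentcontrolset\services\cdrom", {}).get("AutoRun") != 1:
        failed.append("Cdrom\\AutoRun != 1 (media change notification off)")
    mp = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\mountpoints2"
    if any(e.startswith(mp + "\\") for e in reg):
        failed.append("MountPoints2 still holds cached device subkeys")
    return failed
```

Running parse_reg on the file above yields six operations; merging them into a registry that still holds a cached MountPoints2 device subkey and the XP default NoDriveTypeAutoRun of 0x91 leaves a state on which audit returns an empty list, which is the point of the delete-then-recreate pair in the file.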

Undo DisableAutoRuns.reg (Windows XP/Vista/Server 2008/7):

Copy the below code to Notepad. Save As UndoDisableAutoRuns.reg to your Desktop; make sure File Type: is set to All Files (*.*).

Windows Registry Code
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=-
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=-
"NoDriveTypeAutoRun"=-
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutorunSetting"=-
"NoDriveAutoRun"=-
"NoDriveTypeAutoRun"=dword:00000091

Locate UndoDisableAutoRuns.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Undo DisableAutoRuns.reg (Windows 2000/Server 2003):

Copy the below code to Notepad. Save As UndoDisableAutoRuns.reg to your Desktop; make sure File Type: is set to All Files (*.*).

Windows Registry Code
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=-
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=-
"NoDriveTypeAutoRun"=-
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutorunSetting"=-
"NoDriveAutoRun"=-
"NoDriveTypeAutoRun"=dword:00000095

Locate UndoDisableAutoRuns.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

So, what does all this mean?

NoDriveAutoRun

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Data type   Range             Default value
REG_DWORD   0x0 - 0x3ffffff   0x0

Determines whether the Autoplay feature is enabled on each drive connected to the system. When Autoplay is enabled, media starts automatically when it is inserted in the drive.

The value of this entry consists of 32 bits. The lower 26 bits each represent a drive, with the lowest (right-most) bit representing drive A, and the 26th bit from the right representing drive Z.

Drive   Value       Drive   Value       Drive   Value
NONE    0x0         J:      0x200       T:      0x80000
A:      0x1         K:      0x400       U:      0x100000
B:      0x2         L:      0x800       V:      0x200000
C:      0x4         M:      0x1000      W:      0x400000
D:      0x8         N:      0x2000      X:      0x800000
E:      0x10        O:      0x4000      Y:      0x1000000
F:      0x20        P:      0x8000      Z:      0x2000000
G:      0x40        Q:      0x10000     ALL     0x3ffffff
H:      0x80        R:      0x20000
I:      0x100       S:      0x40000

A value of 0x3ffffff will disable the AutoRun feature on all drives.

NoDriveTypeAutoRun

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Data type   Range         Default value
REG_DWORD   0x0 - 0xff    0x91 or 0x95

Disables the Autoplay feature on all drives of the type specified.

Autoplay begins reading from a drive as soon as media is inserted in the drive. As a result, a program's setup file or the sound on audio media starts immediately.

This Registry entry disables or enables the AutoRun feature on all drives of the type specified. It reflects the setting of the relevant Autoplay Group Policy. Valid data ranges from 0x00 to 0xff in hexadecimal notation. If the entry is not present, the default data value is either 0x91 or 0x95 depending on the version of Windows used.

Value   Meaning
0x1     Disables Autoplay on drives of unknown type.
0x4     Disables Autoplay on removable drives.
0x8     Disables Autoplay on fixed drives.
0x10    Disables Autoplay on network drives.
0x20    Disables Autoplay on CD-ROM drives.
0x40    Disables Autoplay on RAM drives.
0x80    Disables Autoplay on drives of unknown type.
0xff    Disables Autoplay on all types of drives.

Default Values

Operating system                 Default setting
Microsoft Windows 95             0x95
Microsoft Windows 98             0x95
Microsoft Windows ME             0x95
Microsoft Windows NT 4           0x95
Microsoft Windows 2000           0x95
Microsoft Windows XP             0x91
Microsoft Windows Server 2003    0x95
Microsoft Windows Vista          0x91
Microsoft Windows Server 2008    0x91
Microsoft Windows 7              0x91

NOTE
Autoplay is disabled on any drive if the value of either NoDriveAutoRun (in HKLM or HKCU) or NoDriveTypeAutoRun (in HKLM or HKCU) is set to disable it. But if NoDriveAutoRun or NoDriveTypeAutoRun appears in HKEY_LOCAL_MACHINE, the corresponding entry in HKEY_CURRENT_USER is ignored.

Windows 2000, Windows Server 2003 and versions of Windows before Windows XP use the value 0x95. This disables AutoRun on Unknown, Network and Removable drives.

Windows XP and later use the value 0x91, which disables AutoRun on Unknown and Network drives. Removable drives are now enabled, reflecting the added AutoPlay feature in Windows XP.

AutoRun is, by default, enabled for CD and DVD, Fixed and RAM drives on all versions of Windows from Windows 95.

A value of 0xff disables the AutoRun feature on all drives.
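The two bitmasks and the precedence note above are easy to misread when auditing a machine, so here is an added Python example (not MalwareTeks' code) that encodes and decodes NoDriveAutoRun by drive letter and NoDriveTypeAutoRun by drive type using the bit assignments tabled on this page, resolves HKLM over HKCU as the note describes, falls back to the version-dependent default (0x91 or 0x95) when an entry is absent, and honours the Cdrom\AutoRun=0 override for CD-ROM drives. The hive contents passed in are constructed; on a live system they would come from the two Policies\Explorer keys.

```python
"""Decoder for NoDriveAutoRun / NoDriveTypeAutoRun and the HKLM-over-HKCU
precedence rule. Added example, not MalwareTeks code; bit assignments are
the ones tabled on this page."""

ALL_DRIVES = 0x3FFFFFF  # low 26 bits: bit 0 = A:, bit 25 = Z:
DRIVE_TYPE_BITS = {     # NoDriveTypeAutoRun bits
    0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
    0x20: "CD-ROM", 0x40: "RAM", 0x80: "unknown (reserved)",
}

def drive_bit(letter):
    """Bit in NoDriveAutoRun for one drive letter ('C' or 'C:')."""
    letter = letter.rstrip(":").upper()
    if len(letter) != 1 or not "A" <= letter <= "Z":
        raise ValueError("bad drive letter: %r" % letter)
    return 1 << (ord(letter) - ord("A"))

def drives_mask(letters):
    """NoDriveAutoRun value that disables AutoRun on exactly these drives."""
    mask = 0
    for letter in letters:
        mask |= drive_bit(letter)
    return mask

def decode_drives(mask):
    """Drive letters a NoDriveAutoRun value disables."""
    if mask & ~ALL_DRIVES:
        raise ValueError("only the low 26 bits are defined")
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]

def decode_types(value):
    """Drive types a NoDriveTypeAutoRun value disables."""
    if not 0 <= value <= 0xFF:
        raise ValueError("valid range is 0x00-0xff")
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]

def effective(hklm, hkcu, default_type=0x91):
    """Resolve both entries as the note describes: an entry present in HKLM hides
    the HKCU entry of the same name; an entry absent from both takes its default
    (0x0 for NoDriveAutoRun; 0x91 or 0x95 for NoDriveTypeAutoRun by Windows version)."""
    out = {}
    for name, default in (("NoDriveAutoRun", 0x0), ("NoDriveTypeAutoRun", default_type)):
        out[name] = hklm.get(name, hkcu.get(name, default))
    return out

def autorun_disabled_on(letter, drive_type, hklm, hkcu, default_type=0x91, cdrom_autorun=1):
    """True if AutoRun is disabled for this drive: the per-drive mask or the
    per-type mask disables it (either entry suffices); for CD-ROM drives
    Cdrom\\AutoRun=0 suppresses it regardless of both masks."""
    if drive_type == "CD-ROM" and cdrom_autorun == 0:
        return True
    pol = effective(hklm, hkcu, default_type)
    type_bit = {name: bit for bit, name in DRIVE_TYPE_BITS.items()}[drive_type]
    return bool(pol["NoDriveAutoRun"] & drive_bit(letter) or pol["NoDriveTypeAutoRun"] & type_bit)

if __name__ == "__main__":
    # Constructed scenario: the hardened HKLM values from this page, plus a
    # user hive that tries to re-enable everything (ignored by precedence).
    hardened = {"NoDriveAutoRun": ALL_DRIVES, "NoDriveTypeAutoRun": 0xFF}
    user = {"NoDriveAutoRun": 0x0, "NoDriveTypeAutoRun": 0x0}
    print("0x91 disables:", decode_types(0x91))
    print("E: removable, XP default:", autorun_disabled_on("E", "removable", {}, {}))
    print("E: removable, hardened HKLM:", autorun_disabled_on("E", "removable", hardened, user))
```

With no entries in either hive, a removable drive on the XP default of 0x91 still has AutoRun enabled, while the pre-XP default of 0x95 disables it; with the hardened HKLM values in place the user hive cannot re-enable anything.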

HonorAutorunSetting

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Data type   Range    Default value
REG_DWORD   0 or 1   1

Setting this entry to 0 restores the insecure pre-patch behavior.

Autorun

HKLM\SYSTEM\CurrentControlSet\Services\Cdrom

Data type   Range    Default value
REG_DWORD   0 or 1   1

Determines whether the system sends a Media Change Notification (MCN) message to Windows, when it detects that a CD-ROM is inserted in the drive. The MCN message triggers media-related features, such as Autoplay.

If the MCN message is disabled, the media features that use it do not operate.

If the value of this entry is 0, Autoplay does not operate, regardless of the value of the NoDriveAutoRun entry (in HKLM and HKCU) and the NoDriveTypeAutoRun entry (in HKLM and HKCU).

We make sure that the default setting is written to the registry, to ensure that the system detects when a CD is inserted into the drive, or a CD is changed.

Autorun.inf

HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\autorun.inf

Entry name   Data type   Value
(Default)    REG_SZ      @SYS:DoesNotExist

The (Default) Registry entry name is also called (NULL) or, in a Registry file, "@".

This workaround involves using initialisation file mapping to create a mapping between the autorun.inf initialisation file and the Registry. This procedure relies on the fact that an autorun.inf file is a standard Windows INI file and so the appropriate API calls are used by Windows when fetching its settings. These API calls can be redirected using the INI file mapping method.

This method was first mentioned in Nick Brown's blog and is also referred to in the US-CERT Vulnerability Note.

The registry patch creates a subkey called autorun.inf under the HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping key and sets the (Default) entry under the new autorun.inf key to the string @SYS:DoesNotExist.

Now whenever Windows tries to read a file called "autorun.inf" using the INI programming calls, it will fail to read the actual file. Instead, all settings are read from the HKEY_LOCAL_MACHINE\Software\DoesNotExist Registry key. Since this key does not exist, it is as if the autorun.inf file contains no settings information. This applies to any autorun.inf in any location, on any drive.

The only drawback is that installation of software from an autorunning install CD or DVD is no longer automatic. It will be necessary to view the CD's autorun.inf file and then execute the appropriate install program manually.
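Once autorun.inf is mapped away, the disc's own file is the only record of what it would have started, and the section on Autorun.inf earlier on this page lists the kinds of instructions it carries. The following Python script is an added example (not MalwareTeks' code) of reading an autorun.inf so the user can launch the installer by hand and, as a side benefit, see whether the file redefines Explorer's own Open or Explore verbs, which is the context-menu takeover described above. It uses the documented autorun.inf entries open, shellexecute, icon, label, shell and shell\verb\command; both sample files are constructed for the example and are not taken from any real disc.

```python
"""Inspector for autorun.inf entries, for a disc or drive on which AutoRun has
been disabled: reports which program the disc would have started and flags
entries that shadow Explorer's built-in verbs. Added example, not MalwareTeks code."""
import configparser

# Constructed samples, not taken from any real disc.
INSTALL_DISC = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Sample Product 2.0
shell\install\command=setup.exe /quiet
shell\install=&Install Sample Product
"""

REDEFINES_VERBS = r"""[AutoRun]
open=copy_of_worm.exe
shell\open\command=copy_of_worm.exe
shell\explore\command=copy_of_worm.exe
shell=open
"""

BUILTIN_VERBS = {"open", "explore"}   # Explorer verbs an autorun.inf can take over

def inspect_autorun_inf(text):
    """Return a dict describing what the file would do: 'launch' is the program
    AutoRun would start (shellexecute wins over open), 'verbs' maps each
    context-menu verb to its command, 'labels' to its menu text, 'default_verb'
    is the double-click action, and 'warnings' lists shadowed built-in verbs."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    name = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    result = {"launch": None, "verbs": {}, "labels": {}, "default_verb": None, "warnings": []}
    if name is None:
        result["warnings"].append("no [autorun] section; nothing would run")
        return result
    sec = cp[name]
    result["launch"] = sec.get("shellexecute") or sec.get("open")
    result["default_verb"] = sec.get("shell")
    for key, value in sec.items():
        parts = key.split("\\")          # configparser lower-cases option names
        if parts[0] != "shell" or len(parts) == 1:
            continue
        if len(parts) == 3 and parts[2] == "command":
            result["verbs"][parts[1]] = value
        elif len(parts) == 2:
            result["labels"][parts[1]] = value
    for verb in result["verbs"]:
        if verb in BUILTIN_VERBS:
            result["warnings"].append(
                "shell\\%s\\command replaces Explorer's built-in '%s' action" % (verb, verb))
    return result

if __name__ == "__main__":
    for sample in (INSTALL_DISC, REDEFINES_VERBS):
        r = inspect_autorun_inf(sample)
        print("would launch:", r["launch"], "| verbs:", r["verbs"], "| warnings:", r["warnings"])
```

For the install disc the inspector reports setup.exe as the program to run by hand and no warnings; for the second sample it reports that both the Open and Explore verbs have been replaced, which is exactly why right-clicking the drive is not a safe workaround on an unpatched system.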

MountPoints2

The MountPoints2 Registry key contains cached data for all removable devices that have been used on the system. It is possible that it may override the NoDriveTypeAutoRun entry when a device the PC already knows about is inserted.

It is unclear whether the AutoRun Bug patch fixes issues with this key. There is no Microsoft documentation available on this Registry entry.

As a purely precautionary measure the key is deleted by the registry patch.


Written by: ShadowPuterDude

COPYRIGHT NOTICE
You may not reproduce this article in whole or part without the express permission of the author and MalwareTeks.
REVISED: November 15th, 2009


Copyright 2006-2010 MalwareTeks