"How to disable the Autorun functionality in Windows" (Windows XP)


Post by ssj100 on 3/7/2010, 18:51

Inspired by this thread:
http://ssj100.fullsubject.com/other-f6/no-autorun-t157.htm:

http://support.microsoft.com/kb/967715:

How to selectively disable specific Autorun features
To selectively disable specific Autorun features, you must change the NoDriveTypeAutoRun entry in...the following registry key subkey...:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\

The following table shows the settings for the NoDriveTypeAutoRun registry entry.



The value of the NoDriveTypeAutoRun registry entry determines which drive or drives the Autorun functionality will be disabled for. For example, if you want to disable Autorun for network drives only, you must set the value of NoDriveTypeAutoRun registry entry to 0x10.

If you want to disable Autorun for multiple drives, you must add the corresponding hexadecimal values to the 0x10 value. For example, if you want to disable Autorun for removable drives and for network drives, you must add 0x4 and 0x10, which is the mathematical addition of 2 hexadecimal values, to determine the value to use. 0x4 + 0x10 = 0x14. Therefore, in this example, you would set the value of the NoDriveTypeAutoRun entry to 0x14.

As you can see, to disable Autorun completely (for all drives), you'll need to enter the value "FF". However, doing this for the "NoDriveTypeAutoRun" entry in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" will only apply to your current Administrator account that you are logged into (since you can't modify these registry keys as a limited user and "HKEY_CURRENT_USER" settings only apply to the currently logged in account).

In order to disable Autorun for your limited user accounts and/or other accounts, you'll need to match your user profile(s) to folders in "HKEY_USERS". In order to do this, follow the instructions here:
http://resources.arcgis.com/content/kbase?fa=articleShow&d=36526
Then, you can navigate to the relevant "HKEY_USERS" registry folder and modify the "NoDriveTypeAutoRun" entry as described above.

For example, in my case, I have one administrator account and one limited user account. So to disable autorun in my admin account, I simply log into the admin account and navigate to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" and change the "NoDriveTypeAutoRun" entry accordingly.

Then, to disable autorun in my limited user account, I simply work out which is the limited user account user profile (as described above) under "HKEY_USERS" and then navigate accordingly to e.g. "HKEY_USERS\S-1-5-21-2060139532-2050374463-2073913816-1157\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" and change the "NoDriveTypeAutoRun" entry accordingly.

I suspect if we all did this, we would never have to worry about drive-by attacks from any devices being plugged into the computer.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
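
Added example, not part of the posts above: a PowerShell audit that maps each user hive under HKEY_USERS to its account name and decodes that hive's NoDriveTypeAutoRun value, which replaces the manual SID matching described in the post. It assumes PowerShell is installed and run from an administrator account, that the accounts of interest are logged on (only loaded hives appear under HKEY_USERS), and it takes the drive-type bits other than 0x4, 0x10 and 0xFF from KB967715 rather than from this thread.

```powershell
# Added example (not from the thread): list NoDriveTypeAutoRun per loaded user hive.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\policies\Explorer'

# Drive-type bits of NoDriveTypeAutoRun as documented in KB967715.
$driveBits = @(
    @{ Name = 'unknown (0x1)';  Mask = 0x01 },
    @{ Name = 'removable';      Mask = 0x04 },
    @{ Name = 'fixed';          Mask = 0x08 },
    @{ Name = 'network';        Mask = 0x10 },
    @{ Name = 'CD-ROM';         Mask = 0x20 },
    @{ Name = 'RAM disk';       Mask = 0x40 },
    @{ Name = 'unknown (0x80)'; Mask = 0x80 }
)

function Get-AutorunDisabledTypes([int]$Value) {
    # Names of the drive types whose bit is set in the mask.
    $driveBits | Where-Object { ($Value -band $_.Mask) -ne 0 } | ForEach-Object { $_.Name }
}

# Only real user SIDs; skips .DEFAULT, service accounts and the *_Classes hives.
Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        $key = Get-Item -LiteralPath "Registry::HKEY_USERS\$sid\$subKey" -ErrorAction SilentlyContinue
        $raw = if ($key) { $key.GetValue('NoDriveTypeAutoRun') } else { $null }

        if ($null -eq $raw) {
            $hex = '<not set>'; $types = ''; $all = $false
        } else {
            # The entry may be REG_DWORD or REG_BINARY; only the low byte carries the bits.
            $value = if ($raw -is [byte[]]) { [int]$raw[0] } else { [int]$raw -band 0xFF }
            $hex   = '0x{0:X2}' -f $value
            $types = (Get-AutorunDisabledTypes $value) -join ', '
            $all   = ($value -eq 0xFF)
        }

        New-Object PSObject -Property @{
            Account = $account; Sid = $sid; NoDriveTypeAutoRun = $hex
            DisabledFor = $types; AllDrives = $all
        }
    } | Select-Object Account, Sid, NoDriveTypeAutoRun, DisabledFor, AllDrives
```

An account that shows '<not set>', or that is missing from the output because its hive is not loaded, has not been covered by the per-user change.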

Re: "How to disable the Autorun functionality in Windows" (Windows XP)

Post by tnegjm on 3/7/2010, 23:40

Shutting down AutoPlay is not a fix? Needs to globally block autorun.inf files from executing. link

Also, the difference between "Autoplay" vs. "Autorun" link. For those that don't know.


Re: "How to disable the Autorun functionality in Windows" (Windows XP)

Post by ssj100 on 4/7/2010, 04:20

Thanks tnegjm. Sounds like a simpler (and more effective) method of disabling autorun:

http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-AutoRun-attacks

You might think that you could protect yourself from AutoRun by using two keys in the Registry known as NoDriveAutoRun and NoDriveTypeAutoRun.

However, self-described "low-budget hacker" Nick Brown points out that these keys can be overridden. A Registry key named MountPoints2 stores information about all USB flash drives and other removable media that have ever been connected to your computer. Brown says this cache overrides the Registry settings that turn off AutoRun.

The solution is to globally block autorun.inf files from executing, without trying to use the dialog boxes in XP and Vista to do this. Here's the procedure:

Step 1. Start Notepad or another text editor.

Step 2. Copy the following text from this page and paste it into your text editor (everything between the square brackets should be all on one line):

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Step 3. Save the file with a name like NoAutoRun.reg, taking care to include the .reg extension.

Step 4. Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry.

UPDATE 2009-01-21: As an extra precaution, it's a good idea to reboot your PC after Step 4, on the off chance that some old information was residing in cache memory.

Some say you can simply delete all instances of the registry key "MountPoints2" and then follow the instructions in the original post. However, I wouldn't recommend that unless you have fully backed up your system!

By the way, to re-enable autorun (after applying the above registry key to disable it), check here:
http://www.wilderssecurity.com/showpost.php?p=1259439&postcount=4

Code:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

Just a note that I personally don't disable autorun (naughty me!) - instead, I force sandbox my USB/CD/DVD drives with Sandboxie and I have a system-wide default-deny anti-execution mechanism of protection (SRP). This works out well for me, since Sandboxie automatically produces a sandboxed explorer.exe browsing straight to the relevant drive when I insert it - nice and convenient!

EDIT: it appears Autorun is disabled by default in Windows 7 (except for Microsoft certified programs), so there probably isn't any extra configuration required for this OS.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
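
Added example, not part of the posts above: a PowerShell check that the Autorun.inf mapping from Step 2 is actually in place after the merge and reboot, followed by a listing of the MountPoints2 entries that still carry a cached autorun command. The MountPoints2 location under each user's Explorer key and the Shell\AutoRun\command subkey layout are background assumptions, not details given in the thread; run it from an administrator account with the users of interest logged on.

```powershell
# Added example (not from the thread): verify the Autorun.inf block and
# report cached MountPoints2 autorun commands for each loaded user hive.
$iniMap   = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$expected = '@SYS:DoesNotExist'

$mapKey  = Get-Item -LiteralPath $iniMap -ErrorAction SilentlyContinue
# GetValue('') reads the key's (Default) value, which is what the .reg file sets.
$current = if ($mapKey) { $mapKey.GetValue('') } else { $null }

if ($current -eq $expected) {
    Write-Output "Autorun.inf mapping present: $current"
} else {
    Write-Output "Autorun.inf mapping missing or different: '$current'"
}

# Assumed layout: <user hive>\...\Explorer\MountPoints2\<volume>\Shell\AutoRun\command
$mp2 = 'Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        Get-ChildItem -LiteralPath "Registry::HKEY_USERS\$sid\$mp2" -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Volume subkeys can be drive letters, {GUID}s or ##server#share names.
                $cmdPath = "$($_.PSPath)\Shell\AutoRun\command"
                $cmdKey  = Get-Item -LiteralPath $cmdPath -ErrorAction SilentlyContinue
                if ($cmdKey) {
                    New-Object PSObject -Property @{
                        Sid     = $sid
                        Volume  = $_.PSChildName
                        Command = $cmdKey.GetValue('')
                    }
                }
            }
    } | Select-Object Sid, Volume, Command
```

The script only reads the registry; any rows in the second listing are the cached entries the quoted article says can override the NoDriveTypeAutoRun setting.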

Re: "How to disable the Autorun functionality in Windows" (Windows XP)

Post by tnegjm on 4/7/2010, 06:51

You're welcome.

I force all external drives F: through Z: into a restricted sandbox. I manually edit SBIE's configuration .ini file by adding the following to one of my sandboxes:
ForceFolder=F:\
ForceFolder=H:\
ForceFolder=I:\
ForceFolder=J:\
ForceFolder=K:\
ForceFolder=L:\
ForceFolder=M:\
ForceFolder=N:\
ForceFolder=O:\
ForceFolder=P:\
ForceFolder=Q:\
ForceFolder=R:\
ForceFolder=S:\
ForceFolder=T:\
ForceFolder=U:\
ForceFolder=V:\
ForceFolder=W:\
ForceFolder=X:\
ForceFolder=Y:\
ForceFolder=Z:\

I also add to the same sandbox:
ForceProcess=autorun.ini
ForceProcess=autorun.exe

But I like your way of doing it so I may delete the last two entries.


Re: "How to disable the Autorun functionality in Windows" (Windows XP)

Post by ssj100 on 4/7/2010, 07:18

tnegjm wrote: I also add to the same sandbox:
ForceProcess=autorun.ini
ForceProcess=autorun.exe

But I like your way of doing it so I may delete the last two entries.

That's interesting how you're using those ForceProcess settings. Does all autorun malware always use autorun.ini and/or autorun.exe, or could it use other files to execute its malicious process? I seriously don't know a jot about autorun malware.


Re: "How to disable the Autorun functionality in Windows" (Windows XP)

Post by tnegjm on 4/7/2010, 07:56

AFAIK they do. Or they would have to motivate the user to click something to do the work. Either way when the malware tries to execute/run you'd be covered.


Re: "How to disable the Autorun functionality in Windows" (Windows XP)

Post by ssj100 on 4/7/2010, 08:20

tnegjm wrote: AFAIK they do. Or they would have to motivate the user to click something to do the work. Either way when the malware tries to execute/run you'd be covered.

I don't think it uses autorun.exe - I can't seem to find such a file on my system (and if it exists anywhere else, it would be blocked by my SRP, so that can't be it). I think the autorun.inf file directs the execution rather than executes itself. What would be best is to find some real-world USB autorun viruses and experiment with them on a test machine.


Re: "How to disable the Autorun functionality in Windows" (Windows XP)

Post by ssj100 on 24/1/2011, 13:24

Just wanted to make a note that even with Autorun disabled (not Autoplay), Sandboxie still automatically opens a sandboxed explorer.exe of the CD/DVD/USB etc. drive.

Therefore, from a security perspective, it's probably best to disable Autorun, while keeping Autoplay enabled for the convenience of automatically exploring the drive sandboxed.

