Stop the Windows AutoRun feature in its tracks

AutoRun has drawn attention from security experts because it can be misapplied by viruses and other malware, historically when they were run from CD and DVD-ROMs. Any removable media type can carry an autorun.inf file, however. What makes AutoRun risky is that it allows Windows to execute program instructions when a properly configured disk is accessed, sometimes without any intervention from the user at all. Windows is configured this way by design, to make things “easier” on the end user when he wants to install commercial software or listen to an audio CD. In this case, I believe Microsoft is sacrificing security for a trivial amount of convenience.

AutoRun can be disabled on an individual Windows machine with a (relatively) simple edit to the Registry. If you’re not experienced with Registry edits, be sure to make a backup first, so you can recover from any unexpected problems.

To disable AutoRun for all drive types, including CD and USB drives, search the Registry for values named NoDriveTypeAutoRun, and change the hex data for these values to FF. You can restrict your changes to the user account that’s currently active by changing only the value in the HKEY_CURRENT_USER registry hive. If you want to disable AutoRun for all user accounts, then use the “Find Next” tool under the Registry Editor’s “Edit” menu to cycle through all instances of the NoDriveTypeAutoRun value in the Registry, and change the data of each one to FF.

Some notes about this procedure

  • If editing the system Registry seems like more than you want to take on, you and your users can disable AutoRun on a case-by-case basis by simply holding the <Shift> key on the keyboard while inserting a disk or USB drive.
  • Disabling AutoRun via the Registry will not stop a removable device’s AutoRun instructions from executing when the user double-clicks on the device in Windows Explorer. It will keep AutoRun from activating automatically when the device is inserted, however.
  • The FF value for NoDriveTypeAutoRun will disable AutoRun for all devices. If you find this is overkill for your environment, you can reset the hex value to 91 (the Windows XP default) or 95 (which Microsoft recommends as the value for these keys).

An Appendix for the advanced user

  • Since I know someone will point this out, it is possible to disable AutoRun using Group Policy, but that takes us beyond the scope of this article.
  • It also seems logical that one could disable AutoRun across the whole machine during system setup by adding a NoDriveTypeAutoRun value of FF in the HKEY_LOCAL_MACHINE hive (specifically in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer key) or in the HKEY_USERS\.DEFAULT\... node.
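
As an added example (not part of the original article), the following PowerShell decodes the 91, 95 and FF values from the notes above and audits NoDriveTypeAutoRun in the per-user and per-machine Policies\Explorer keys. The HKCU path and the `$Remediate` switch are assumptions of this example; the bit meanings are the documented Windows drive-type flags for this value.

```powershell
# Added example. A set bit in NoDriveTypeAutoRun disables AutoRun for that drive type.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown drive types' }
    @{ Bit = 0x02; Name = 'Drives with no root directory' }
    @{ Bit = 0x04; Name = 'Removable drives (USB, floppy)' }
    @{ Bit = 0x08; Name = 'Fixed drives' }
    @{ Bit = 0x10; Name = 'Network drives' }
    @{ Bit = 0x20; Name = 'CD/DVD drives' }
    @{ Bit = 0x40; Name = 'RAM disks' }
    @{ Bit = 0x80; Name = 'Reserved for future drive types' }
)

function Get-AutoRunEnabledTypes {
    # Returns the names of drive types for which AutoRun is still enabled under $Mask.
    param([int]$Mask)
    $DriveTypeBits | Where-Object { -not ($Mask -band $_.Bit) } | ForEach-Object { $_.Name }
}

function ConvertTo-AutoRunMask {
    # The value may be stored as REG_DWORD (integer) or REG_BINARY (byte[]); only the low byte matters.
    param($Raw)
    if ($Raw -is [byte[]]) { return [int]$Raw[0] }
    return [int]([long]$Raw -band 0xFF)
}

# Decode the three values the article discusses.
foreach ($v in 0x91, 0x95, 0xFF) {
    '0x{0:X2} leaves AutoRun enabled for: {1}' -f $v, ((Get-AutoRunEnabledTypes -Mask $v) -join '; ')
}
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # assumed per-user location
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # key named in the article
)
$Remediate = $false   # hypothetical switch: set to $true to write FF (HKLM needs an elevated session)
foreach ($key in $PolicyKeys) {
    $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Output "${key}: NoDriveTypeAutoRun is not set"
    } else {
        $mask = ConvertTo-AutoRunMask $prop.NoDriveTypeAutoRun
        $open = @(Get-AutoRunEnabledTypes -Mask $mask)
        $list = if ($open) { $open -join '; ' } else { 'no drive types' }
        Write-Output ('{0}: 0x{1:X2}, AutoRun still enabled for: {2}' -f $key, $mask, $list)
    }
    if ($Remediate) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}
```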