"How to disable the Autorun functionality in Windows" (Windows XP)
Inspired from this thread:
https://ssj100.forumotion.com/other-f6/no-autorun-t157.htm:
http://support.microsoft.com/kb/967715:
How to selectively disable specific Autorun features
To selectively disable specific Autorun features, you must change the NoDriveTypeAutoRun entry in...the following registry key subkey...:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\
The following table shows the settings for the NoDriveTypeAutoRun registry entry.
The value of the NoDriveTypeAutoRun registry entry determines which drive or drives the Autorun functionality will be disabled for. For example, if you want to disable Autorun for network drives only, you must set the value of NoDriveTypeAutoRun registry entry to 0x10.
If you want to disable Autorun for multiple drives, you must add the corresponding hexadecimal values to the 0x10 value. For example, if you want to disable Autorun for removable drives and for network drives, you must add 0x4 and 0x10, which is the mathematical addition of 2 hexadecimal values, to determine the value to use. 0x4 + 0x10 = 0x14. Therefore, in this example, you would set the value of the NoDriveTypeAutoRun entry to 0x14.
As you can see, to disable Autorun completely (for all drives), you'll need to enter the value "FF". However, doing this for the "NoDriveTypeAutoRun" entry in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" will only apply to your current Administrator account that you are logged into (since you can't modify these registry keys as a limited user and "HKEY_CURRENT_USER" settings only apply to the currently logged in account).
In order to disable Autorun for your limited user accounts and/or other accounts, you'll need to match your user profile(s) to folders in "HKEY_USERS". In order to do this, follow the instructions here:
http://resources.arcgis.com/content/kbase?fa=articleShow&d=36526
Then, you can navigate to the relevant "HKEY_USERS" registry folder and modify the "NoDriveTypeAutoRun" entry as described above.
For example, in my case, I have one administrator account and one limited user account. So to disable autorun in my admin account, I simply log into the admin account and navigate to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" and change the "NoDriveTypeAutoRun" entry accordingly.
Then, to disable autorun in my limited user account, I simply work out which is the limited user account user profile (as described above) under "HKEY_USERS" and then navigate accordingly to eg. "HKEY_USERS\S-1-5-21-2060139532-2050374463-2073913816-1157\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" and change the "NoDriveTypeAutoRun" entry accordingly.
I suspect if we all did this, we would never have to worry about drive-by attacks from any devices being plugged into the computer.
tnegjm- Member
- Posts : 37
Join date : 2010-04-20
Re: "How to disable the Autorun functionality in Windows" (Windows XP)
Thanks tnegjm. Sounds like a simpler (and more effective) method of disabling autorun:
http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-AutoRun-attacks
You might think that you could protect yourself from AutoRun by using two keys in the Registry known as NoDriveAutoRun and NoDriveTypeAutoRun.
However, self-described "low-budget hacker" Nick Brown points out that these keys can be overridden. A Registry key named MountPoints2 stores information about all USB flash drives and other removable media that have ever been connected to your computer. Brown says this cache overrides the Registry settings that turn off AutoRun.
The solution is to globally block autorun.inf files from executing, without trying to use the dialog boxes in XP and Vista to do this. Here's the procedure:
Step 1. Start Notepad or another text editor.
Step 2. Copy the following text from this page and paste it into your text editor (everything between the square brackets should be all on one line):
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Step 3. Save the file with a name like NoAutoRun.reg, taking care to include the .reg extension.
Step 4. Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry.
UPDATE 2009-01-21: As an extra precaution, it's a good idea to reboot your PC after Step 4, on the off chance that some old information was residing in cache memory.
Some say you can simply delete all instances of the registry key "MountPoints2" and then follow the instructions in the original post. However, I wouldn't recommend that unless you have fully backed up your system!
By the way, to re-enable autorun (after applying the above registry key to disable it), check here:
http://www.wilderssecurity.com/showpost.php?p=1259439&postcount=4
- Code:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
Just a note that I personally don't disable autorun (naughty me!) - instead, I force sandbox my USB/CD/DVD drives with Sandboxie and I have a system-wide default-deny anti-execution mechanism of protection (SRP). This works out well for me, since Sandboxie automatically produces a sandboxed explorer.exe browsing straight to the relevant drive when I insert it - nice and convenient!
EDIT: it appears Autorun is disabled by default in Windows 7 (except for Microsoft certified programs), so there probably isn't any extra configuration required for this OS.
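As an added example (not part of the thread or of the quoted Microsoft and Windows Secrets articles), here is a read-only PowerShell audit of both settings from the two posts above: the per-account "NoDriveTypeAutoRun" value under "HKEY_USERS", matched to its profile folder, and the "IniFileMapping\Autorun.inf" entry. The drive-type bit names follow KB967715; the helper name `Get-AutorunDisabledTypes` and the variable names are illustrative.

```powershell
# Added example: read-only audit, run from an administrator PowerShell prompt.
# Drive-type bits for NoDriveTypeAutoRun as listed in Microsoft KB967715.
$DriveTypeBits = @{
    0x01 = 'unknown type (0x1)'
    0x04 = 'removable'
    0x08 = 'fixed'
    0x10 = 'network'
    0x20 = 'CD-ROM'
    0x40 = 'RAM disk'
    0x80 = 'unknown type (0x80)'
}

# Illustrative helper: list the drive types a given mask disables Autorun for.
function Get-AutorunDisabledTypes([int]$Mask) {
    $DriveTypeBits.Keys | Sort-Object |
        Where-Object { $Mask -band $_ } |
        ForEach-Object { $DriveTypeBits[$_] }
}

$profileList = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$policySub   = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# HKEY_USERS only holds the hives of accounts that are currently loaded (logged on);
# an account that is not logged on will not appear in this listing.
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid   = $_.PSChildName
        # ProfileImagePath maps the SID back to the account's profile folder.
        $path  = (Get-ItemProperty "$profileList\$sid" -ErrorAction SilentlyContinue).ProfileImagePath
        $value = (Get-ItemProperty "Registry::HKEY_USERS\$sid\$policySub" -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -is [byte[]]) { $value = $value[0] }   # value stored as REG_BINARY
        $mask = '(not set)'; $types = ''
        if ($null -ne $value) {
            $mask  = '0x{0:X2}' -f $value
            $types = (Get-AutorunDisabledTypes $value) -join ', '
        }
        New-Object PSObject -Property @{ SID = $sid; Profile = $path; Mask = $mask; Disabled = $types }
    } | Select-Object SID, Profile, Mask, Disabled | Format-List

# The Windows Secrets workaround: the key's default value must be @SYS:DoesNotExist.
$iniMap  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$default = (Get-ItemProperty $iniMap -ErrorAction SilentlyContinue).'(default)'
'Autorun.inf IniFileMapping block present: {0}' -f ($default -eq '@SYS:DoesNotExist')
```

A Mask of 0xFF for a listed SID corresponds to the "FF" setting described in the first post; "(not set)" means that account has no "NoDriveTypeAutoRun" entry under its policies key.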
Re: "How to disable the Autorun functionality in Windows" (Windows XP)
You're welcome.
I force all external drives F: through Z: into a restricted sandbox. I manually edit SBIE's configuration .ini file by adding the following to one of my sandboxes:
ForceFolder=F:\
ForceFolder=H:\
ForceFolder=I:\
ForceFolder=J:\
ForceFolder=K:\
ForceFolder=L:\
ForceFolder=M:\
ForceFolder=N:\
ForceFolder=O:\
ForceFolder=P:\
ForceFolder=Q:\
ForceFolder=R:\
ForceFolder=S:\
ForceFolder=T:\
ForceFolder=U:\
ForceFolder=V:\
ForceFolder=W:\
ForceFolder=X:\
ForceFolder=Y:\
ForceFolder=Z:\
I also add to the same sandbox:
ForceProcess=autorun.ini
ForceProcess=autorun.exe
But I like your way of doing it so I may delete the last two entries.
tnegjm- Member
- Posts : 37
Join date : 2010-04-20
Re: "How to disable the Autorun functionality in Windows" (Windows XP)
tnegjm wrote: I also add to the same sandbox:
ForceProcess=autorun.ini
ForceProcess=autorun.exe
But I like your way of doing it so I may delete the last two entries.
That's interesting how you're using those ForceProcess settings. Do all autorun malware always use autorun.ini and/or autorun.exe or could they use other files to execute their malicious process? I seriously don't know jot about autorun malware.
Re: "How to disable the Autorun functionality in Windows" (Windows XP)
AFAIK they do. Or they would have to motivate the user to click something to do the work. Either way when the malware tries to execute/run you'd be covered.
tnegjm- Member
- Posts : 37
Join date : 2010-04-20
Re: "How to disable the Autorun functionality in Windows" (Windows XP)
tnegjm wrote: AFAIK they do. Or they would have to motivate the user to click something to do the work. Either way when the malware tries to execute/run you'd be covered.
I don't think it uses autorun.exe - I can't seem to find such a file on my system (and if it exists anywhere else, it would be blocked by my SRP, so that can't be it). I think the autorun.inf file directs the execution rather than executes itself. What would be best is to find some real-world USB autorun viruses and experiment with it on a test machine.
Re: "How to disable the Autorun functionality in Windows" (Windows XP)
Just wanted to make a note that even with Autorun disabled (not Autoplay) Sandboxie still automatically opens a sandboxed explorer.exe of the CD/DVD/USB etc drive.
Therefore, from a security perspective, it's probably best to disable Autorun, while keeping Autoplay enabled for the convenience of automatically exploring the drive sandboxed.