Autorun/Autoplay


HURST
July 18th, 2008, 12:44 PM
Hi
today I performed a scan with AVZ, and it said that I have Autorun enabled for removable drives. But I have disabled it with TweakUI.
Now I see that TweakUI disables "Autoplay".
What is the difference? Is this a security risk?

[screenshot attachment not reproduced]

ThunderZ
July 18th, 2008, 01:02 PM
Autoplay can be a security risk if an infected CD, flash drive, etc. is inserted. I too have it disabled, but did it using the Group Policy Editor. My only guess concerning your situation is that AVZ does not read the change as it is made by TweakUI. What the differences may be in how the change is made by GPE vs. TweakUI... I have no idea.

yeow
July 18th, 2008, 01:16 PM
I too have disabled "AutoPlay" via TweakUI, exactly like HURST did. My game CD (for example) doesn't autorun when I insert it, but if I double-click on the drive (instead of right-click > Open), then I see it autorun the game setup screen ???

Is that supposed to happen if "Autorun/AutoPlay" is indeed disabled?

MrBrian
July 18th, 2008, 09:47 PM
http://www.cloanto.com/kb/3-162.html

HURST
July 19th, 2008, 12:24 AM
-{ Quote: "http://www.cloanto.com/kb/3-162.html" }-


Thanks a lot. That enlightened me.
Can autorun be disabled?

MrBrian
July 19th, 2008, 01:13 AM
-{ Quote: "Thanks a lot. That enlightened me.
Can autorun be disabled?" }-

You're welcome :).

http://www.annoyances.org/exec/show/article03-018

Rmus
July 19th, 2008, 01:27 AM
-{ Quote: "http://www.annoyances.org/exec/show/article03-018" }-My testing has shown that only Windows XP - Solution 2 prevents Windows from "reading" the AutoRun.inf file and writing to the Registry to modify the context menu of the drive.

The others, while preventing the AutoRun.inf file from automatically executing its commands, leave open the possibility that they can be executed by d-clicking on the drive icon in My Computer.

See my write-up here:

http://www.urs2.net/rsj/computing/tests/digiframe/InfFile.html

I'm open to changing my conclusion if someone tests and proves otherwise.

--

Someone
July 19th, 2008, 01:46 AM
Hi

If you set it to "Prompt me each time to choose an action", in D drive and other drives Properties, AutoPlay, is that enough?

Thanks

Rmus
July 19th, 2008, 10:46 AM
I'm not sure where you are getting these prompts, so I don't know.

AutoPlay/AutoRun terminology can be confusing and misleading, depending on the particular Operating System, so I avoid getting into discussions about which is which.

For example, the TweakUI for WinXP setting for AutoPlay on drives controls the NoDriveAutoRun value in the Registry. (TweakUI prior to WinXP did not have this setting.)

From a practical point of view, people I'm in contact with, like the AutoPlay/AutoRun features. The concern has always been when you view someone else's USB drive on your computer. Even if from someone you trust, that person may not know the drive is infected, if that drive had been viewed on a computer infected with a USB virus.

Technically savvy people can toggle settings via TweakUI or Registry files.

For others, an easy solution I've recommended in the past is to hold down the Shift key which prevents the AutoRun.inf file commands from executing.

Then, open to the drive in Windows Explorer (two pane view of My Computer) where the contents of the drive are displayed in the right pane. No commands in the AutoRun.inf file will run because you have not double-clicked the icon.

An easy way to open to the drive in Windows Explorer is to make a shortcut for that drive letter.
Then, put this command in the Target line in the Shortcut Tab in Properties Box.
The /e switch causes the drive to "expand" into Explorer view:

[two screenshot attachments not reproduced]

I make similar shortcuts on every computer I help set up. I don't have to get into a technical discussion with people (AutoRun vs AutoPlay), other than to point out that for safety when viewing another's USB drive, you can prevent anything from automatically running/playing by using the above steps.

--
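A worked version of the shortcut Rmus describes, added here as an example; it is not part of his post or the screenshots that went with it. It creates a desktop shortcut whose Target is explorer.exe with the /e switch, so the drive opens in the two-pane Explorer view, and before that it reads the autorun.inf on the drive and prints the commands the shell would have run, so you can see what a double-click in My Computer would have launched. Assumptions: PowerShell (only features available in PowerShell 2.0 are used, since the thread is about XP), drive letter E: as the default (change it), and the `/e,<path>` argument form for explorer.exe, which is the switch Rmus refers to.

```powershell
# Added example, not from the thread. Creates the "open this drive in Explorer view" shortcut
# Rmus describes and shows what the drive's autorun.inf would run. Assumed drive letter: E:
param(
    [string]$DriveLetter = "E"   # assumption: change to the letter of the USB/CD drive you browse
)
$driveRoot = "${DriveLetter}:\"

# Parse the [autorun] section of autorun.inf (the section the shell acts on) and return the
# keys that launch or name a program: open=, shellexecute=, shell\<verb>\command=, shell=.
function Get-AutorunInfCommands {
    param([string]$Root)
    $inf = Join-Path $Root "autorun.inf"
    $found = @()
    if (-not (Test-Path -LiteralPath $inf)) { return $found }
    $section = ""
    foreach ($raw in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $line = $raw.Trim()
        if ($line -eq "" -or $line.StartsWith(";")) { continue }          # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $matches[1].ToLower(); continue }
        if ($section -ne "autorun") { continue }
        if ($line -match '^(open|shellexecute|shell\\[^=]+\\command|shell)\s*=\s*(.*)$') {
            $found += New-Object PSObject -Property @{ Key = $matches[1]; Value = $matches[2] }
        }
    }
    return $found
}

# Create a .lnk whose Target is explorer.exe /e,<drive> so the drive opens in the two-pane
# (folder tree) view instead of through the drive icon in My Computer.
function New-ExplorerDriveShortcut {
    param([string]$Root, [string]$Name)
    $desktop = [Environment]::GetFolderPath("Desktop")
    $lnkPath = Join-Path $desktop "${Name}.lnk"
    $wsh = New-Object -ComObject WScript.Shell
    $lnk = $wsh.CreateShortcut($lnkPath)
    $lnk.TargetPath = Join-Path $env:WINDIR "explorer.exe"
    $lnk.Arguments = "/e,$Root"              # /e = expand into Explorer view, then the path to show
    $lnk.WorkingDirectory = $Root
    $lnk.Description = "Open $Root in Explorer view without running AutoRun.inf"
    $lnk.Save()
    return $lnkPath
}

$commands = @(Get-AutorunInfCommands -Root $driveRoot)
if ($commands.Count -eq 0) {
    "No autorun.inf commands found on $driveRoot"
} else {
    "autorun.inf on $driveRoot would invoke:"
    $commands | Format-Table Key, Value -AutoSize
}
$created = New-ExplorerDriveShortcut -Root $driveRoot -Name "Browse $DriveLetter (no AutoRun)"
"Shortcut created: $created"
```

Run it once per drive letter you want a shortcut for. Reading the file yourself with Get-Content does not trigger anything; only the shell acting on the file does, which is the whole point of opening the drive this way.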

yeow
July 20th, 2008, 07:10 AM
-{ Quote: "My testing has shown that only Windows XP - Solution 2 prevents Windows from "reading" the AutoRun.inf file and writing to the Registry to modify the context menu of the drive.

The others, while preventing the AutoRun.inf file from automatically executing its commands, leave open the possibility that they can be executed by d-clicking on the drive icon in My Computer." }-Hi Rmus, can you help clarify my post #3. Double-clicking on the drive still runs autorun.inf in my case. So that is not supposed to happen?

THANKS

Mrkvonic
July 20th, 2008, 07:18 AM
Hello,
How about adding Autorun.inf to Disallowed under Restriction Policies via gpedit.msc? Tried and it works ...
Mrk

yeow
July 20th, 2008, 07:26 AM
Hi Mrkvonic,

Is that for XP Pro, which ThunderZ also hinted at post#2? Then I'm out of luck, using XP Home.

Mrkvonic
July 20th, 2008, 07:29 AM
There's a hack to enable Group Policies for XP Home if you wanna bother.
Mrk

yeow
July 20th, 2008, 07:34 AM
Heheh, ehh maybe I'll try it out in PowerShadow mode if you have a link. I'm not sure I can handle it if it's too complicated, so I'll try it virtual first.

THANKS

Rmus
July 20th, 2008, 01:40 PM
-{ Quote: "I too have disabled "AutoPlay" via TweakUI, exactly like HURST did. My game CD (for example) doesn't autorun when I insert it, but if I double-click on the drive (instead of right-click > Open), then I see it autorun the game setup screen ???

Is that supposed to happen if "Autorun/AutoPlay" is indeed disabled?" }-No.

1) Did you ever let that game CD run without disabling in TweakUI?

2) Try another CD - maybe an installation CD and see if the same thing happens.


--

Rmus
July 20th, 2008, 01:50 PM
-{ Quote: "Hello,
How about adding Autorun.inf to Disallowed under Restriction Policies via gpedit.msc? Tried and it works ...
Mrk" }-What Registry key does that Policy change?

If you aren't sure, see if that policy toggles the AutoRun value between 0 and 1 in this key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]


Did you try d-clicking on the drive icon in My Computer to see if in fact the autorun.inf commands won't execute?

--

Mrkvonic
July 20th, 2008, 02:37 PM
Hello,
Too tired now after basketball, tell you tomorrow.
At home, the values are already at 0... so it won't matter.
Mrk

Rmus
July 20th, 2008, 11:43 PM
Maybe, maybe not.

Test by d-clicking the drive icon in My Computer to see if the autorun command will open a setup.exe file on a CD or USB drive.

--

Mrkvonic
July 21st, 2008, 12:07 AM
Hi,
It does not, that's what I meant. It does not open.
So I'll check at work in a couple of hours.
Mrk

Rmus
July 21st, 2008, 12:33 AM
Can you specify what your configurations are to disable Autorun?

Are you using the Security Policy setting? Did you determine which Registry Key it changes?

--

Mrkvonic
July 21st, 2008, 01:19 AM
Hello,

I manually disabled them before installing some VMware product approx. 3 years ago. I do not remember, although I have it documented somewhere. I'll make a check.

At home, I do use policies for some things - but not this one.

At home, the reg value is 0.

At work, it is 1 (after the policy is set), but there's another key:

AutoRunAlwaysDisable

--> this one contains the hardware list of all devices that belong to this category, mainly the different brands of CD/DVD drives...

So, it's definitely ... interesting.

However, fully comparing between policies in effect and the registry change can be tricky unless a program that monitors registry changes is used, specifically for the tracking purpose.

I don't think I need to know every reg key and what it does... it's not effective.

At home, the manual change works well enough.

At work, the policy set by the gpedit works well enough; however, even if it's disabled, restricting autorun.inf works well enough.

So, there are several options here.

Mrk

Rmus
July 21st, 2008, 01:25 AM
I was just curious, because in another forum, the user disabled autorun in Group Policies. The autorun.inf file did not execute its commands when the disk was inserted, but did when the user d-clicked in My Computer.

The poster here had the same experience when using TweakUI, which is not supposed to happen.

There are a number of Registry entries which can control AutoRun, and much depends on the OS and other configurations.

--

Mrkvonic
July 21st, 2008, 01:30 AM
Hello,

Here's the mother of all autorun keys:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx

hklm/software/microsoft/windows/currentversion/policies/explorer

This one is set via the gpedit ... see the values and their effect...

Mrk

Rmus
July 21st, 2008, 02:42 AM
I didn't realize you were running Win2000. I also, and AutoPlay doesn't work the same as in XP.

Yes, the Registry Key holds a lot of power! It is the one that TweakUI controls.

--

Mrkvonic
July 21st, 2008, 03:45 AM
Hi,
I'm using XP ... :) :) maybe I'm gifted - or cursed. The MS article is for 2000, but it works the same for XP. Anyhow, this key is the one controlled by the relevant policy, as well, so it works either way you choose.
Cheers,
Mrk

yeow
July 22nd, 2008, 12:16 PM
-{ Quote: "No.

1) Did you ever let that game CD run without disabling in TweakUI?

2) Try another CD - maybe an installation CD and see if the same thing happens.


--" }-Sorry for my late reply.

Not sure about (1), so I tried another CD which never ran on my PC before. Setup still ran when I double-clicked on the drive in My Computer.

Weird. Anyway just a reminder, I'm on XP SP3 Home, TweakUI same settings as post #1.

Rmus
July 22nd, 2008, 12:36 PM
Did you notice this behavior before installing SP3?

--

yeow
July 22nd, 2008, 12:47 PM
It was the same when I had SP2. But it's only now that I know it's not supposed to happen :)

Rmus
July 22nd, 2008, 07:06 PM
OK - looking at your Image Gallery, your NoDriveAutoRun value is the same as I have.

Remove all removable media, then

Go to this Key in the Registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2


See if yours looks like this with no + sign preceding any sub Key (your sub keys will have different numbers):

[screenshot attachment not reproduced]

yeow
July 23rd, 2008, 01:23 AM
Hi Rmus,

With any removable media removed, this is what I see. Some have "+" in front of them. They mostly expand to "shell/Autoplay/DropTarget".

One expands to "_Autorun/DefaultIcon" and has a "Name" which is the game cd I tested.

Then there's another "CPC/Volume/..."

THANKS again.

Rmus
July 23rd, 2008, 02:08 AM
OK, this means that your Registry has stored a history of your removable media, meaning that the Autorun commands are invoked when you access the drive in My Computer, even though Windows cannot read the current autorun.inf file because of your TweakUI settings.

If you delete the sub keys with the + [except the CPC key] you erase the history, and Windows creates a new key when it detects a drive in use.

I've done this many times, but if you want to play safe, you can export the entire MountPoints2 Key to your desktop before deleting keys.

Now, I never experienced what you have because on my XP laptop when I reboot, the entries do not stick in the Registry.

But I know a couple of people who say the entries do stick, and have set up a .reg file to delete the MountPoints2 key on reboot.

The CPC key by the way is just a list of the drives used. It usually purges as the drive is no longer in use.

Now you know why for home users I recommend accessing the drive via Windows Explorer rather than My Computer if you have concerns about an untrusted/unknown USB drive, or maybe even a CD.

EDIT: I found this explanation in my notes:

-{ Quote: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

holds cached information about every removable device, like a memory stick, that Windows has seen before, and that key overrides the NoDriveTypeAutoRun setting.

So if you insert a removable volume that Windows already knows about, the cached value gets used instead of the NoDriveTypeAutoRun setting.

The class IDs or drive letters under the MountPoints2 key will have an autorun or autoplay subkey.

MountPoints2 is a dynamic system registry key that does not permit users to write to it, even admins, as it is only accessed by the system account to update the cached information. While you cannot edit the subkeys and their values, you can delete this registry key to get it regenerated as you use Windows thereafter. As with anything for the registry, save a backup .reg file of the folder or key that you intend to modify or delete. " }-

In my article referenced in an earlier post, I show how the Shell commands are written to the MountPoints2 Key:

Analysis of an AutoRun.inf File
http://www.urs2.net/rsj/computing/tests/digiframe/InfFile.html

Post back what you find out!


----
rich
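An added example, not from Rmus's post or the note he quotes: a PowerShell script that lists what Windows has cached under the MountPoints2 key for each volume it has seen (the "_Autorun" and "Shell\AutoRun\command" subkeys the posts above talk about), and with -Clean exports the key with reg.exe to the desktop and then deletes the cached per-volume entries, leaving the CPC subkey alone, which is the procedure Rmus describes. Assumptions: it reads the current user's HKCU hive, uses only PowerShell 2.0 features because the thread is about XP, and treats "_LabelFromReg" as the value in which Windows stores the volume label taken from autorun.inf (that value name is my assumption, not something the thread states; if it is absent the entry is still reported from the other two subkeys).

```powershell
# Added example, not from the thread: inspect the MountPoints2 cache and, with -Clean, back it up
# with reg.exe and delete the cached per-volume entries (the CPC subkey is kept).
# Assumptions: current user's HKCU hive; subkey names "_Autorun" and "Shell\AutoRun\command" as
# quoted in the posts above; "_LabelFromReg" assumed to hold the label read from autorun.inf.
param([switch]$Clean)

$mp2 = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

function Get-CachedAutorunEntries {
    $results = @()
    foreach ($sub in @(Get-ChildItem -Path $mp2 -ErrorAction SilentlyContinue)) {
        if ($sub.PSChildName -eq "CPC") { continue }      # list of drives in use, not AutoRun history
        $base = Join-Path $mp2 $sub.PSChildName
        $hasAutorunIcon = Test-Path -LiteralPath (Join-Path $base "_Autorun")
        $cmdKey = Join-Path $base "Shell\AutoRun\command"
        $command = $null
        if (Test-Path -LiteralPath $cmdKey) {
            # The (default) value of Shell\AutoRun\command is what a double-click on the drive runs
            $command = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue)."(default)"
        }
        $label = (Get-ItemProperty -LiteralPath $base -Name "_LabelFromReg" -ErrorAction SilentlyContinue)."_LabelFromReg"
        if ($hasAutorunIcon -or $command -or $label) {
            $results += New-Object PSObject -Property @{
                SubKey = $sub.PSChildName; Label = $label; AutorunIcon = $hasAutorunIcon; Command = $command
            }
        }
    }
    return $results
}

$entries = @(Get-CachedAutorunEntries)
if ($entries.Count -eq 0) {
    "No cached AutoRun entries under MountPoints2."
    return
}
$entries | Format-Table SubKey, Label, AutorunIcon, Command -AutoSize

if ($Clean) {
    # Export first, as Rmus recommends, so the key can be restored by double-clicking the .reg file
    $stamp = Get-Date -Format "yyyyMMdd-HHmmss"
    $backup = Join-Path ([Environment]::GetFolderPath("Desktop")) "MountPoints2-$stamp.reg"
    & reg.exe export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" $backup | Out-Null
    if (-not (Test-Path -LiteralPath $backup)) { throw "reg.exe export failed; nothing was deleted." }
    foreach ($e in $entries) {
        Remove-Item -LiteralPath (Join-Path $mp2 $e.SubKey) -Recurse -Force
    }
    "Deleted $($entries.Count) cached entries; backup saved to $backup. Windows recreates entries as drives are used."
}
```

Run it without -Clean first and compare the Command column with what you see when you double-click the drive; that is the quickest way to tell whether the cache, rather than the autorun.inf on the media, is what launched setup.exe. Remove removable media before running the cleanup, as Rmus says, so the entries are not immediately recreated.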

yeow
July 23rd, 2008, 03:00 AM
HI Rmus :)

1. I deleted all the very long {...} subkeys regardless of whether there was "+" preceding them.

2. After I rebooted PC, 5 long {...} subkeys were recreated. Probably relates to my a: c: d: e: f: drives? No "+" sign on them. 1st pic.

3. But when I insert game cd and refresh registry, a "+" sign appears, which I expanded in the 2nd pic.

4. Double-clicking on drive icon runs game setup.

Tried again 1-4, but same thing happens. I guess my case is just abnormal ???

Rmus
July 23rd, 2008, 03:09 AM
Hello yeow,

I assume you have your drive unchecked in TweakUI. If so, then your case does not follow the normal pattern.


----
rich

yeow
July 23rd, 2008, 03:19 AM
Hi Rmus,

Yes, in TweakUI they are still unchecked. I also tried re-checking & unchecking them, but still the same.

Much thanks for your time looking into it. I'll just right-click > Open, or navigate with the left pane instead.

THANKS!

Rmus
July 23rd, 2008, 11:22 AM
Hello yeow,

You are welcome.

This is the second "method" of disabling AutoRun which has not proved to be reliable for all systems.

Above, I questioned Mrk about the configuration using Group Policies because in another discussion, a user found that setting that policy did prevent AutoRun.inf from invoking the commands when the CD was inserted, but the setup.exe on the CD launched when the drive icon was clicked in My Computer.

In other words, both methods did not prevent the Shell commands from writing to the Registry in those cases.

There is another rather brutal method you might try -- it cripples AutoRun for the entire system. See

Memory stick worms
http://nick.brown.free.fr/blog/2007/10/memory-stick-worms


----
rich

Mrkvonic
July 23rd, 2008, 11:37 AM
Hello,

For clarification:

The Group Policy method = NoDriveTypeAutorun set to 255, disables autorun on all drives and prevents creation of registry keys by the shell.

Manual cd registry key hack alone change does not prevent the shell ...

Mrk
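An added example that is not from any of the posts above: it audits the Registry values the thread argues over (NoDriveTypeAutoRun and NoDriveAutoRun under the Policies\Explorer key Mrkvonic links, in both HKLM and HKCU, and the Cdrom service's AutoRun value Rmus asks about), decodes the bitmasks into drive types and drive letters, and with -Apply writes the NoDriveTypeAutoRun = 0xFF setting Mrkvonic describes in his last post. With -IniFileMapping it also applies the "brutal" method from the Nick Brown post Rmus links, which redirects every read of Autorun.inf to a Registry key that does not exist. Assumptions: run in an elevated PowerShell, using only PowerShell 2.0 features because the thread is about XP; the bit meanings are the documented drive-type bits for NoDriveTypeAutoRun (0x01 unknown, 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk, 0x80 no root directory), and NoDriveAutoRun is a bitmask over drive letters with bit 0 = A:. One caveat for XP that postdates this thread: Microsoft later published KB 967715 (2009) with an update that XP needs before NoDriveTypeAutoRun is honoured consistently; without it, disabling the value does not stop the shell from acting on a cached Autorun.inf, which is the symptom discussed above.

```powershell
# Added example, not from the thread: audit and optionally set the AutoRun-related Registry values
# discussed above. Assumes an elevated PowerShell and the documented drive-type bit meanings.
param(
    [switch]$Apply,            # write NoDriveTypeAutoRun = 0xFF under HKLM Policies\Explorer
    [switch]$IniFileMapping    # also redirect Autorun.inf reads to a non-existent key (Nick Brown method)
)

$policyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Bits of NoDriveTypeAutoRun: a set bit disables AutoRun for that drive type. 0xFF = everything.
$driveTypeBits = @{
    0x01 = "unknown"; 0x04 = "removable (USB, floppy)"; 0x08 = "fixed"; 0x10 = "network";
    0x20 = "CD/DVD";  0x40 = "RAM disk";                 0x80 = "no root directory"
}

function Get-DwordValue {
    param([string]$Hive, [string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path "${Hive}:\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function ConvertTo-DriveTypeList {
    param([int]$Mask)
    $off = foreach ($bit in ($driveTypeBits.Keys | Sort-Object)) { if ($Mask -band $bit) { $driveTypeBits[$bit] } }
    return ($off -join ", ")
}

function ConvertTo-DriveLetterList {
    # NoDriveAutoRun (what TweakUI's per-drive checkboxes set) is a bitmask where bit 0 = A:, bit 1 = B:, ...
    param([int]$Mask)
    $letters = 0..25 | Where-Object { $Mask -band [int][math]::Pow(2, $_) } | ForEach-Object { [string][char](65 + $_) + ":" }
    return ($letters -join " ")
}

foreach ($hive in "HKLM", "HKCU") {
    $typeMask = Get-DwordValue $hive $policyPath "NoDriveTypeAutoRun"
    $letterMask = Get-DwordValue $hive $policyPath "NoDriveAutoRun"
    if ($null -eq $typeMask) {
        "{0}: NoDriveTypeAutoRun not set (Windows default applies)" -f $hive
    } else {
        "{0}: NoDriveTypeAutoRun = 0x{1:X2} -> AutoRun off for: {2}" -f $hive, $typeMask, (ConvertTo-DriveTypeList $typeMask)
    }
    if ($null -ne $letterMask) {
        "{0}: NoDriveAutoRun = 0x{1:X} -> AutoRun off for drives: {2}" -f $hive, $letterMask, (ConvertTo-DriveLetterList $letterMask)
    }
}
$cdAutoRun = Get-DwordValue "HKLM" "SYSTEM\CurrentControlSet\Services\Cdrom" "AutoRun"
"Cdrom service AutoRun = $cdAutoRun (1 = media-change notification on, 0 = off; the key Rmus asks about)"

if ($Apply) {
    $key = "HKLM:\$policyPath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name "NoDriveTypeAutoRun" -Value 0xFF -Type DWord
    "Set HKLM NoDriveTypeAutoRun = 0xFF (all drive types). Log off and on, or restart Explorer, for it to take effect."
}
if ($IniFileMapping) {
    # Every read of a file named Autorun.inf through the INI-file API is redirected to @SYS:DoesNotExist,
    # so the shell never sees the file's contents and cannot cache its commands.
    $mapKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
    if (-not (Test-Path $mapKey)) { New-Item -Path $mapKey -Force | Out-Null }
    Set-ItemProperty -Path $mapKey -Name "(default)" -Value "@SYS:DoesNotExist"
    "IniFileMapping for Autorun.inf now points at @SYS:DoesNotExist."
}
```

Run it without switches first: the decoded output shows which of the several values is actually in effect on a given machine, which is what Rmus and Mrkvonic spend most of the thread trying to establish by hand. After -Apply or -IniFileMapping, repeat yeow's test (insert media, then double-click the drive icon in My Computer) before trusting the setting.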