Disable Autoplay in Windows

I use USB sticks and external hard disks a lot, as I tend to share stuff with friends and so I wanted to know the right way of disabling Autoplay.

Currently I went to Local Group Policy Editor->Computer Configuration->Administrative Templates->Windows Components->AutoPlay Policies and enabled "Turn Off Autoplay" for All Drives!

Will this be enough to keep malware from jumping into my internal drives, or do they jump either way?

Thank you!

 

You can test your CD drive by inserting an installation disk to see if it AutoPlays and starts the Setup.exe file.

If it does not start, then open My Computer and d-click on the CD drive letter.
If the Setup.exe file does not start, then this test has passed.

For your USB drive, you can test by creating an AutoRun.inf file:

----------------------------------
[AutoRun]
Open=notepad.exe
----------------------------------

Place this in the root of your USB drive, then reconnect and see what happens.

If it does not start, do the My Computer thing again.

If both cases pass, then you know that an executable file cannot slip through by remote code execution via the Autorun.inf file.

If not, you can install TweakUI for XP and disable the drives. This works for sure:


________________________________________________________________________________


----
rich

 

When I was doing IT I had my flash drive as NTFS so I could make autorun.inf , set it as read only and then deny all for all users in permissions .

Malware could jump on but would not autorun .

 

Thanx a lot! I just got confused in this part:

Why shouldn't it start since I double click the icon?

I tested a CD with Office 2007 in it and yes it does not start with Autoplay, but when I double click the CD icon it starts

edit://Ok that was fun, I created the autorun.inf for the USB stick and nothing happens when I plug it. When I double click though or right-click it and select run as in the picture below, it opens a notepad
So guess this is a PASS!

edit2://Ok, I see your point!!

 

When you d-click the icon in My Computer, it should open to the drive contents.

If the Setup.exe file starts, then your Policy for AutoPlay has prevented the Autorun.inf file from executing the commands, but has not prevented Windows from "reading" the file and writing the commands to the Registry.

These commands are then invoked when you

1) d-click the icon in My COmputer

2) r-click the icon and select Open, or whatever commands have been altered.

As you can see, this is not very secure, since malware on someone else's USB could inadvertantly be executed.

See here for an explanation I wrote earlier this year:

http://www.urs2.net/rsj/computing/tests/digiframe/InfFile.html


----
rich

 

Easiest way: Use TweakUI

 

Could you give a link to a Vista compatible one?

edit://Thanx nosirrah!

 

You can turn off autorun on your computer but that wont prevent your flash drive from being able to to infect other computers .

What I posted will prevent that and when combined with what is suggested here you will be double protected .

 

Sorry, I don't know if there's a vista version available.

A bit Off-Topic:
I have SBIE configured so that everything that runs from an USB stick is sandboxed.
This way I prevent infections, but there's another advantage:
Everytime I connect an USB drive to my laptop, I open SBIE Control and can actually see if anything is running. This way you can detect malware or any autorun activity and delete it manually.

 

I'm a bit lucky cause it is being discussed here!

 

Yes, it's actually very easy to achieve.
Just insert a USB drive, so the drive letter (in my case F is recognized.
Then go to sandboxie configuration and add force folder= f:

Just to be safe I added F: and G:, in case I ever must plug 2 USB sticks.

 

disabling autorun on your computer is probably more useful than trying to make your flash drive safe for other computers... autorun doesn't actually work for normal flash drives (http://www.microsoft.com/whdc/device/storage/usbfaq.mspx), autoplay does and that doesn't actually execute the program specified in the autorun.inf file it just presents it as an option in a menu...

those other computers would either need special software to make it work as autorun instead of autoplay or your flash drive's hardware would need to lie to windows about what kind of flash device it is... both options are doable but the net result is that in order for this threat scenario to work those other computers would need to have been explicitly made vulnerable (which is probably outside your control) or you'd have to have specially prepared a dangerous flash drive (in my experience those flash drives that lie to windows store their autorun.inf file on a special partition that requires special software to write to)...

 

This is true, but in PiCo's case in sharing, he can't be sure that the device he plugs in is a *normal* flash drive, for the so-called U3 USB devices do indeed invoke AutoRun, and are very common today.

For those not aware of this, See:

http://en.wikipedia.org/wiki/U3

You may remember the spate of infected digital picture frames. These are essentially U3 USB devices with picture software installed. Pluging in the device automatically infected the user who wasn't set up to protect against such exploits. These devices had a specially crafted AutoRun.inf file which changed the default commands on the computer's right-context menu for that drive. See the example in my post above.

Regarding disabling AutoRun: as I indicated, you have to use a method which insures that Windows does not read/write the AutoRun commands to the Registry; otherwise, the user could inadvertantly launch an executable on the drive from within My Computer.


----
rich

 

hmmm... perhaps i've misread something... i figured the sharing in this situation to mean sharing data on his own flash drives that he's loaned out - in which case he would know the properties of the drives he's giving to people and only really need to worry about disabling autorun on his own computer...

if instead he's sharing unknown flash devices whose properties he doesn't know then i suppose one might be worried about the effect those devices might have on other computers... but that gets to be a little like sharing needles and is probably something you should just avoid doing entirely rather than trying to make secure by taking away access to autorun.inf... also, i'm not sure how you'd actually prepare the u3 partition as ntfs...

were they really? i should try and get one of those... i wonder what kinds of other devices are using u3...

 

According to this thread, ForcedFolder only works on .exe's.

http://sandboxie.com/phpbb/viewtopic.php?t=3520

 

Yes.
But it seems that tzuk has some intersting improvement for next versions of SBIE.
In the meanwhile "disable autoplay" (tweakUI) and Retunil can do the rest.

 

Creating an empty folder named autorun.inf in the root of flash drive will not do the same?