TweakUI AutoRun?

Here is a screen shot of my XP MountPoints2 Keys:

​

The first two {3d...} entries are the mounted C and D (CDROM) drives

The {6e..} is my USB drive. You can see the Shell sub-Keys and the Autorun Command to execute the file that is read on my drive: astro.exe

These {...} keys also appear in the CPC list of volumes.

With the Registry Tweak @doesnotexist, the Autorun commands are not written, therefore Windows doesn't "see" anything to execute.

The problem is that unless I delete the {6e..} Key before enabling the Tweak, those commands remain in the Registry.

Now, a different drive and different autorun.inf file will be prevented from writing autorun to the Registry, so what remains from a previous drive will have no effect as long as that drive is not reconnected.

On my Win2K system I don't have this problem because with Deep Freeze, anything written to the Registry while frozen is discarded on reboot.

----
rich

 

So if I disable AutoPlay with gpedit.msc I will never see this fake AutoPlay window and Conficker won't install - am I right?

 

I don't know - I don't use gpedit.msc.

You will have to run your own tests!

----
rich

 

A little story:

If I connect my USB stick to an infected machine the infected autorun.inf will be written to the USB stick. Then I go home and connect the USB stick to my machine. The @doesnotexist tweak won't work because the USB stick was registered in MountPoints2 days before. So the malware will start without any problems?!

 

This may be somewhat of an overkill, but I've used this cheap (it's on the honor system) German program to control drive letter assignments for USB keys. It also has extensive options for managing autoruns, but which I've never used. Check out the help file link (the autorun options are towards the bottom):
http://www.uwe-sieber.de/usbdlm_e.html

-BC

 

Your reasoning here is flawed. Even though the USB stick is registered as indicated by {######}, the specific Shell command with the specific executable must also be registered. See my Post #26 screenshot, where the Shell/Autrorun/Command value is astro.exe.

Now, I will change the Autorun.inf Open command to point to a different executable:

​

Then I enable the @DoesNotexist Registry Tweak and connect the drive. Nothing happens. If the specific executable referenced in the autorun.inf file is not written to the Registry, then Windows cannot do anything. In fact, checking the MountPoints2 Key I see that the Shell/Autorun/Command entry has been removed:

​

I do not understand how all of this works. In fact, I knew nothing about the MountPoints2 Key until last year. Does it matter? I became interested only because this was such a big discussion in another forum during the conficker outbreak.

But just because others became infected, doesn't mean that I have to be in danger.

In my view, autorun.inf has become a bigger problem in people's minds than it should be. A very simple USB policy has worked for me with the average home user:

• Use a non-U3 (SmartDrive) Flash drive.
  
  
• Avoid connecting other people's flash drive
  
  
• Set AutoPlay to Prompt

Another procedure:

• Hold down the SHIFT key to suppress Autorun and AutoPlay
  
  
• Access the drive in Windows Explorer

If people would think through what is involved in getting infected, it would become evident that in most cases, a review of the their own security policies and procedures would solve most problems. In all cases, procedures must be carefully tested.

For me, that has been an easier solution than trying to figure out why TweakUI doesn't work on some systems, or delving into the mysteries of the MountPoints2 Keys!


----
rich