You might even consider AutoPlay/AutoRun somewhat … evil.
We can trace some malware infections to USB or other removable devices carrying malware from one machine to another.
The culprit is often AutoPlay.
Even if you think you have it turned off, you might not have it completely turned off.
AutoPlay (or AutoRun, as it’s sometimes called or confused with; I’ll use AutoPlay throughout to refer to both) is a convenient Windows feature that, as its name implies, allows things to happen “automatically” when you insert a removable device such as a CD, DVD, USB memory stick, external hard disk, or digital camera.
While it’s not as evil as it once was, turning it off — really off — is worth considering. The reason is very simple: AutoPlay can be used to install malware.
AutoPlay considered evil
Several years ago Michael Horowitz posted a series of articles showing how the technology can be used to run malicious software on your machine. Even worse, it can fool you into running malicious software on your machine.
In short, there’s no way to truly trust that AutoPlay won’t do something you don’t want it to do.
- Automatic Playing: as the name implies, AutoPlay can automatically launch software, either already on your machine or on the removable media. This is good when it’s the CD player software installed on your machine automatically playing the CD you just inserted, and it’s bad when it’s a virus installing itself automatically.
- Presenting Choices: I’m sure you’ve all seen the list of “what would you like to do” options that appears, instead of something happening automatically, when you insert a camera or USB device into your PC. AutoPlay allows that device to control at least some of what those options are. This is good when the options make sense, and bad when the options added are crafted in such a way as to fool you into running malware that’s on the device.
- Describing The Drive: after you’ve inserted a removable device, it often shows up in Windows Explorer with a descriptive name, with or without the drive letter, like “Fancy Software Installation Media (J:)”. That can come from AutoPlay information contained on the device. This is good if it’s accurate, and bad if it’s misleading and might cause you to think that the media is something other than it is.
- Defining Double Click or “Open” actions: after inserting the device, even if you see nothing automatically come up, the AutoPlay information on the device can define what happens if you double-click or “open” the drive. By now you can guess: that’s great if what it does is something useful, but it’s bad if it’s instructions to install malware on your machine.
As you can see, any one of the above is dangerous, and all of the above used in combination make AutoPlay a ticking time bomb.
The good news is that autorun has a single, and obvious, fuse: a file called “autorun.inf” that resides in the root of the removable device. All we need do to defuse this time bomb is to somehow cause that file to be ignored.
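To see what that one file can ask Windows to do, here is an added example (not part of the original article) that reads an autorun.inf and reports which of the four behaviours listed above it tries to control. The key names are the documented `[autorun]` entries; the grouping into the article's four behaviours and the sample file contents are assumptions made for this example.

```python
# Added example: audit an autorun.inf for the AutoPlay behaviours it requests.
# Assumption: the mapping of keys to the article's four behaviours is ours.
BEHAVIOURS = {
    "open": "automatic playing",
    "shellexecute": "automatic playing",
    "action": "presenting choices",
    "label": "describing the drive",
    "icon": "describing the drive",
    "shell": "double-click / open action",
}

def parse_autorun(text):
    """Return {key: value} for the [autorun] section (keys lower-cased)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit(text):
    """Map each behaviour to the autorun.inf entries that request it."""
    findings = {}
    for key, value in parse_autorun(text).items():
        root = key.split("\\", 1)[0]              # shell\open\command -> shell
        behaviour = BEHAVIOURS.get(root)
        if behaviour:
            findings.setdefault(behaviour, []).append((key, value))
    return findings

# Constructed sample, not taken from a real device.
SAMPLE = """\
; constructed autorun.inf
[AutoRun]
open=setup.exe
action=Install Fancy Software
label=Fancy Software Installation Media
icon=setup.exe,0
shell\\open\\command=setup.exe
"""

if __name__ == "__main__":
    for behaviour, items in audit(SAMPLE).items():
        print(f"{behaviour}: {items}")
```

Pass it the text of the autorun.inf found in the root of a device to see which behaviours that device is asking for.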
Here’s the black magic:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
(Those are three lines of text. Everything between “[HKEY_LOCAL_MACHINE …” and “… Autorun.inf]” is on one line.)
And yes, this is some incredibly black magic that actually makes use of a Windows 95 compatibility trick to fool Windows into completely ignoring the autorun.inf file on any inserted device. Period.
Copy those three lines exactly to a text file, and save it as “autorunoff.reg” (make certain that the “.reg” part is exactly correct). Double-click on the resulting file and the setting will be imported into your registry. You should get a couple of warnings from regedit as you do so. (And yes, for completeness’ sake, you should probably back up the registry beforehand, even though this is a very simple addition of a single registry item.)
Unfortunately, the solution does come with a bit of a cost.
Let’s face it, when not used for evil, autorun is kinda handy. That convenience goes away.
In the name of safety…
- … programs will not get run automatically when you insert removable media. You’ll need to manually open files or run programs appropriate to whatever it is you’re doing.
- … if choices of what to do are presented, they’ll be generic to your system and the software already installed. They will not include any choices that would otherwise be custom to the device being inserted.
- … the device will be described by only its disk label, if it has one, or its drive letter.
- … double-clicking the device will simply open up Windows Explorer on the device contents.
In my opinion, it’s a very, very small price to pay. This way you know that you’ll not get a virus from any removable devices you – or anyone else – happen to insert into your machine.