Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Is Autorun Really Evil, and If So, How do I Turn Autorun Off?

Some malware infections can be traced to infected USB or other removable devices transmitting malware from one machine to another.

The culprit is autorun.

Even if you think you have it turned off you likely don’t have it completely turned off.

Autorun (or autoplay, as it’s sometimes known as or confused with), is a very convenient feature of Windows that, as its name implies, allows things to happen “automatically” when you insert a removable device such as a CD, DVD, USB Memory stick, or digital camera.

While it’s not quite as evil as it once was, turning it off — really off — is well worth considering. The reason is very simple: autorun can be use to fool you into installing malware.

Become a Patron of Ask Leo! and go ad-free!

Autorun considered evil

A few years ago Michael Horowitz posted a series of articles on how the technology behind autorun can be used to run malicious software on your machine, or perhaps even worse, fool you into running malicious software on your machine.

In short, there’s no way to truly trust that autorun (which I’ll also use to refer to autoplay) won’t do something you don’t want it to do.

  • Automatic Playing: as the name implies, autorun can be used to automatically launch software, either already on your machine or on the removable media. This is good when it’s the CD player software installed on your machine automatically playing the CD you just inserted, and it’s bad when it’s a virus that installs itself automatically.
  • Presenting Choices: instead of automatically doing something I’m sure you’ve all seen the list of “what would you like to do” options when you insert a camera or USB device into your PC. Autorun allows that device to control at least some of what those options are. This is good when the options make sense, and bad when the options added are crafted in such a way as to fool you into running malware that’s on the device.
  • Describing The Drive: after you’ve inserted a removable device it often shows up in Windows Explorer with a descriptive name, with or without the drive letter, like “Fancy Software Installation Media (J:)”. That can come from autorun information contained on the device. This is good if it’s accurate, and bad if it’s misleading and might cause you to think that the media is something other than it is.
  • Defining Double Click or “Open” actions: after inserting the device, even if you then see nothing automatically come up because you’ve disabled it in other ways, the autorun information on the device can define what happens if you double-click or “open” the drive. By now you can guess: that’s great if what it does is something useful and appropriate, but it’s bad if its  instructions are to install malware on your machine.

As you can see any of the above are dangerous, and all of the above used in combination make autorun a ticking time bomb.

The Solution

The good news is that autorun has a single, and obvious, fuse: a file called “autorun.inf” that resides in the root of the removable device. All we need do to defuse this time bomb is to somehow cause that file to be ignored.

Here’s the black magic:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist" 

(Those are three lines of text. Everything between “[HKEY_LOCAL_MACHINE …” and “… Autorun.inf]” is on one line.)

And yes, this is some incredibly black magic that actually makes use of a Windows 95 compatibility trick to fool Windows into completely ignoring the autorun.inf file on any inserted device. Period.

Problem solved.

Copy those three lines exactly to a text file, and save it as “autorunoff.reg” (make certain that the “.reg” part is exactly correct). Double click on the resulting file and the setting will be imported into your registry. You should get a couple of warnings from regedit as you do so. (And yes, for completeness sake, you should probably backup the registry beforehand, even though this is a very simple addition of a single registry item.)

The Cost

Unfortunately, the solution does come with a bit of a cost.

Let’s face it, when not used for evil autorun is kinda handy. That convenience goes away.

In the name of safety…

  • … programs will not get run automatically when you insert removable media. You’ll need to manually open files or run programs appropriate to whatever it is you’re doing.
  • … if choices of what to do are presented, they’ll be generic to your system and the software already installed. They will not include any choices that would otherwise be custom to the device being inserted.
  • … the device will be described by only its disk label, if it has one, or its drive letter.
  • … double clicking the device will simply open up Windows Explorer on the device contents.

In my opinion, it’s a very, very small price to pay. This way you know that you’ll not get a virus from any removable devices you – or anyone else – happen to insert into your machine.

If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,

Leo

26 comments on “Is Autorun Really Evil, and If So, How do I Turn Autorun Off?”

  1. My friend, I’m thinking you’re going to need a much more detailed, step-by-step set of instructions to make this reg edit work smoothly. FAR too many folks are just not as computer literate as we might think and there are at least two or three vague areas on your instructions that will have SOME screwing up their registry beyond belief. Just sayin’…..

    I’m hopeful that “download and run this .reg file” will be simple enough.

    – Leo
    14-Feb-2009
    Reply
  2. Leo, can you comment on how this differs from the result if you use the TweakUI PowerToy to disable? Does the PowerToy leave holes?

    The Power Toy leaves holes. That’s actually why I listed some of the other things that Autorun actually does. TweakUI prevents automatic playing, but may not disable the ability to modify the menu of choices, the description, or the double click action.

    – Leo
    14-Feb-2009
    Reply
  3. Shouldn’t anti-virus software detect a problem?

    Maybe. And do you really want to count on a maybe? The fact is that machines are getting infected every day because of autorun, with or without anti-virus installed.

    – Leo
    18-Feb-2009
    Reply
  4. Does this mean the ‘Hold the left ShiftKey down while inserting a CD’ or the instructions contained here:
    http://www.base40.com/cdtTipAutoRun.htm
    are not full assurances that autorun has been disabled?

    That’s actually why I listed some of the other things that Autorun actually does. The shift key trick prevents automatic playing, but may not disable the ability to modify the menu of choices, the description, or the double click action.

    – Leo
    18-Feb-2009
    Reply
  5. This information has been used by security conscious individuals for quite some time. Thanks for making this article in such a way that the “general public” can understand and use! I work on computers for a living and use this registry edit on every one of my customers machines for over three years. If they call me later and ask why their computer is acting a bit different, I explain and my work is more appreciated. Just an extra service at no extra charge!

    Reply
  6. Leo,

    Can you please comment on the following Update statement from the CERT blog on the subject of completely disabling AutoRun:

    “Microsoft Windows may cache AutoRun information from connected devices. The impact of this feature is that even after disabling AutoRun as described above, you may still experience AutoRun behaviors for devices (USB drives, network shares, etc.) that have been connected to the computer in the past. For this reason, we also recommend removing this cache by deleting the MountPoints2 registry key for each user:

    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerMountPoints2

    I have tried to delete this key per their instructions but it will not stay deleted. It always returns with reboot.”

    Thanks in advance

    Reply
  7. I had previously disabled autorun with TweakUI, but found that File Explorer would not refresh when I changed CDs! Would using the .reg fix result in the same problem?

    I suspect it’ll have the same issue, and further I suspect that this issue is unrelated to autorun being on or off. Remember you can always press F5 in Windows Explorer to refresh the view.

    – Leo
    18-Feb-2009
    Reply
  8. I could not get rid of auto run I copied to my desktop. I then ran it and got the 2 warnings but the next time I turned on the computer the auto run still ran. Your instructions may be good for computer savy people but not me. Go ahead and laugh and put down people like me but explain things better. Yes, I gave to you tip jar 3 times when you just started.

    Certainly not putting anyone down – I try very hard make my answers accessible to all. So the two warnings you got: were they from Registry Editor? And when you say “auto run still ran”, what exactly still ran? How did you test it?

    – Leo
    18-Feb-2009
    Reply
  9. I turned autorun off and Windows no longer recognizes my DVD drive.

    Turned it back on – Windows now recognizes the drive.

    I want it off but how to see drive?

    Autorun should not affect the visibility of the drive at all. You should be able to open up Windows Explorer and see the contents of the drive manually. You’re saying that’s not the case?

    – Leo
    18-Feb-2009
    Reply
  10. Can’t users just use Tweak UI and disable this feature under My Computer-Autoplay-Types, and unchecking the boxes next to both CD and DVD and removable drives?

    That’s actually why I listed some of the other things that Autorun actually does. TweakUI prevents automatic playing, but may not disable the ability to modify the menu of choices, the description, or the double click action.

    – Leo
    18-Feb-2009
    Reply
  11. Hi Leo!

    Besides the security risk, I find autorun highly annoying. Alas, this registry entry didn’t work for me either. I did verify that the key made it into the registry. This on an HP laptop running XPpro.
    Any thoughts? TIA! S.

    Reply
  12. I have XP Pro and Firefox OS.When I clicked on your link to download “autorunof.reg” my computor came up with “this does not exist”

    Remember to right-click and Save As…

    – Leo
    19-Feb-2009
    Reply
  13. I absolutely hate AutoRun / AutoPlay; I’ve hated it since they first introduced it, it’s extremely annoying not to mention a way to lose your OS or data or both:
    consider the following:
    an evil person puts a legitimate windows / dos program on a CD/DVD or USB device and uses autorun.inf to tell it to totally roast your C:\ drive, no AV or anti-anything will stop it because it’s a legitimate part of the OS,

    I use two apps to prevent autorun / autoplay
    1> tweakUI
    2> GPEdit.msc (XP Pro only not available on XP home)
    in GPEdit there are two settings:
    one in computer configuration and the other in user configuration
    expand: “Administrative Templates” in both sections
    then click on system,
    under system is “Turn off Autoplay”
    change it to enabled and in the drop down box select “all drives”

    after doing this I have yet to see an autorun.inf run on any of my systems;

    Reply
  14. I ran the tweak as advised. And now, whenever, I insert the USB drive in my PC, it shows “windows explorer has encountered an error and needs to be closed”. Unfortunately, I didn’t do a registry backup [lesson learnt the hard way]….I can’t access my USB drive as it keeps on getting the message..please help me to restore the old settings…thanks..

    Reply
  15. I implement this modification without backing up my registry first. Please tell me how undo this modification. Thank you.
    Larry

    Reply
  16. It seems Leo is too busy to reply….

    FYI…Larry….
    System restore helps….as it worked for me..hence..its bound to work for you as well….
    Cheers…

    Vishal

    Reply
  17. Now my wife hates me. How do I reverse autorunoff.reg?

    She would rather have an unsecure machine? OK, just backup the resgitry, then fire up regedit and delete the registry entry that the .reg file added. (As someone else pointed out it may be possible to simply use system restore to restore to a point prior to running the .reg flie.)

    – Leo
    27-Feb-2009
    Reply
  18. I’ve read the article and the comments thoroughly.
    I am unable to copy and post or download the fix.
    it always saves as autorunoff.reg.txt not just autorunoff.reg. There seems to be no save option for .reg. Can any commenter help me.
    thanks
    rick

    Just rename the file manually.

    – Leo
    27-Feb-2009
    Reply
  19. FYI…Rick Ebert

    Most computers using Windows OS, by default, hides extensions for known file type. Hence, you are unable to save it as .reg.
    Go to My Documents > Tools > Folder Options > View > and untick the box of “Hide extension for known file types” & click Apply.

    Now, right click on the autorunoff.reg.txt file & delete .txt
    Thats it…
    Hope it helps…
    Cheers….

    Reply
  20. black magic did not work for me.
    even after following your instructions precisely.
    i copied those 3 line above and pasted on a text document and saved it as autorunoff.reg as told bu you.
    after that i run that file and changes in the registry were made(windows confirmed it by a prompt).
    but then i inserted my pendrive and autoplay menu was there for me.
    i use WINDOWS XP SP2.
    So please help me out.
    waitng for your reply.
    thank you.

    Reply
  21. my autorun kicks on all byitself even with no media in the drives.if i am playing a game or something online it minimizes and autorun will run 5 or 6 time then i open the game and it will happen again in another minute or to when i reformat it goes away but always comes back what should i do.

    Reply
  22. I went to computerworld and followed his advice by installing MS update KB—-. The problem is now every time I stick an USB stick in and try to open the drive from “my computer” I get a window “choose the program you want to use to open this file”. I have to manually pick out “explorer.exe”. The problem is I can’t even tick the box to “always use this program”. It is such a pain in the a. Any suggestions Leo please help me……..

    Reply
  23. by manually I mean I literally have to go to the folder “C:\WINDOWS/explorer.exe”. It does not even show up on the list of programs given.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.