More on Autorun

Last month, in my post "Autorun: good for you?" I described why I believe you should disable Autorun on all computers in your organization. I also explained how you can do this for XP and Vista computers.

Well, it turns out that Windows can override this setting when you insert a USB drive that the computer has already seen. Susan Bradley emailed me a link to an article on Nick Brown's blog, "Memory stick worms." Nick mentions the MountPoints2 registry key, where Explorer keeps a record of every USB drive the computer has ever seen, along with cached information about each one, so a drive that was mounted before you changed the Autorun policy may not honor the new setting. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.

Nick also includes a little hack (by way of the IniFileMapping key, as he describes in the comments below) that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. In addition to what I wrote earlier, you should also write a small script, deployed through Group Policy as a logon script, that deletes the following key. Because the key lives under HKEY_CURRENT_USER, the script has to run in each user's own context, and because Explorer rebuilds the key as drives are inserted, it needs to run at every logon rather than once:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

When I searched for it in my registry, I also found a few others, so maybe you'd want something that searches through the registry and deletes them all, although I don't know whether such a tool exists. I've never had a need to look for something like that.
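The logon script described above, written out as an added example; this is not code from the original post or from Nick Brown's article. It removes the per-user MountPoints2 key, then checks that the NoDriveTypeAutoRun policy value from the earlier post is still in place for the same user (0xFF, the value that disables Autorun on every drive type). It assumes PowerShell 2.0 or later, that the script runs in the logged-on user's context (a Group Policy logon script does), and that script execution is permitted by the machine's execution policy; the log-file path is an arbitrary choice.

```powershell
# Added example, not part of the original post. Per-user logon script:
#   1. delete HKCU\...\Explorer\MountPoints2 so Explorer forgets every drive this
#      user has ever inserted (the key is rebuilt as drives are mounted, which is
#      why this runs at every logon rather than once);
#   2. confirm the per-user Autorun policy value is set, and set it if not.
# Assumes it runs under the logged-on user's token (the key lives in HKCU).

$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$policyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$logFile     = Join-Path $env:TEMP 'autorun-cleanup.log'   # arbitrary location

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $env:USERNAME $Message" | Out-File -FilePath $logFile -Append
}

# 1. Forget every drive Explorer has cached for this user.
if (Test-Path $mountPoints) {
    # Count the cached device entries first so the log shows what was dropped.
    $count = (Get-ChildItem -Path $mountPoints -ErrorAction SilentlyContinue | Measure-Object).Count
    Remove-Item -Path $mountPoints -Recurse -Force
    Write-Log "Removed MountPoints2 ($count cached device entries)"
} else {
    Write-Log 'MountPoints2 not present; nothing to remove'
}

# 2. NoDriveTypeAutoRun = 0xFF disables Autorun for all drive types. Explorer
#    reads it at logon, so a value set here takes effect at the next logon.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
$current = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($current -ne 0xFF) {
    New-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF `
                     -PropertyType DWord -Force | Out-Null
    Write-Log "NoDriveTypeAutoRun was '$current'; set to 0xFF"
} else {
    Write-Log 'NoDriveTypeAutoRun already 0xFF'
}
```

Deleting the key only covers the user who is logging on; profiles that never log on again keep their cached entries, and a machine-wide policy value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer is still the right place to enforce NoDriveTypeAutoRun for everyone, with this script as the per-user cleanup on top of it.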

Comments

  • Anonymous
    January 01, 2003
    Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't

  • Anonymous
    January 01, 2003
    While there's been discussion of the weaknesses of NoDriveTypeAutorun, I haven't seen any critiques of NoDriveAutoRun. Setting this to 0xffffffff appears to obviate the need for iterating over MountPoints2 (thus making application much easier).

  • Anonymous
    January 01, 2003
    PingBack from http://blogs.technet.com/steriley/archive/2007/09/22/autorun-good-for-you.aspx

  • Anonymous
    January 01, 2003
    I am running McAfee's VirusScan on all my servers and it has a rule to block the creation of 'autorun.inf' files remotely, meaning any clients connecting to a shared drive on my servers cannot create such a file. You can use that ability to block other file types or you can use FSRM assuming you're running R2 on your servers to block file types as well.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    October 31, 2007
    Hi Steve - Nick Brown here, the author of the above-linked blog entry. I'm skeptical about the impact of systematically deleting MountPoints2.  In our experience of fighting memory stick worms, this is necessary but not sufficient.  We are not sure what would be sufficient, but on general principles, if there's one unknown registry key (googling for "MountPoints2" is remarkably unproductive), I would not be too amazed if there were others. Turning off Autorun using IniFileMapping is instantaneous, reversible (OK, you need to reboot after you delete the entry), and has precisely definable side-effects.  For a busy system administrator, that's three for three... Nick PS: Can you change my name from Mike to Nick please? :-))

  • Anonymous
    October 31, 2007
    The comment has been removed

  • Anonymous
    October 31, 2007
    The comment has been removed

  • Anonymous
    October 31, 2007
    The comment has been removed

  • Anonymous
    November 01, 2007
    Nick - I am running McAfee's VirusScan on all my servers and it has a rule to block the creation of 'autorun.inf' files remotely, meaning any clients connecting to a shared drive on my servers cannot create such a file. You can use that ability to block other file types or you can use FSRM (assuming you're running R2 on your servers) to block file types as well.

  • Anonymous
    November 01, 2007
    The comment has been removed

  • Anonymous
    January 07, 2008
    This is an interesting thread...can someone explain how deleting the MountPoints2 keys from a user's profile affects the spread of USB worms... Thanks, Harlan

  • Anonymous
    January 08, 2008
    The comment has been removed

  • Anonymous
    January 15, 2009
    The comment has been removed

  • Anonymous
    February 09, 2009
    The comment has been removed

  • Anonymous
    February 20, 2009
    I just found a 0-day worm that puts 'smss.exe' into a "system32 " (note the space after the system32). It creates this 2nd folder and then intercepts the exefile key so when you delete it, you can't run any .exe files... Nice. I was able to successfully disable & remove it. BTW it has a cute pink squid as an icon and is 416K in size. The normal smss.exe is about 50K.

  • Anonymous
    February 26, 2009
    I deleted Mountpoints2 in my registry and BAM! In an instant I was able to normally get into my Local Disk E without an error message.

  • Anonymous
    March 03, 2009
    I just ran into the same worm that Tim J. reported Feb 20, 2009.  Is it from USB drives or some other source?  Anyone know?

  • Anonymous
    April 12, 2009
Autorun disable should be done. Thanks.

  • Anonymous
    May 05, 2009
How do I delete the INF/Autorun.gen trojan?

  • Anonymous
    May 05, 2009
How do I clean my computer of the INF/Autorun.gen trojan?

  • Anonymous
    May 05, 2009
How do I make my feedback appear right away? Please tell me.

  • Anonymous
    May 18, 2009
Thanks very much. It did work.

  • Anonymous
    June 06, 2009
    The comment has been removed