Disabling Autorun and Autoplay on Windows Vista SP1 with Nick Brown's method

I'm a Windows XP person. My only copy of Vista, until recently, was virtual and one that, for whatever reason, doesn't support USB devices. Thus, when I wrote recently about disabling Autorun and Autoplay using Nick Brown's registry zap, all my testing was done with XP. Now that I got my hands on a real (non-virtual) copy of Vista, I tested the zap again.

To put this in context, I've written a few postings about disabling Autorun and Autoplay, something that all Windows users should do because malicious software, typically on USB flash drives, abuses these features to infect new PCs.

The first posting was about constructing a test USB flash drive, both to illustrate the tricks the bad guys use and to test whether a Windows machine is vulnerable to those tricks. The third posting was about what I consider the best way to disable Autorun and Autoplay: a registry zap documented by Nick Brown on his blog but originated by Emin Atac. It is assumed here that you're familiar with the material in these two postings.

The test machine, a ThinkPad T41, was running Vista Home Premium with Service Pack 1. This was a cleanly installed, virgin copy of Vista; there was no other software installed on the system.

Nick Brown's zap basically tells Windows not to process any autorun.inf files. As noted previously, this is separate and independent from the Autoplay feature of Windows XP and Vista. The autorun.inf file is an optional part of Autoplay.

BEFORE REGISTRY ZAP

As described previously, there are three ways that a maliciously constructed autorun.inf file can trick an unsuspecting user into running software on a USB flash drive. The test Vista system was initially vulnerable to each trick.

[Image: Autoplay window on the virgin Vista SP1 system when the test flash drive is inserted]

Shown above is the Autoplay window Vista displayed when I inserted the tester USB flash drive. The ability to add the top option to the Autoplay window is the first trick. You see this here in the option to run Paint.

The second trick comes into play when someone double-clicks on the drive letter in Computer (a.k.a. My Computer). Rather than listing the files and folders, a malicious autorun.inf file can run a malicious program. The third trick involves manipulation of the context menu (the menu displayed when you right-click on a drive letter) by the autorun.inf file.

DOING THE ZAP

The exact same registry zap works on XP and Vista. This is one of the advantages of Nick Brown's approach to disabling autorun. In contrast, Microsoft's approach involves different software on XP Home, XP Professional and the Home editions of Vista. As described previously, installing the registry zap involves creating or downloading a very small ".reg" file and double-clicking on it.

AFTER THE REGISTRY ZAP

[Image: Autoplay window on Vista SP1 after Nick Brown's registry zap, with the same test flash drive]

After applying Nick Brown's registry zap and re-inserting the test USB flash drive, Vista's Autoplay window was very different (see above).

Gone was the option to run Paint that had come from the autorun.inf file. In its place are four new options, no doubt due to the file types Vista found on the flash drive. Also, the flash drive is now referred to as "Removable Disk" rather than "Testing AutoPlayAutoRun", a name that came from the autorun.inf file. Instead of the Paint icon, the flash drive now has a standard Vista drive letter icon.

In a nutshell, Autoplay is totally ignoring the autorun.inf file.

Vista is now also immune to the other two tricks. Double-clicking on the drive letter now lists the files and folders as it's supposed to. Before the zap, it ran Paint. And, the context menu no longer has the option to run Paint.

As with Windows XP, there was no need to reboot to get the effect of the registry zap.  

Backing out the registry zap works exactly the same in Vista as in XP. It involves deleting a key from the registry and rebooting (see previous posting). In this case, the reboot is required.
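The post describes the zap only as "a very small .reg file" and backing it out as "deleting a key and rebooting". As an added example, not from the post or from Nick Brown, here is a PowerShell script that writes that .reg file, checks whether the zap is in effect, and removes it; the key and value are the ones the zap has always used (an IniFileMapping entry that redirects autorun.inf lookups to a registry key that does not exist). The output path under $env:TEMP and the function names are my own choices.

```powershell
# Added example (not from the original post): inspect, apply, or back out the
# IniFileMapping "zap" that makes Windows ignore every autorun.inf.
# Needs an elevated prompt, since the key lives under HKLM.
$ZapKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
# "@" = never fall back to the file; "SYS:" = look under HKLM\...\Windows NT\CurrentVersion,
# so every autorun.inf read is sent to a key that is never created and comes back empty.
$ZapValue = '@SYS:DoesNotExist'

function Test-AutorunZap {
    # $true only if the key exists AND its default value is the redirect.
    if (-not (Test-Path -Path $ZapKey)) { return $false }
    $current = (Get-Item -Path $ZapKey).GetValue('')
    return ($current -eq $ZapValue)
}

function New-AutorunZapRegFile {
    # Writes the same three-line .reg file the post tells you to double-click.
    param([string]$Path = (Join-Path $env:TEMP 'NoAutorun.reg'))   # path is my assumption
    @"
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="$ZapValue"
"@ | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

function Enable-AutorunZap {
    # Same effect as importing the .reg file; no reboot needed, as the post observes.
    if (-not (Test-Path -Path $ZapKey)) { New-Item -Path $ZapKey -Force | Out-Null }
    Set-ItemProperty -Path $ZapKey -Name '(default)' -Value $ZapValue
}

function Disable-AutorunZap {
    # Backing out = delete the key; autorun.inf is honoured again only after a reboot.
    if (Test-Path -Path $ZapKey) { Remove-Item -Path $ZapKey -Force }
    Write-Warning 'Zap removed. Reboot before expecting autorun.inf to be processed again.'
}

# Report the current state so an admin can audit a machine without changing it.
if (Test-AutorunZap) { 'autorun.inf is being ignored (zap present).' }
else                 { 'autorun.inf is still honoured (zap absent).' }
```

Run `Enable-AutorunZap` or `Disable-AutorunZap` after dot-sourcing the script; `Test-AutorunZap` is the check worth scripting across a fleet, since the key can be silently deleted by anything running as an administrator.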

I didn't get to test with a business edition of Vista but it should function exactly the same as the Home Edition.

Next time, I'll report on tests of how well Nick Brown's registry zap protects from Autorun and Autoplay abuse with CDs and shared network drives.  

Copyright © 2009 IDG Communications, Inc.
