More on Autorun
Last month, in my post "Autorun: good for you?" I described why I believe you should disable Autorun on all computers in your organization. I also explained how you can do this for XP and Vista computers.
Well, it turns out that Windows will override this setting if you insert a USB drive that your computer has already seen. I received an email from Susan Bradley that links to an article on Nick Brown's blog, "Memory stick worms." Nick mentions the MountPoints2 registry key, which keeps track of all USB drives your computer has ever seen. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.
Nick also includes a little hack that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. In addition to what I wrote earlier, you should also write a small script, and execute it through group policy, that deletes the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
When I searched for it in my registry, I also found a few others, so maybe you'd want something that would search through the registry and delete them all, although I don't know if such a tool exists -- I've never had a need to look for something like that.
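A logon script that does this, written here as an added example (it is not code from the post or from Nick Brown's blog). It assumes the clients can run PowerShell and that any extra MountPoints2 keys you find sit somewhere under HKCU\Software, which is the branch it searches:

```powershell
# Added example (not code from the post or from Nick Brown's blog).
# Group Policy logon script: delete every MountPoints2 key in the
# logged-on user's hive so Windows forgets the removable drives it has seen.
# Explorer recreates the key the next time a drive is inserted, so this
# must run at every logon rather than once.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the extra copies the post mentions all sit under
    # HKCU\Software, so that branch is searched rather than only the
    # well-known Explorer location.
    [string]$SearchRoot = 'HKCU:\Software'
)

# Collect first, delete second: removing keys while Get-ChildItem is still
# walking the tree would make the enumeration unreliable.
$keys = @(Get-ChildItem -Path $SearchRoot -Recurse -ErrorAction SilentlyContinue |
          Where-Object { $_.PSChildName -eq 'MountPoints2' })

if ($keys.Count -eq 0) {
    Write-Verbose "No MountPoints2 key found under $SearchRoot"
    return
}

foreach ($key in $keys) {
    # Each subkey is one remembered volume (a GUID or a drive letter);
    # reporting the count gives an auditable record of what was forgotten.
    $volumes = @(Get-ChildItem -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).Count
    $action  = "Remove key ($volumes remembered volumes)"

    # Honours -WhatIf and -Confirm, so the script can be dry-run before
    # it is assigned in the GPO.
    if ($PSCmdlet.ShouldProcess($key.Name, $action)) {
        try {
            Remove-Item -LiteralPath $key.PSPath -Recurse -Force -ErrorAction Stop
            Write-Verbose "Removed $($key.Name)"
        }
        catch {
            # Keep going: one failure must not leave the other keys in place.
            Write-Warning "Could not remove $($key.Name): $($_.Exception.Message)"
        }
    }
}
```

Run it once interactively with -WhatIf -Verbose to see which keys it would delete, then assign it as a logon script under User Configuration, Windows Settings, Scripts in the GPO so it runs in each user's own context (and therefore against that user's HKCU).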
Comments
Anonymous
January 01, 2003
Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't

Anonymous
January 01, 2003
While there's been discussion of the weaknesses of NoDriveTypeAutorun, I haven't seen any critiques of NoDriveAutoRun. Setting this to 0xffffffff appears to obviate the need for iterating over MountPoints2 (thus making application much easier).

Anonymous
January 01, 2003
PingBack from http://blogs.technet.com/steriley/archive/2007/09/22/autorun-good-for-you.aspx

Anonymous
January 01, 2003
I am running McAfee's VirusScan on all my servers and it has a rule to block the creation of 'autorun.inf' files remotely, meaning any clients connecting to a shared drive on my servers cannot create such a file. You can use that ability to block other file types, or you can use FSRM, assuming you're running R2 on your servers, to block file types as well.

Anonymous
October 31, 2007
Hi Steve - Nick Brown here, the author of the above-linked blog entry. I'm skeptical about the impact of systematically deleting MountPoints2. In our experience of fighting memory stick worms, this is necessary but not sufficient. We are not sure what would be sufficient, but on general principles, if there's one unknown registry key (googling for "MountPoints2" is remarkably unproductive), I would not be too amazed if there were others. Turning off Autorun using IniFileMapping is instantaneous, reversible (OK, you need to reboot after you delete the entry), and has precisely definable side-effects. For a busy system administrator, that's three for three... Nick
PS: Can you change my name from Mike to Nick please? :-))

Anonymous
November 01, 2007
Nick - I am running McAfee's VirusScan on all my servers and it has a rule to block the creation of 'autorun.inf' files remotely, meaning any clients connecting to a shared drive on my servers cannot create such a file. You can use that ability to block other file types, or you can use FSRM (assuming you're running R2 on your servers) to block file types as well.

Anonymous
January 07, 2008
This is an interesting thread... can someone explain how deleting the MountPoints2 keys from a user's profile affects the spread of USB worms... Thanks, Harlan

Anonymous
February 20, 2009
I just found a 0-day worm that puts 'smss.exe' into a "system32 " folder (note the space after system32). It creates this second folder and then intercepts the exefile key, so when you delete it, you can't run any .exe files... Nice. I was able to successfully disable and remove it. BTW, it has a cute pink squid as an icon and is 416K in size. The normal smss.exe is about 50K.

Anonymous
February 26, 2009
I deleted MountPoints2 in my registry and BAM! In an instant I was able to get into my Local Disk E normally without an error message.

Anonymous
March 03, 2009
I just ran into the same worm that Tim J. reported on Feb 20, 2009. Is it from USB drives or some other source? Anyone know?

Anonymous
April 12, 2009
Autorun should be disabled. Thanks.

Anonymous
May 05, 2009
How do I delete the INF/Autorun.gen trojan?

Anonymous
May 05, 2009
How do I clean my computer of the INF/Autorun.gen trojan?

Anonymous
May 05, 2009
How do I make my feedback appear right away? Please tell me.

Anonymous
May 18, 2009
Thanks very much. It did work.