AutoRun was introduced in Windows 95 to ease application installation for non-technical users and reduce the cost of software support calls.
To maximise the likelihood of installation success, AutoRun also acts when the drive is accessed ("double-clicked") in Windows Explorer (or "My Computer").
The terminology was of little importance until the arrival of Windows XP and its addition of a new feature to assist users in selecting appropriate actions when new media and devices were detected.
AutoRun is positioned as a layer between AutoPlay and the Shell Hardware Detection service, which may help in understanding the terminology.
An article on the CodeProject website, "Detecting Hardware Insertion and/or Removal", with clarifications from a blog by Doron Holan, is of particular technical interest here.[6]
The default Registry settings on Windows versions prior to Windows XP (see NoDriveTypeAutoRun) disable Remote and Removable drives from AutoRun initiation, leaving Fixed and CDROM drive types active by default.
From Windows Vista, the AutoPlay system is integrated into every aspect of media handling and there is no automatic execution of the AutoRun task.
The current handling in Windows 7 is that only drives of type DRIVE_CDROM may specify an AutoRun task, alter double-click behaviour or change context menus.
Registry settings may be changed directly by using the GUI regedit tool or the command line reg.exe utility.
The entry data is a bitmapped value, where a bit set to 1 disables AutoRun on a particular type of drive.
Setting all bits to 1 would give a hexadecimal value of 0xFF, decimal 255, and would disable AutoRun on all types of drives.
The policy is available on either a per-machine or a per-user basis reflecting the Registry entry location in either HKLM or HKCU.
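The bitmapped value described above can be decoded to show which drive types a given setting still leaves open to AutoRun. The following is an added example, not part of the original article: the bit-to-drive-type table follows Microsoft's documentation for NoDriveTypeAutoRun rather than this page, the sample `reg query` output is constructed, and the function names are this example's own.

```python
import re

# Bit assignments as documented by Microsoft for NoDriveTypeAutoRun
# (the article describes the bitmap but does not list the individual bits).
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED_FUTURE_TYPES",  # label chosen for this example
}
DISABLE_ALL = 0xFF  # every bit set: AutoRun disabled on all drive types

# Constructed sample of reg.exe query output for the per-machine (HKLM) entry.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x95
"""

def parse_reg_query(text):
    """Return the NoDriveTypeAutoRun value from reg.exe output, or None if absent."""
    m = re.search(r"^\s*NoDriveTypeAutoRun\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$",
                  text, re.MULTILINE)
    return int(m.group(1), 16) if m else None

def decode(value):
    """Split a value into (disabled, still_enabled) drive-type names."""
    low = value & 0xFF  # assumption: only the low byte carries drive-type bits
    disabled = [n for bit, n in DRIVE_TYPE_BITS.items() if low & bit]
    enabled = [n for bit, n in DRIVE_TYPE_BITS.items() if not low & bit]
    return disabled, enabled

def audit(text):
    """Summarise whether the captured setting disables AutoRun on every drive type."""
    value = parse_reg_query(text)
    if value is None:
        # No policy value present: the OS default applies, so nothing is proven.
        return {"value": None, "compliant": False, "still_enabled": None}
    _, enabled = decode(value)
    compliant = (value & 0xFF) == DISABLE_ALL
    return {"value": value, "compliant": compliant, "still_enabled": enabled}

if __name__ == "__main__":
    report = audit(SAMPLE_REG_OUTPUT)
    print(hex(report["value"]), "compliant:", report["compliant"])
    print("AutoRun still enabled for:", ", ".join(report["still_enabled"]))
```

The sample value 0x95 disables Removable and Remote drives but leaves Fixed and CDROM active, which matches the pre-Windows XP default the article describes.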
In these versions of Windows, the ability of an autorun.inf file to set an AutoRun task, alter double-click behaviour or change context menus is restricted to drives of type DRIVE_CDROM.
Under Windows 95/98/ME, this setting can be changed under Device Manager, accessible from the System icon in Control Panel.
The MCN message does trigger AutoRun initiation but it also instructs the Explorer shell to update its views and contents.
The default value for this entry consists of products identified by Microsoft testing as being unable to support AutoRun.
However, the Group Policy Editor is not available on Home versions of Windows XP[19] and does not provide any fine-grained drive selection facilities.
Previous versions of Windows do not have this policy setting but the use of initialisation file mapping is an effective workaround.
This leaves the user open to attack from malware which uses the autorun.inf to alter the double-click and contextual menu behaviours.
This bug was fixed in a number of security updates, detailed in Microsoft Knowledge Base article 967715.[25]
This Group Policy setting reflects the value of the Registry entry:
AutoRun functionality has been used as a malware vector for some time.
Prior to Windows Vista, the default action with a CD-ROM drive type was to follow any autorun.inf file instructions without prompts or warnings.
Some companies, such as Sony BMG, have used this vector to install malware that attempts to protect against copying of the audio tracks.
Given the ease of writing script-based attacks, anti-virus software may be ineffective in preventing data and password stealing.
With a standard flash drive, social engineering attacks can be employed to entice a user to click on the appropriate item in the AutoPlay dialog.
An alluring action string promising free games or pornography would lure many users into the trap.
At any time, double-clicking on the drive icon will use the autorun.inf automatically, a trap more advanced users could fall into.
The prevalence of malware infection by means of AutoRun and USB flash drive was documented in a 2011 Microsoft study[31] analyzing data from more than 600 million systems worldwide in the first half of 2011.
That finding was in line with other statistics, such as the monthly reporting of most commonly detected malware by antivirus company ESET, which lists abuse of autorun.inf as first among the top ten threats in 2011.[32]
In addition to basic security precautions, which include[33] exposure to these attacks can be minimised through the appropriate use of Group Policy and Registry settings.