Friday, January 2, 2009

How to correct "disable Autorun registry key"

The registry key guidance that is offered in TechNet article 91525 (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true) did not correctly disable AutoRun features. After you set the registry keys to disable these features as described in this TechNet article, the AutoRun capabilities, the Double Click feature, and the Contextual Menu feature continue to function as if they were not set. This article describes how to obtain updates that correct these registry key settings.



Windows Server 2008 is not affected.


MORE INFORMATION
The purpose of Autorun
The main purpose of Autorun is to provide a software response to hardware actions that you start on a computer. Autorun has the following features:

* Double Click
* Contextual Menu
* AutoPlay

These features are typically called from removable media or from network shares. During AutoPlay, the Autorun.inf file from the media is parsed. This file specifies which commands the system runs. Many companies use this functionality to start their installers.

Prerequisites to disable Autorun capabilities
To disable Autorun capabilities, you must install the following updates:

* Update for Windows XP (KB950582)
http://www.microsoft.com/downloads/details.aspx?FamilyId=CC4FB38C-579B-40F7-89C4-1721D7B8DAA5
* Update for Windows Server 2003 for Itanium-based Systems (KB950582)
http://www.microsoft.com/downloads/details.aspx?FamilyId=5795F63E-1FD9-4A13-9650-1015E14B6D11
* Update for Windows Server 2003 x64 Edition (KB950582)
http://www.microsoft.com/downloads/details.aspx?FamilyId=E8507286-CDF8-4BCB-AFC5-9734FE772C53
* Update for Windows Server 2003 (KB950582)
http://www.microsoft.com/downloads/details.aspx?FamilyId=705305E5-7060-4236-B5D2-40CA63A967FB
* Update for Windows XP x64 Edition (KB950582)
http://www.microsoft.com/downloads/details.aspx?FamilyId=21A0124C-6F50-4281-923E-E2B28068147A
* Update for Windows 2000 (KB950582)
http://www.microsoft.com/downloads/details.aspx?FamilyId=C192EDCF-CA3D-44E3-8ECC-49C5F4DA5405

Note Windows Vista-based systems must have update 950582 (Security bulletin MS08-038 (http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx) ) installed to take advantage of the registry key settings that disable Autorun.

As soon as the prerequisites are installed, follow these steps to disable Autorun.
How to use Group Policy settings to disable all Autorun features

Windows Vista

1. Click Start, type Gpedit.msc in the Start Search box, and then press ENTER.

If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
2. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
3. In the Details pane, double-click Turn off Autoplay.
4. Click Enabled, and then select All drives in the Turn off Autoplay on box to disable Autorun on all drives.
5. Restart the computer.

Windows Server 2003, Windows XP, and Windows 2000

1. Click Start, click Run, type Gpedit.msc in the Open box, and then click OK.
2. Under Computer Configuration, expand Administrative Templates, and then click System.
3. In the Settings pane, right-click Turn off Autoplay, and then click Properties.

Note In Windows 2000, the policy setting is named Disable Autoplay.
4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
5. Click OK to close the Turn off Autoplay Properties dialog box.
6. Restart the computer.


How to selectively disable specific Autorun features
To selectively disable specific Autorun features, you must modify the NoDriveTypeAutoRun value under the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
How you modify this subkey depends on the Autorun feature that you want to disable. For more information about Autorun registry key values, visit the following Microsoft TechNet Web page:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true
Autorun is also known as AutoPlay. The following table shows the settings for the NoDriveTypeAutoRun registry value.


Value Meaning
0x1 Disables AutoPlay on drives of unknown type
0x4 Disables AutoPlay on removable drives
0x8 Disables AutoPlay on fixed drives
0x10 Disables AutoPlay on network drives
0x20 Disables AutoPlay on CD-ROM drives
0x40 Disables AutoPlay on RAM disks
0x80 Disables AutoPlay on drives of unknown type
0xFF Disables AutoPlay on all kinds of drives

The default value for NoDriveTypeAutoRun varies for different Windows-based operating systems. These default values are listed in the following table.

Operating system Default value
Windows Vista 0x91
Windows Server 2003 0x95
Windows XP 0x91
Windows 2000 0x95

Registry key that is used to control the behavior of the current update
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

All the fixes in the current update for Windows XP and for Windows Server 2003 have been included in the following two registry subkeys.

Note Values were concentrated in these subkeys so that you can revert to the previous configuration if it is required. Windows 2000 and Windows Vista do not use these registry subkeys.

HonorAutorunSetting registry subkeys

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\

Registry Value

Value                 Data type    Range       Default value
HonorAutorunSetting   REG_DWORD    0x0–0xFF    0x01

When you install update 950582, the HonorAutorunSetting registry key is created only in the HKEY_LOCAL_MACHINE registry hive. The registry key has a default value of 0x1. This value enables the functionality that is present in the current update. Before you install the current update, this registry key is not present in the system. You can obtain prepackage installation Autorun behavior by manually setting the registry key to 0. (To do this, type 0 instead of 1, in step 6 of the procedures to manually set the registry key.) If the registry key is present in both the HKEY_LOCAL_MACHINE registry hive and the HKEY_CURRENT_USER registry hive, the HKEY_LOCAL_MACHINE hive setting takes priority.


How to set the HonorAutorunSetting registry key manually
Windows Server 2003 and Windows XP

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
4. Right-click in the right pane, point to New, and then click DWORD Value.
5. Type HonorAutorunSetting, and then press ENTER.
6. In the Value data box, type 1, click Hexadecimal, if it is not already selected, and then click OK.
7. Exit Registry Editor.
8. Restart the system for the new settings to take effect.
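
To check the result after the restart, the following script reads NoDriveTypeAutoRun and HonorAutorunSetting, decodes the bitmask with the table above, and applies the HKEY_LOCAL_MACHINE-over-HKEY_CURRENT_USER priority described earlier. It is an added example, not part of the Microsoft article; the helper names Get-AutoPlayEnabledTypes and Get-PolicyValue are illustrative, and it is written to run on Windows PowerShell 2.0.

```powershell
# Added example; helper names are illustrative. Bit meanings are taken from the
# NoDriveTypeAutoRun table above (0x1 and 0x80 are both listed as "unknown type").
$DriveTypeBits = @(
    @{ Bit = 0x01; Drive = 'unknown type (0x1)' },
    @{ Bit = 0x04; Drive = 'removable' },
    @{ Bit = 0x08; Drive = 'fixed' },
    @{ Bit = 0x10; Drive = 'network' },
    @{ Bit = 0x20; Drive = 'CD-ROM' },
    @{ Bit = 0x40; Drive = 'RAM disk' },
    @{ Bit = 0x80; Drive = 'unknown type (0x80)' }
)

# Return the drive types on which a given mask leaves AutoPlay enabled.
function Get-AutoPlayEnabledTypes {
    param([Parameter(Mandatory = $true)][int]$Mask)
    $DriveTypeBits | Where-Object { -not ($Mask -band $_.Bit) } |
        ForEach-Object { $_.Drive }
}

# Read one value from the Policies\Explorer subkey of a hive; $null if absent.
function Get-PolicyValue {
    param([string]$Hive, [string]$Name)
    $path = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$mask    = Get-PolicyValue HKLM NoDriveTypeAutoRun
$honorLM = Get-PolicyValue HKLM HonorAutorunSetting
$honorCU = Get-PolicyValue HKCU HonorAutorunSetting
# Per the article, the HKEY_LOCAL_MACHINE setting wins when both hives carry the value.
$honor = if ($null -ne $honorLM) { $honorLM } else { $honorCU }

if ($null -eq $mask) {
    'NoDriveTypeAutoRun: not set in HKLM (operating system default applies)'
} else {
    $open = @(Get-AutoPlayEnabledTypes $mask) -join ', '
    'NoDriveTypeAutoRun: 0x{0:X2}; AutoPlay still enabled on: {1}' -f $mask, $open
}
if ($null -eq $honor) {
    'HonorAutorunSetting: absent (on XP/2003 this is the state before update 950582)'
} elseif ($honor -eq 0) {
    'HonorAutorunSetting: 0 (pre-update Autorun behavior restored)'
} elseif ($honor -eq 1) {
    'HonorAutorunSetting: 1 (update functionality enabled)'
} else {
    'HonorAutorunSetting: 0x{0:X} (review against the documented default of 1)' -f $honor
}
```

Calling Get-AutoPlayEnabledTypes with the listed default 0x91 returns removable, fixed, CD-ROM and RAM disk, which shows what the default leaves open compared with 0xFF.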


WORKAROUND
We have tested the following workarounds.

Workaround 1: To prevent creating Autorun.inf files on shares
To prevent the Autorun feature from being invoked and to keep any programs from writing Autorun.inf files to mapped network drives, follow these steps:

1. Delete any Autorun.inf files from the root of a mapped network drive.
2. Do not give anyone Create rights to the root of a mapped network drive.

Note After you implement this workaround, Autorun features will not be available from network drives.

Workaround 2: To disable the use of USB storage devices
The following Microsoft Knowledge Base article contains two methods to prevent users from connecting to a USB storage device:
823732 (http://support.microsoft.com/kb/823732/ ) How to disable the use of USB storage devices

Note After you implement this workaround, USB storage devices no longer function on systems in which these changes are applied.

ref: http://support.microsoft.com/kb/953252
