Disable Autorun

The methods given by Microsoft initially failed to work perfectly: the keys they use can be overridden. A registry key named MountPoints2 is a cache that stores info on all USB drives that have been connected to the PC, and it would be used instead of the keys MS provides. In our environment that’s not much of an issue, since there usually aren’t any USB drives connected before the images are deployed (and locked down with Deep Freeze). Nevertheless, if an autorun.inf virus is somehow executed by a student and another student comes along afterward, they could become infected.

Delete the registry key/cache to get rid of that concern on a fresh system. Note that it’s per user.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

An alternative method can be used. It places more of a burden on the students (everything must be run manually) but should be better in the long run.

Disable both autorun and autoplay:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExistAtLCC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

I also came across another nifty util that simply flips a registry bit which controls writing to USB drives: 0 or 1 accordingly.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
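
To verify on a deployed image that the keys above are actually in place, the following PowerShell check reads each one and reports its state. It is an added example, not part of the original post; the function name, the -ClearMountPoints2 switch and the output property names are assumptions made for illustration.

```powershell
# Added example: report the state of each registry setting named on this page.
# Get-AutorunLockdownState and its property names are hypothetical.
function Get-AutorunLockdownState {
    param([switch]$ClearMountPoints2)   # also delete the per-user cache

    $iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $cdrom  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
    $policy = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    $cache  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

    # Default (unnamed) value of the IniFileMapping key; $null if the key is missing
    $mapValue = $null
    if (Test-Path -LiteralPath $iniMap) {
        $mapValue = (Get-Item -LiteralPath $iniMap).GetValue('')
    }

    # Named DWORD values; a missing key or value comes back as $null
    $cdAutoRun = (Get-ItemProperty -LiteralPath $cdrom  -Name AutoRun      -ErrorAction SilentlyContinue).AutoRun
    $writeProt = (Get-ItemProperty -LiteralPath $policy -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect

    # Optionally remove the cache for the user running this script
    if ($ClearMountPoints2 -and (Test-Path -LiteralPath $cache)) {
        Remove-Item -LiteralPath $cache -Recurse -Force
    }

    # Each subkey of MountPoints2 is one cached mount point for THIS user only
    $cached = @(Get-ChildItem -LiteralPath $cache -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        AutorunInfRemapped   = ($mapValue -like '@SYS:*')
        AutorunInfMapValue   = $mapValue
        CdromAutoRunDisabled = ($cdAutoRun -eq 0)
        UsbWriteProtect      = ($writeProt -eq 1)
        MountPoints2Entries  = $cached
    }
}

Get-AutorunLockdownState | Format-List
```

Because MountPoints2 lives under HKEY_CURRENT_USER, the entry count and the optional cleanup apply only to the account that runs the script.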

MS has created updates and now has a TRUE working patch that honors the noAutorun reg keys listed above: KB# 971029 was updated 1 July 2010.

ref: http://www.us-cert.gov/cas/techalerts/TA09-020A.html
ref: http://support.microsoft.com/kb/967715
