AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted.
AutoRun was introduced in Windows 95 to ease application installation for non-technical users and reduce the cost of software support calls. When an appropriately configured CD-ROM is inserted into a CD-ROM drive, Windows detects the arrival and checks the contents for a special file containing a set of instructions. For a commercial application, these instructions normally initiate installation of the software from the CD-ROM. To maximise the likelihood of installation success, AutoRun also acts when the drive is accessed ("double-clicked") in Windows Explorer (or "My Computer").
Until the introduction of Windows XP, the terms AutoRun and AutoPlay were used interchangeably, developers often using the former term and end users the latter. This tendency is reflected in Windows Policy settings named AutoPlay that change Windows Registry entries named AutoRun, and in the autorun.inf file which causes "AutoPlay" to be added to drives’ context menus. The terminology was of little importance until the arrival of Windows XP and its addition of a new feature to assist users in selecting appropriate actions when new media and devices were detected. This new feature was called AutoPlay and a differentiation between the two terms was created.[1]
AutoRun
AutoRun, a feature of Windows Explorer (actually of the shell32 DLL) introduced in Windows 95, enables media and devices to launch programs by use of commands listed in a file called autorun.inf, stored in the root directory of the medium.
Primarily used on installation CD-ROMs, the applications called are usually application installers. The autorun.inf file can also specify an icon which will represent the device visually in Explorer along with other advanced features.[1]
The terms AutoRun and AutoPlay tend to be interchangeably used when referring to the initiating action, the action that detects and starts reading from discovered volumes. The flowchart illustration in the AutoPlay article shows how AutoRun is positioned as a layer between AutoPlay and the Shell Hardware Detection service and may help in understanding the terminology. However, to avoid confusion, this article uses the term AutoRun when referring to the initiating action.
AutoPlay
[Figure: AutoPlay in Windows Vista]
AutoPlay is a feature introduced in Windows XP which examines removable media and devices and, based on content such as pictures, music or video files, launches an appropriate application to play or display the content.[1] If available, settings in an autorun.inf file can add to the options presented to the user.
AutoPlay is based on a set of handler applications registered with the AutoPlay system. Each media type (Pictures, Music, Video) can have a set of registered handlers which can deal with playing or displaying that type of media.
Each hardware device can have a default action occurring on discovery of a particular media type, or the AutoPlay dialog can prompt the user what action to take.
AutoRun activation
The AutoRun sequence starts with the initial discovery of a new device or new piece of media. Following this, notification of interested parties occurs, of which the Windows Explorer shell is of primary interest. After checking certain Registry settings to see if AutoRun can proceed, parsing of an optional autorun.inf may occur and any necessary actions are taken.
The initial sequence is handled much the same in every version of Windows from Windows 95. However, the way the autorun.inf file is read and acted upon and the level of integration of AutoRun with AutoPlay has changed significantly from the time AutoPlay was introduced in Windows XP until the present handling in Windows 7.
Initiation and notification
When a device with AutoRun-compatible drivers receives new media, a "Media Change Notification" event occurs. The Windows OS then notifies interested applications that a device change has occurred. The notification method used can change depending on the device type.
If the device changed is a volume (like a CD) or a port (like a serial port) Windows broadcasts a WM_DEVICECHANGE notification to all top-level windows.[2][3] Windows calls this a "basic" notification. A top-level window is one which is a descendant of the desktop.
However, if the device changed is not one of these types an application can use the RegisterDeviceNotification[4] function to register to receive device notifications.
An article on the CodeProject website, "Detecting Hardware Insertion and/or Removal", with clarifications from a blog by Doron Holan, is of particular technical interest here.
Non-volume devices are those devices that do not appear as drive letters in "My Computer". These are not handled by any part of AutoRun - any actions taken for these devices are taken either by device specific software or by AutoPlay. See AutoPlay#Devices that are not drives.
When Explorer receives notification of a volume change, it performs a number of actions:[5][6]
1. Checks to see if AutoRun has been disabled through the Registry. If AutoRun is disabled for that drive or drive type, Explorer does not proceed further. There have been bugs in this area.
2. Checks that the root directory of the inserted media contains an autorun.inf file, which might be read. See below.
3. Sends a QueryCancelAutoPlay message to the foreground window. An application which has registered its interest in receiving this message using RegisterWindowMessage can respond to this message to halt AutoRun (and thus AutoPlay) at this point. Any application, foreground or not, can also be notified by using the IQueryCancelAutoPlay COM interface[7] available in Windows XP and later.
4. Alters double-click and contextual menu behaviours. When a user double clicks on the drive icon in Explorer or right clicks to get a context menu, what happens is fully programmable by settings in the autorun.inf file.
5. Adds an autorun.inf controllable icon and descriptive text to the drive icon.
6. Checks to see if the ⇧ Shift key is held down. If it is then Windows Vista (and later Windows versions) will invoke the AutoPlay dialog regardless of settings to the contrary.[8] Previous versions of Windows will not continue with the process.[6]
7. Finally, if this point has been reached, either:
   - takes no further action.
   - executes the "AutoRun task", the application optionally specified in the open or shellexecute keys in an autorun.inf's [autorun] section.
   - invokes AutoPlay.
Which choice is made depends on the version of Windows in use, instructions from the autorun.inf if available and the type of the media discovered.
Changing behaviour
See also: autorun.inf#Inf handling
Before AutoPlay
On Windows versions prior to Windows XP, an autorun.inf file on any drive type will be read and its instructions followed. The AutoRun task, if specified, is executed immediately without user interaction.[9] This includes DRIVE_REMOVABLE, DRIVE_FIXED and DRIVE_REMOTE drive types.
AutoRun will work with network drives (the DRIVE_REMOTE drive type) that are mapped to a drive letter. AutoRun will also work with floppy drives that are provided with autorun-compatible drivers.[6]
The default Registry settings on Windows versions prior to Windows XP (see NoDriveTypeAutoRun) disable Remote and Removable drives from AutoRun initiation, leaving Fixed and CDROM drive types active by default.
Introducing AutoPlay
With the introduction of AutoPlay in Windows XP, the final stage action (stage 7 above) for some drive types changed from executing an application to invoking AutoPlay. From Windows Vista, the AutoPlay system is integrated into every aspect of media handling and there is no automatic execution of the AutoRun task.
The default Registry settings add Removable drives to those that initiate AutoRun. In Windows XP and higher, except Windows Server 2003, only the Unknown and Remote drive types are not active for AutoRun.
The handling of the autorun.inf file changes very significantly between each Windows version. The details can be found in the autorun.inf article. The current handling in Windows 7 is that only drives of type DRIVE_CDROM may specify an AutoRun task, alter double-click behaviour or change context menus.
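The defaults described in this and the previous subsection correspond to the NoDriveTypeAutoRun bitmask values 0x95 (before Windows XP) and 0x91 (Windows XP and later). The Python sketch below is an added example, not part of the original article: it decodes such a mask and reports which drive types are still active for AutoRun. The bit assignments, the policy Registry path and the choice of Removable and Remote as the types to check are supplied here, not taken from this page.

```python
# Bit assignments of the NoDriveTypeAutoRun Registry value: a set bit
# disables AutoRun for that drive type.
DRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved (future drive types)",
}

def decode(mask):
    """Split a NoDriveTypeAutoRun value into (disabled, enabled) type lists."""
    disabled = [n for b, n in DRIVE_BITS.items() if mask & b]
    enabled = [n for b, n in DRIVE_BITS.items() if not mask & b]
    return disabled, enabled

def audit(mask, must_disable=("DRIVE_REMOVABLE", "DRIVE_REMOTE")):
    """Return the drive types from must_disable that the mask leaves active."""
    _, enabled = decode(mask)
    return [n for n in must_disable if n in enabled]

def read_policy_mask():
    """Read the per-machine policy value on Windows; None if absent or not Windows."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0]
    except OSError:
        return None
    # Older systems may store the value as binary rather than a DWORD.
    return value if isinstance(value, int) else int.from_bytes(value, "little")

if __name__ == "__main__":
    samples = (("pre-XP default", 0x95), ("XP default", 0x91),
               ("local policy", read_policy_mask()))
    for label, value in samples:
        if value is not None:
            print(f"{label}: 0x{value:02X} leaves active: {audit(value)}")
```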
The AutoPlay safety net
It would appear that AutoPlay, by transferring control of what were previously automatic and invisible actions to AutoPlay, acts to increase user control and safety. This applies especially from Windows Vista, where all media and devices fall under AutoPlay control.
However, it is important to note that:
A user can instruct AutoPlay to make automatic choices on their behalf, including the execution of any AutoRun task.
When a user double clicks on the drive icon in Explorer or right clicks to get a context menu, what happens next is fully programmable by the autorun.inf file and is essentially outside AutoPlay's purview. This is true under any Windows operating system.
Disabling AutoRun may force a user to double-click the drive icon to get a contents list, thus potentially increasing the chance of malware infiltration.