How to use Group Policy settings to disable all Autorun features

(Microsoft) The purpose of Autorun

The main purpose of Autorun is to provide a software response to hardware actions that you start on a computer. Autorun has the following features:

  • Double-Click
  • Contextual Menu
  • AutoPlay

These features are typically called from removable media or from network shares. During AutoPlay, the Autorun.inf file from the media is parsed. This file specifies which commands the system runs. Many companies use this functionality to start their installers.

Back to the top

User experience

You may notice a change in user experience for the drives for which Autorun is disabled. The double-click and right-click shortcut menu functionality might be different because the Autorun.inf file is no longer read.

Back to the top

Prerequisites to disable Autorun capabilities

To disable Autorun capabilities, you must install the following updates:

As soon as the prerequisites are installed, follow these steps to disable Autorun.

Back to the top

How to use Group Policy settings to disable all Autorun features

Windows Server 2008 or Windows Vista

Note Windows Vista-based and Windows Server 2008-based systems must have update 950582 (Security bulletin MS08-038 ( http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx) ) installed to take advantage of the registry key settings that disable Autorun.

  1. Click Start

    Collapse this imageExpand this image

    the Start button

    , type Gpedit.msc in the Start Search box, and then press ENTER.

    Collapse this imageExpand this image

    User Account Control permission

    If you are prompted for an administrator password or for confirmation, type the password, or click Allow.

  2. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
  3. In the Details pane, double-click Turn off Autoplay.
  4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
  5. Restart the computer.

Windows Server 2003, Windows XP, and Windows 2000

  1. Click Start, click Run, type Gpedit.msc in the Open box, and then click OK.
  2. Under Computer Configuration, expand Administrative Templates, and then click System.
  3. In the Settings pane, right-click Turn off Autoplay, and then click Properties.Note In Windows 2000, the policy setting is named Disable Autoplay.
  4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
  5. Click OK to close the Turn off Autoplay Properties dialog box.
  6. Restart the computer.

Back to the top

How to selectively disable specific Autorun features

To selectively disable specific Autorun features, you must modify the NoDriveTypeAutoRun value under the following registry key subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

How you modify this subkey depends on the Autorun feature that you want to disable. For more information about Autorun registry key values, visit the following Microsoft TechNet Web page:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true ( http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true)

Autorun is also known as AutoPlay. The following table shows the settings for the NoDriveTypeAutoRun registry value.

Collapse this tableExpand this table

Value Meaning
0x1 Disables AutoPlay on drives of unknown type
0x4 Disables AutoPlay on removable drives
0x8 Disables AutoPlay on fixed drives
0x10 Disables AutoPlay on network drives
0x20 Disables AutoPlay on CD-ROM drives
0x40 Disables AutoPlay on RAM disks
0x80 Disables AutoPlay on drives of unknown type
0xFF Disables AutoPlay on all kinds of drives

The default value for NoDriveTypeAutoRun varies for different Windows-based operating systems. These default values are listed in the following table.

Collapse this tableExpand this table

Operating system Default value
Windows Server 2008 and Windows Vista 0x91
Windows Server 2003 0x95
Windows XP 0x91
Windows 2000 0x95

Back to the top

Registry key that is used to control the behavior of the current update

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

All the fixes in the current update for Windows XP and for Windows Server 2003 are included in the following two registry subkeys.

Note Changes are controlled by using this subkey so that you can revert to the previous configuration if it is required. Windows 2000 and Windows Vista do not use this registry subkey.

HonorAutorunSetting registry subkey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\

Registry Value

Collapse this tableExpand this table

Value Data type Range Default value
HonorAutorunSetting REG_DWORD 0x0–0xFF 0x01

When you install update 967715, the HonorAutorunSetting registry key is created only in the HKEY_LOCAL_MACHINE registry hive. The registry key has a default value of 0x1. This value enables the functionality that is present in the current update. Before you install the current update, this registry key is not present in the system. You can obtain prepackage installation Autorun behavior by manually setting the registry key to 0. (To do this, type 0 instead of 1 in step 6 of the following procedures to manually set the registry key.) HonorAutorunSetting is always read from the HKEY_LOCAL_MACHINE registry hive even if the HonorAutorunSetting entry is also configured in the HKEY_CURRENT_USER registry hive.

Back to the top

How to set the HonorAutorunSetting registry key manually

Windows Server 2003 and Windows XP

  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\

  4. Right-click in the right side pane, point to New, and then click DWORD Value.
  5. Type HonorAutorunSetting, and then press ENTER.
  6. In the Value data box, type 1, click Hexadecimal if it is not already selected, and then click OK.
  7. Exit Registry Editor.
  8. Restart the system for the new settings to take effect.

Link tham khao: http://support.microsoft.com/kb/967715

Leave a Comment

Bạn làm theo hướng dẫn của hình bên dưới để submit comment
Clickcha - The One-Click Captcha