AutoRun facts for kids
AutoRun and its friend AutoPlay are features in Microsoft Windows. They decide what your computer does when you connect a new device or put in a new disc.
AutoRun first appeared in Windows 95. It was made to help people easily install programs from CD-ROMs. When you put a CD into your computer, Windows checks it for a special file. This file tells the computer what to do. For software CDs, it usually starts the installation. AutoRun also works if you double-click a drive in Windows Explorer (like "My Computer").
Before Windows XP, people often used "AutoRun" and "AutoPlay" to mean the same thing. Developers might say "AutoRun," while users said "AutoPlay." This is why some Windows settings are called "AutoPlay" but change "AutoRun" settings. The file that gives instructions is called autorun.inf
When Windows XP came out, a new feature was added. This feature helps you choose what to do when you connect new media or devices. This new feature was called AutoPlay. From then on, AutoRun and AutoPlay became different things.
AutoRun is part of Windows Explorer. It lets discs and devices start programs. This happens using commands found in a file called autorun.inf
AutoRun is mostly used for installation CDs. The programs it starts are usually installers. The autorun.inf file can also set an icon for the device. This icon helps you see it easily in Explorer.
People still sometimes use AutoRun and AutoPlay interchangeably. This article uses "AutoRun" when talking about the first action. This is the action that finds and starts reading from a new disc or device.
Contents
AutoPlay
AutoPlay is a feature that came with Windows XP. It looks at removable media and devices. Then, based on what's inside (like pictures, music, or videos), it suggests what program to use. For example, it might suggest a photo viewer for pictures. If an autorun.inf file is present, it can add more choices for you.
AutoPlay works with a list of programs that can handle different media types. For example, there are programs for pictures, music, and video. Each type can have different programs that can play or show its content.
Your computer can be set to do a default action when it finds a certain type of media. Or, the AutoPlay window can pop up. This window asks you what you want to do.
How AutoRun Starts
The AutoRun process begins when your computer finds a new device or disc. Windows then tells other programs that something new has been connected. The Windows Explorer program is especially interested in this. After checking some settings, Windows might read the optional autorun.inf file. Then, it takes any necessary actions.
The first steps are similar in all Windows versions since Windows 95. However, how the autorun.inf file is read has changed a lot. Also, how AutoRun works with AutoPlay has changed. This has happened from Windows XP up to Windows 7. In Windows 10, you can even turn AutoRun on or off in the settings. You can also pick which external devices use AutoPlay.
Starting and Notifying
When a device with AutoRun-ready drivers gets new media, a "Media Change Notification" happens. This means Windows knows something has changed. The Windows OS then tells programs that a device change has happened. How it tells them depends on the device type.
If the device is a drive (like a CD) or a port, Windows sends a message to all main windows. Windows calls this a "basic" notification.
If the device is not one of these types, a program can sign up to get device notifications.
Devices that don't show up as drive letters (like C: or D:) are not handled by AutoRun. Any actions for these devices are done by their own software or by AutoPlay.
When Explorer hears about a drive change, it does several things:
- It checks if AutoRun has been turned off in the computer's settings. If AutoRun is off for that drive, Explorer stops.
- It checks if the main folder of the new media has an autorun.inf file. This file might be read.
- It sends a message to the window you are currently using. A program can stop AutoRun (and AutoPlay) at this point.
- It changes what happens when you double-click the drive icon. It also changes what appears when you right-click it. The autorun.inf file can control these actions.
- It adds an icon and text to the drive icon. These can be controlled by the autorun.inf file.
- It checks if the Shift key is held down. If it is, Windows Vista (and newer versions) will open the AutoPlay window. This happens even if settings say otherwise. Older Windows versions will not continue the process.
- Finally, if all these steps are passed, it will either:
- Do nothing else.
- Run the "AutoRun task." This is a program listed in the autorun.inf file.
- Open AutoPlay.
The choice depends on your Windows version, instructions from the autorun.inf file, and the type of media.
Changing How It Works
Before AutoPlay
On Windows versions older than Windows XP, an autorun.inf file on any drive type was read. Its instructions were followed right away, without you needing to do anything. This included removable drives (like USBs), fixed drives (like hard drives), and network drives.
AutoRun also worked with network drives that had a drive letter. It could also work with floppy drives if they had AutoRun-ready drivers.
By default, older Windows versions turned off AutoRun for network and removable drives. This left hard drives and CD-ROM drives active.
Introducing AutoPlay
When AutoPlay came out with Windows XP, the final action for some drive types changed. Instead of running a program, it would open AutoPlay. From Windows Vista, AutoPlay is part of almost everything related to media. There is no automatic running of the AutoRun task anymore.
Default settings in Windows XP and newer versions turned on AutoRun for removable drives. In Windows XP and higher (except Windows Server 2003), only unknown and network drive types are not active for AutoRun.
How the autorun.inf file is handled changes a lot between Windows versions. In Windows 7, only CD-ROM drives can start an AutoRun task. They are also the only ones that can change double-click behavior or context menus.
Computer Settings
AutoRun checks your computer's settings to decide if it should start actions for a drive. These settings can be changed in different ways. One way is using Group Policy.
The main settings are called NoDriveTypeAutoRunNoDriveAutoRun
Drive Types
Drives are grouped into types, like:
- Removable drives: Like USB flash drives.
- Fixed drives: Like your computer's hard disk.
- Remote drives: Like network drives.
- CD-ROM drives: For CDs, DVDs, or Blu-ray discs.
Changing Settings
You can change these settings directly using a tool called regeditreg.exe
These settings can also be changed using Group Policy. This can be done for one computer or for many computers in a network.
You might need to log out or restart your computer for the changes to work.
How Settings Are Used
The NoDriveAutoRunNoDriveTypeAutoRun
When deciding whether to start AutoRun, both settings are checked. If either setting says a drive should be turned off, then AutoRun is turned off for that drive.
NoDriveTypeAutoRun
This setting turns AutoRun on or off for all drives of a certain type. It reflects the setting of the related AutoPlay Group Policy. If this setting is not present, the default value is used. A setting for the whole computer will always override a setting for a single user.
This setting uses a special code. If a certain part of the code is set to 1, it turns off AutoRun for that type of drive. For example, setting all parts to 1 would turn off AutoRun for all types of drives.
The default setting for this depends on your Windows version.
NoDriveAutoRun
This setting turns AutoRun on or off for individual drives. It is not linked to a Group Policy and does not exist by default. If it's not present, the value is considered 0. A setting for the whole computer overrides a user's setting.
This setting uses a special code for each of the 26 drive letters (A to Z). If a part of the code is set to 1, it turns off AutoRun for that specific drive. For example, if the code is set to 0x8, AutoRun is turned off for drive D.
Group Policy
The only Group Policy settings for AutoRun affect the NoDriveTypeAutoRun
When a policy is Enabled, Group Policy adds the NoDriveTypeAutoRun
The names and locations of these policies can be a bit different between Windows versions. The list of settings is usually short. For example, on Windows 2000, turning off "Autoplay" for "CD-ROM drives" also turns off AutoRun for removable drives, network drives, and unknown drives.
You cannot use this setting to turn on AutoRun for drives that are off by default. You also can't turn off AutoRun for drives not listed. To turn off or on specific drives, you might need to edit the computer's settings manually.
Windows Vista, Windows Server 2008
In these versions, the policy to "Turn off Autoplay" can be set for CD-ROM, DVD-ROM, and removable drives, or for all drives.
Two other policies were added:
- Default behavior for AutoRun: This sets what happens when AutoRun commands are found in autorun.inf files. Before Windows Vista, programs would run automatically. From Windows Vista, AutoPlay opens and shows the AutoRun task as an option. If this policy is turned on, you can choose to completely stop autorun.inf commands. Or, you can make them run automatically like in older Windows versions.
- Don't set the always do this checkbox: If this policy is turned on, the "Always do this..." box in the AutoPlay window will not be checked by default.
Windows 7, Windows Server 2008 R2
In these Windows versions, an autorun.inf file can only start an AutoRun task or change how double-clicking works for CD-ROM drives. There are no policy settings that can change this. The policy locations are similar to Windows Vista. A new policy was added:
- Turn off Autoplay for non-volume devices: If this policy is on, AutoPlay will be turned off for devices that don't show up as drives.
Changing AutoRun Behavior
Pressing the Shift Key
If you hold down the Shift key at a certain point, Windows Vista will open the AutoPlay window. This happens even if other settings say it shouldn't. Older Windows versions will not run the AutoRun task. You must use the left Shift key. Holding the right Shift key for eight seconds does something else.
You need to hold Shift until Windows checks for it. This can take some time, especially for CD-ROMs to start spinning. It's not always a reliable way to stop AutoRun.
Auto Insert Notification
You can stop some "Media Change Notification" events by changing certain settings. For CD-ROM drives, this is called "Auto Insert Notification."
For CD-ROM drives, changing a specific setting to 0 will turn off Auto Insert Notification only for CD-ROM drives. You will need to restart Windows.
- 0 means it does not send a message.
- 1 means it sends a message.
In Windows 95/98/ME, you could change this setting in Device Manager.
Even though the setting is called "AutoRun," it only stops the message. This message does start AutoRun, but it also tells Explorer to update what it shows.
So, turning this off also stops AutoRun for CD-ROMs. But Explorer will not update its view when you put in a new CD. It will show the old CD's contents until you press F5. This can be confusing.
Because of this, you should not turn off the Media Change Notification message unless there's no other choice. You can turn off AutoRun for specific drives using Group Policy or other settings.
There's also a setting to stop the message for specific types of CD-ROM drives, like CD-ROM changers. This setting should not be changed from its default.
Editing Group Policy
You can stop AutoRun on certain drives using Group Policy. However, the Group Policy Editor is not available on Home versions of Windows XP. It also doesn't let you pick very specific drives.
Still, Group Policy is the usual way to turn off AutoRun for many computers in a network.
Registry Files
You can create a special file that, when run, makes changes to your computer's settings.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ffNote: The file should always end with a blank line.
In this example, AutoRun would be turned off for all drives and all users. You would need to run this as an Administrator. A restart would be needed for the setting to fully work.
Initialization File Mapping
Windows Vista and newer versions have a policy called "Default behavior for AutoRun." This can stop your computer from reading an autorun.inf file on any drive. This helps prevent harmful programs from using autorun.inf to infect your computer. Older Windows versions don't have this policy. But you can use a trick called "initialisation file mapping."
An autorun.inf file is a standard Windows settings file. Windows uses special commands to get its settings. These commands can be redirected. The following example shows how to make all autorun.inf settings come from a place that doesn't exist:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"Since this place doesn't exist, it's like the autorun.inf file has no settings. This applies to any autorun.inf file on any drive.
If you use this trick, installing software from a CD or DVD that usually auto-runs will no longer be automatic. You will need to look at the CD's autorun.inf file. Then, you'll have to manually run the correct installation program.
Safety and Problems
Microsoft knew that "code might run without you knowing." So, they released a "Fixit" tool to turn off AutoRun. This was for users who didn't want to change settings themselves.
The AutoRun Disable Problem
From Windows 2000 to Windows Server 2008, AutoRun settings were not handled correctly. This led to a security problem. Windows 95 and 98 were not affected.
When AutoRun is turned off, Windows should stop checking. But it still read any autorun.inf file it found. It did everything except actually starting a program or AutoPlay.
This meant you could still be attacked by harmful software. This software used the autorun.inf to change what happened when you double-clicked a drive. Double-clicking the drive icon could infect your computer. Even right-clicking and choosing "Explore" or "Open" was not safe. This is because these menu items could also be changed by the autorun.inf file.
This problem was fixed with several security updates.
Other Issues
- If your computer joins a network, the
NoDriveTypeAutoRun - Some programs might change AutoRun settings on purpose. Older CD burning software, like Roxio, was known to do this.
- If a security setting called "Restrict CD-ROM access to locally logged-on user only" is turned on, AutoRun might not work. Windows installers will also not work. This is because they won't be able to access the CD-ROM. This setting should be turned off (set to 0).
- RealPlayer 10 used to interfere with AutoPlay. This could make it seem like AutoRun or AutoPlay wasn't working at all.
How Attacks Happen
Harmful software has used AutoRun for a long time. Before Windows Vista, if you put in a CD-ROM, it would follow any autorun.inf instructions without asking you. This made fake CD-ROMs a way to infect computers.
Some audio CDs, which you wouldn't expect to have software, can also contain a data part with an autorun.inf. Some companies, like Sony BMG, used this to install harmful software. This software tried to stop you from copying the music.
U3 flash drives can act like a CD-ROM. This can make Windows run commands from the autorun.inf file on the fake CD-ROM.
Devices like the Huawei E220 modem use this method to install their drivers. However, plugging in a flash drive from an unknown source is risky. Tools like USB Switchblade make U3 flash drive attacks easy. Since attacks can be made with simple scripts, anti-virus software might not stop them. This could lead to your data or passwords being stolen.
With a normal flash drive, harmful software might try to trick you. It might make you click on a tempting item in the AutoPlay window. For example, a message promising free games could trick many users. Also, double-clicking the drive icon will automatically use the autorun.inf. Even advanced users could fall for this.
You can set AutoPlay to make choices for you. By checking the "Always do this" box, harmful software on a flash drive can run silently and automatically.
AutoRun harmful software has also been found on hard drives, digital picture frames, and other devices. Being careful with external devices is important for security. A 2011 Microsoft study found that 26% of all Windows computer infections were from USB flash drives. These used the AutoRun feature. Other reports also showed that autorun.inf abuse was a top threat in 2011.
Stopping Attacks
Besides basic safety steps, like:
- Not always using your computer with full Administrator powers.
- Installing all security updates.
You can reduce your risk by using Group Policy and other settings. Here are some ways:
- Turn off AutoRun (but remember the AutoRun disable problem).
- Use the "Default behavior for AutoRun" Group Policy in Vista to stop autorun.inf commands.
- Use initialization file mapping to make autorun.inf sections useless.
- In Windows 7, only CD and DVD drives can use autorun.inf to start programs. Windows XP and later can be updated to work the same way. This update was added to Windows Update in 2011. Now, Windows 7's AutoRun behavior is the default for all current Windows versions.
Microsoft also suggested these actions during the Conficker worm attacks:
- Stop autorun.inf from running on network drives by:
- Deleting any autorun.inf file from the main folder of a network drive.
- Preventing new files from being created in the main folder of a network drive.
- Stop the use of USB storage devices by:
- Using USB settings in your computer's BIOS.
- Using specific settings in your computer's system.
- Setting USB devices to read-only. This stops unknown harmful software from spreading and protects your data.
See Also
In Spanish: Autorun para niños
- AutoPlay
- autorun.inf
Images for kids
-
This image shows how the bits in the NoDriveTypeAutoRun setting work.
