Engineering Windows 7

Welcome to our blog dedicated to the engineering of Microsoft Windows 7

Improvements to AutoPlay

Improvements to AutoPlay

  • Comments 59

As mentioned before on this blog (regarding our UAC changes) and on the IE blog (regarding the SmartScreen® filter for malware), we have an increased focus to enable customers to be in control and feel confident about the software that they choose to run on their computers. Folks on this blog have also commented about the concerns they have specifically in the AutoPlay area. This blog entry addresses some of the changes that we have made to increase customer confidence when using their media and devices with Windows.  It is authored by Arik Cohen, a program manager on the Core User Experience team. –Steven  [Note: There was a technical problem so this post was reposted in its entirety.]

Certain malware, including the Conficker worm, have started making use of the capabilities of AutoRun to provide a seemingly benign task to people – which masquerades as a Trojan Horse to get malware onto the computer. The malware then infects future devices plugged into that computer with the same Trojan Horse. For further information about Conficker please visit http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

In the following example for a USB flash drive that has photos, malware registers as the benign task of “Open folders to view files.” If you select the first “Open folders to view files” (circled in red), you would be running malware. However, if you select the second task (circled in green), you would be safe running the Windows task.

Infected USB AutoPlay
Infected USB AutoPlay

People are confused why they have two tasks that appear to do the same thing – and even a knowledgeable person who is careful not to run software from an untrusted source can easily make the mistake of selecting the first task. As a result, people lose confidence and don’t feel in control.

A growing attack

While presenting an AutoRun task in AutoPlay has been available since Windows XP, we have seen a marked increase in the amount of malware that is using AutoRun as a potential method of propagation. According to the Security Intelligence Report, an enterprise study by Forefront Client Security found that the category of malware that can propagate via AutoRun accounted for 17.7% of infections in the second half of 2008 – the largest single category of malware infections.

The chart below shows the increasing amount of detection reports by Microsoft anti-virus software of the class of infections that spread via AutoRun. (Note: The actual method of infection cannot be determined.)

Infection Detections of Malware that Spread via AutoRun

Infection Detections of Malware that Spread via AutoRun

Currently, disabling AutoPlay completely is the only solution for consumers and enterprises to gain confidence with the use of USB flash devices on their computer. Guidance on disabling AutoPlay is available here.

Increasing customer confidence

Windows 7 introduces key changes to AutoPlay that keep you from being exposed inadvertently to malware like Conficker when doing your common scenarios with devices (e.g., get to the files on your USB flash drive, download pictures from an SD card, etc.).

In particular, Windows will no longer display the AutoRun task in the AutoPlay dialog for devices that are not removable optical media (CD/DVD.) because there is no way to identify the origin of these entries. Was it put there by the IHV, a person, or a piece of malware? Removing this AutoRun task will block the current propagation method abused by malware and help customers stay protected. People will still be able to access all of the other AutoPlay tasks that are installed on their computer.

With these changes, if you insert a USB flash drive that has photos and has been infected by malware, you can be confident that the tasks displayed are all from software already on your computer:

Infected USB AutoPlay after AutoPlay changes

Infected USB AutoPlay after AutoPlay changes

On the other hand, if you insert a CD that offers software to install, Windows will still display the AutoRun task provided by the ISV during their media creation process. For example:

AutoPlay for a CD that offers an AutoRun Task

AutoPlay for a CD that offers an AutoRun Task

You will first see this updated AutoRun experience in the Windows 7 RC build, and we will be bringing this change to Vista and XP in the future.

Ecosystem Impact

We are working with our ecosystem partners to help mitigate situations where this AutoRun change will have an impact on them.

CDs and DVDs (including CD emulation), where the IHV specified AutoRun task authored during manufacturing, will continue to provide the AutoRun choice allowing customers to run the specified software. IHVs of generic mass storage devices should expect that people will browse the contents of the device to launch any software. The new behavior will allow customers to continue to use AutoPlay (including all Windows and ISV installed tasks) to access their media and devices while not being presented with tasks from malware. Additionally, device classes, such as portable media players and cell phones, now support Device Stage™ on Windows 7. Device Stage offers the IHV a multifunction alternative to AutoPlay where they can present links to software and common tasks, and provides additional features as you use the device.

As you try out the Windows 7 RC, we hope these changes will make you feel more confident and in control when using your media and devices.

-Arik Cohen

Leave a Comment
  • Please add 8 and 4 and type the answer here:
  • Post
  • I believe this solution disables functionality used by millions of users (the ability to easily start legitimate software installed on portable devices like the PortableApps.com Platform) while still leaving a vulnerability that has been used in the past (malware autorunning from CDs/DVDs like Sony's malicious software fiasco).

    A better solution would be to check for signed code.  This could be easily accomplished using the existing infrastructure (including revoking remotely) and presented to the user simply with a minimum of coding changes.

    I've put together a complete proposal with the details and screenshots here:

    http://johnhaller.com/jh/useful_stuff/windows_7_autoplay/

  • This has been a part of Windows functionality for over a decade. While a few mal-ware proponents have taken liberty with Autoplay and Autorun functionality, many more actual customers and users have found it a boon.

    I agree that security and having confidence in the Windows environment is paramount, however it just seems like you're "throwing out the baby with the bathwater" here.

    The Dev Team sure is proud of their "deep insight" features, why not apply that same thinking to AutoPlay? In the dialog, add visual indicators regarding the validity (digital sig's anyone?) of the executables. Your illustration--with the red and green outlines--seems to be an excellent start; why not grow on that concept?

    "Spoofs" are easy to detect, since they are mocking the appearance of the UI defaults... we don't even need WinDefender to check it, it's obvious because it's a copy-cat!

    (Nodding to others in the thread) Regarding selective AutoPlay actions with respect to individual media; for anyone that works with more than 10 different removable drives in the course of a day, picking specific behavior for each drive could surely be a boon. Moreover, eliminating AutoPlay framework for removable/re-writable media would impact a significant portion of IT professionals that have crafted independent (sometimes ingenious) solutions around that framework.

    AutoPlay was conjured-up in the age of the CD-ROM... well before the advent of flash-memory media. The problem has been that the AutoPlay framework "stood still" while a wave of removable media washed over the industry; today, there's just as much a chance that users will insert USB key drives or card-readers than a CD-ROM or DVD. AutoPlay should reflect that fact, as well as anticipate potential abuses.

    Re-consider this move; have you really come all this way just to axe an idea that was introduced before its time?

  • It's good that you have removed AutoPlay, but could you please also return the option "Do nothing" in this windows? It was in Win XP. Theoretically, there also was a possibility to remember this choice (did not work always, though). But not in Vista, nor in Win 7. Why? It's *terribly* annoying. Why I insert my flash drive I do not want _any_ windows to appear. Return this option, please.

  • I noticed that Internet Explorer 8 automatically checks the hashes of any file downloads, and can block potentially suspicious files. Would it be a better idea to have a similar implementation for the Auto-Play feature?

  • Here's a pretty simple idea that I'm surprised no one has mentioned yet.

    Why don't you just disallow anyone from creating an AutoRun/AutoPlay option that is named "Open folder to view files"? (or other variants/languages)

    Prevent ASCII or those ALT+keypad codes or any other workaround, and that should reduce the chances of anyone mistaking file execution from file viewing.

  • For me, it would be nice if there's an option to run anti-virus scan on autoplay.

  • The problem has been that the AutoPlay framework "stood still" while a wave of removable media washed over the industry; today, there's just as much a chance that users will insert USB key drives or card-readers than a CD-ROM or DVD. AutoPlay should reflect that fact, as well as anticipate potential abuses.

  • There still remains the kind of malware who hide the folders and create some executables files named accordingly to the hidden folders. For that, it would be nice to have a way to differentiate an executable file from the others !

  • I think that a serious problemis the fact that the autoplay framework feature basically froze which a torrent of removable media flooded the market. It is in need of a complete overhaul, I hope to see this in the newly released version of windows.

  • As limulus mentioned, it will break some software, like for instance a usb stick (with CDrom partition)which launches a screenreader for blind people. Under XP, when the user plugs the USB stick, the software is automagically launched without further action, so even a blind people can run it. Now, under W7, it will require the user to click a button... err remember, he's blind !

    What do you suggest ?

    We cannot require that his computer (potentially it could be a public computer) is preconfigured to "always run" the software from CD.

  • The biggest and easiest improvement to the AutoRun/AutoPlay feature would be an easy and reliable way to turn it off completely. This feature is hugely annoying and a security hole, why is there no checkbox in the control panel to do ABSOLUTELY NOTHING when a new drive is connected?  Like, completely and absolutely, no exceptions, no content handlers, no autoinstalls, no nothing. When it's not possible, I feel that I am simply not in control of my own PC, and this absolutely sucks and makes me want to install Ubuntu.

    I don't want the Windows Explorer to hand-hold me, just don't look into my disks until I've told you to, how hard is that? On the Vista, you have to install a patch to be able to disable it, can it get any worse? Why am I not in control of my own PC?

  • Great stuff.That sounds pretty cool. Really helpful thanks for the Article, Great job, hope we can expect more advanced....

  • So THIS is why my grandmother can no longer plug in her digital camera with her USB cord and have her once smart computer upload her pictures for her.  You have just made her life about 600% harder.  Manually navigating to her pictures is a bit of a difficulty for her at her advanced age, especially when her computer used to do the hard work for her.

    She is at NO RISK of getting viruses or malware from her own camera.  So how can I fix this horrible "all or nothing" solution you've implemented?  She just wants her camera to automatically retrieve her pictures like it has done for years!

  • I don't see why there cannot just be a warning dialog which you are unable to disable if third party software is selected to run. Something like, "WARNING, you are attempting to run third software that cannot be verified by Microsoft and could potentially spread a virus. Only continue if you are sure this software is virus free".

    I run my own software from a USB key on a touch screen EPOS systems to assist with the set up and prep of the POS. With no mouse and no autorun it makes the job more difficult.

    Another idea would be to word the option "Run Unverified <program name> .exe" where the only changable wording is the <program name>.

  • I don't like that this feature has been completely removed. There should be an option to enable it for specific devices and specific software that has been approved by the system administration.

    P.S. Is it on purpose that the posting comments function is not working in Firefox because the code is not displayed.

Page 3 of 4 (59 items) 1234