Engineering Windows 7

Welcome to our blog dedicated to the engineering of Microsoft Windows 7

Improvements to AutoPlay

As mentioned before on this blog (regarding our UAC changes) and on the IE blog (regarding the SmartScreen® filter for malware), we have an increased focus to enable customers to be in control and feel confident about the software that they choose to run on their computers. Folks on this blog have also commented about the concerns they have specifically in the AutoPlay area. This blog entry addresses some of the changes that we have made to increase customer confidence when using their media and devices with Windows.  It is authored by Arik Cohen, a program manager on the Core User Experience team. –Steven  [Note: There was a technical problem so this post was reposted in its entirety.]

Certain malware, including the Conficker worm, has started making use of the capabilities of AutoRun to present a seemingly benign task to people; the task is actually a Trojan horse that gets malware onto the computer. The malware then infects future devices plugged into that computer with the same Trojan horse. For further information about Conficker please visit http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

In the following example for a USB flash drive that has photos, malware registers as the benign task of “Open folders to view files.” If you select the first “Open folders to view files” (circled in red), you would be running malware. However, if you select the second task (circled in green), you would be safe running the Windows task.

Infected USB AutoPlay

People are confused about why they have two tasks that appear to do the same thing, and even a knowledgeable person who is careful not to run software from an untrusted source can easily make the mistake of selecting the first task. As a result, people lose confidence and don’t feel in control.

A growing attack

While presenting an AutoRun task in AutoPlay has been available since Windows XP, we have seen a marked increase in the amount of malware that is using AutoRun as a potential method of propagation. According to the Security Intelligence Report, an enterprise study by Forefront Client Security found that the category of malware that can propagate via AutoRun accounted for 17.7% of infections in the second half of 2008 – the largest single category of malware infections.

The chart below shows the increasing amount of detection reports by Microsoft anti-virus software of the class of infections that spread via AutoRun. (Note: The actual method of infection cannot be determined.)

Infection Detections of Malware that Spread via AutoRun

Currently, disabling AutoPlay completely is the only solution for consumers and enterprises to gain confidence with the use of USB flash devices on their computer. Guidance on disabling AutoPlay is available here.

Increasing customer confidence

Windows 7 introduces key changes to AutoPlay that keep you from being exposed inadvertently to malware like Conficker when doing your common scenarios with devices (e.g., get to the files on your USB flash drive, download pictures from an SD card, etc.).

In particular, Windows will no longer display the AutoRun task in the AutoPlay dialog for devices that are not removable optical media (CD/DVD) because there is no way to identify the origin of these entries. Was it put there by the IHV, a person, or a piece of malware? Removing this AutoRun task will block the current propagation method abused by malware and help customers stay protected. People will still be able to access all of the other AutoPlay tasks that are installed on their computer.

With these changes, if you insert a USB flash drive that has photos and has been infected by malware, you can be confident that the tasks displayed are all from software already on your computer:

Infected USB AutoPlay after AutoPlay changes

On the other hand, if you insert a CD that offers software to install, Windows will still display the AutoRun task provided by the ISV during their media creation process. For example:

AutoPlay for a CD that offers an AutoRun Task

You will first see this updated AutoRun experience in the Windows 7 RC build, and we will be bringing this change to Vista and XP in the future.
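
The rule described above, as an added example that is not part of the original post and is not Windows code: a simplified Python model that parses an autorun.inf, flags an action caption that imitates the built-in task, and reports whether the AutoRun task would be offered for a given drive type. The drive-type labels, the caption list, the function names and the sample file are assumptions constructed for illustration.

```python
# Simplified model of the Windows 7 AutoPlay rule described in the post.
# Not Windows code: names, drive-type labels and the sample are constructed.

OPTICAL = "optical"      # CD/DVD, including CD emulation declared by the device
REMOVABLE = "removable"  # generic USB flash drive, SD card, portable hard drive

# Captions of the Windows task that a malicious entry may imitate
# (the post's wording plus the singular form).
BUILTIN_CAPTIONS = {"open folders to view files", "open folder to view files"}


def parse_autorun(inf_text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header, case-insensitive
            in_section = line.strip("[] \t").lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(inf_text, drive_type):
    """Describe the AutoRun task in inf_text and whether it would be shown."""
    entries = parse_autorun(inf_text)
    # Keys that cause something to be launched when the task is chosen.
    launches = {k: v for k, v in entries.items()
                if k in ("open", "shellexecute") or k.startswith("shell\\")}
    caption = " ".join(entries.get("action", "").lower().split())
    return {
        "has_autorun_task": bool(launches),
        # Windows 7 rule from the post: only optical media keep the task.
        "task_shown": bool(launches) and drive_type == OPTICAL,
        "imitates_builtin": caption in BUILTIN_CAPTIONS,
        "launches": launches,
    }


# Constructed sample; the file name is a placeholder.
SAMPLE_INF = """\
[AutoRun]
; constructed sample, not taken from real malware
action=Open folders to view files
open=placeholder.exe
"""

if __name__ == "__main__":
    for drive in (REMOVABLE, OPTICAL):
        print(drive, assess(SAMPLE_INF, drive))
```

An entry with imitates_builtin set is worth flagging on any drive type, since the rule only stops the task from being displayed and does not remove the file from the device.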

Ecosystem Impact

We are working with our ecosystem partners to help mitigate situations where this AutoRun change will have an impact on them.

CDs and DVDs (including CD emulation), where the IHV-specified AutoRun task is authored during manufacturing, will continue to provide the AutoRun choice, allowing customers to run the specified software. IHVs of generic mass storage devices should expect that people will browse the contents of the device to launch any software. The new behavior will allow customers to continue to use AutoPlay (including all Windows and ISV installed tasks) to access their media and devices while not being presented with tasks from malware. Additionally, device classes, such as portable media players and cell phones, now support Device Stage™ on Windows 7. Device Stage offers the IHV a multifunction alternative to AutoPlay where they can present links to software and common tasks, and provides additional features as you use the device.

As you try out the Windows 7 RC, we hope these changes will make you feel more confident and in control when using your media and devices.

-Arik Cohen

  • Hey Arik-

    Thanks for the write-up and advice.  We implemented a device using CD-ROM emulation for a flash drive and for the most part it works well.  My Autoplay.inf selections are launched successfully on XP, Vista, and Win7.

    I have noticed that on some laptops, if I insert the device immediately after docking the laptop to its docking station, Autoplay does not launch.  

    I used the Autoplay Diagnostic Tool attached to this article (http://msdn.microsoft.com/en-us/magazine/cc301341.aspx) and noticed that prints of "Just Docked -> No Autoplay!" are displayed.  I can still browse to the drive, right-click, and launch the Autoplay app.  If I wait for some time (several minutes) before inserting the device, Autoplay seems to work correctly.

    I'm not sure if you still follow this blog, but any insight into why the O/S is apparently disabling Autoplay for my use-case would be much appreciated.

  • I like this system.And I am using this system.It word powerful.

  • Thank you for the feedback.  I wanted to chime in directly on limulus's comment about GPRS modems.

    In our testing, most of the GPRS modems are not affected by the change because they expose their driver partition as an emulated CD drive.  This partition can continue to display an AutoRun task to you.  For example, the TRU-Install driver installation used by many of these devices like the Sprint Compass 597 or O2 Compass 885 continues to run without any changes.  

    Because a particular device must declare itself as an emulated CD drive in the firmware of the device, we can trust that the IHV has done that for the purpose of exposing the device content like their physical installation CDs and malware cannot cause a generic USB flash drive to mimic this experience.

    - Arik Cohen

  • There is a bug since Windows Vista with AutoPlay: if a folder named Autorun.inf exists in the root of a flash drive, Windows Explorer doesn't show the drive label at all, but lets you change it if you set a new one in drive properties (and will still show an empty label the next time properties are opened). So, the user can't see the label at all (even in Disk Management), but third-party software (e.g. Total Commander) shows the right drive label anyway.

  • Does anyone know whether this update gets downloaded automatically and as a mandatory update or optional update? I have a few machines that behave differently on this KB. Any info would be much appreciated.

  • What if we want to have a portable program (such as 2-way sync) to auto run? can we still do that?

  • good..but autoplay itself is not popping out on my windows 7 64 bit home premium..what should i do??

  • i hope it's not an attack on my magic jack ,it's like maybe i should take wait and see stance fer now

  • I installed 971029 on a 64 bit Vista pc and after install it would not come back up. Booted in safe mode, uninstalled it and PC boots OK

  • Typical M$ arrogance

     Make it a CHOICE. Let US decide how to setup autoplay when and as we want to

    CHOICE !!

    OUR way NOT M$'s !

    "A function or feature without an on-off switch is just a bug that needs to be fixed by the addition of an on-off switch"

  • So your USB flash drive has a nasty program on it. Autorun.inf will no longer work so you explore the drive and run the nasty program anyway. Therefore the solution is for Microsoft to remove the functionality to run programs!

    Now here is the solution. Everyone running Windows has to be running an antivirus program right? That will capture the nasty program whether it's run manually or from autorun.inf. No need to have done this. Restore autorun feature please.

    This backward step IMHO does nothing for security and just removes what was a very useful facility.

  • While this does fix the problem it is unfortunate for users such as myself who use AutoRun legitimately.  I use AutoRun to launch different applications on my portable hard drive and this "solution" is inconvenient.  Please add the option to disable these changes in the control panel or perhaps add a whitelist as soumyasch suggested below.
