
Using PowerShell to Protect Against Conficker (Enabling and Disabling AutoRun.inf)

On the front page of MSN.com today, there are details about a new worm, Conficker, that spreads using the good old-fashioned autorun.inf trick.  It infects USB drives so that, when you plug the drive into another computer, it automatically runs and infects that machine.  The article mentioned a post on Nick Brown’s blog that describes various ways to disable autorun.inf files and gives a .REG file for disabling autorun.inf.

Here’s the .REG file:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Recently, I’ve started to like taking small registry hacks and turning them into functions, so here’s a pair of functions that I wrote to automate this registry setting with PowerShell.

function Disable-AutoRun
{
    # Look for the IniFileMapping entry for AutoRun.inf; Get-Item returns nothing if the key is absent
    $item = Get-Item `
        "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf" `
        -ErrorAction SilentlyContinue
    if (-not $item) {
        # Create the key when it does not exist yet
        $item = New-Item "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf"
    }
    # Same setting as the .REG file: redirect AutoRun.inf lookups to a key that does not exist
    Set-ItemProperty $item.PSPath "(default)" "@SYS:DoesNotExist"
}

Here's Nick's explanation of how it works:

This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application. IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data (before the registry existed). In this case it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected.

In case you want to enable autorun again, you can use this function:

function Enable-AutoRun
{
    # Removing the mapping key restores the normal handling of AutoRun.inf
    Remove-Item "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf" -Force
}
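A check to go with the two functions above, as an added example that is not part of the original post: it reports whether the mapping is in place and, following Nick's explanation, also confirms that the redirect target key under HKEY_LOCAL_MACHINE\SOFTWARE does not exist, since creating that key would put autorun values back in play. The function name is my own; everything else follows the registry paths used in the post.

```powershell
function Test-AutoRunDisabled
{
    # Added example, not from the original post: verify the IniFileMapping mitigation
    $mapping = "REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\AutoRun.inf"
    $props = Get-ItemProperty $mapping -ErrorAction SilentlyContinue
    if (-not $props) {
        return New-Object PSObject -Property @{
            Disabled = $false
            Detail   = "IniFileMapping\AutoRun.inf key is missing"
        }
    }
    # The registry provider exposes the key's default value as the "(default)" property
    $value = $props.'(default)'
    if (-not ($value -match '^@SYS:(.+)$')) {
        return New-Object PSObject -Property @{
            Disabled = $false
            Detail   = "(default) is '$value', not an @SYS: redirect"
        }
    }
    # @SYS: names a subkey of HKLM\SOFTWARE; the mitigation only holds while that subkey is absent
    $target = "REGISTRY::HKEY_LOCAL_MACHINE\Software\" + $Matches[1]
    if (Test-Path $target) {
        return New-Object PSObject -Property @{
            Disabled = $false
            Detail   = "redirect target $target exists, so AutoRun.inf values could be read from it"
        }
    }
    return New-Object PSObject -Property @{
        Disabled = $true
        Detail   = "AutoRun.inf mapped to $value and the target key is absent"
    }
}

# Usage: Test-AutoRunDisabled | Format-List
```

Running it after Disable-AutoRun should report Disabled = True; after Enable-AutoRun it reports the key as missing.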

Hope this Helps,

James Brundage [MSFT]

Published Saturday, January 17, 2009 8:07 PM by PowerShellTeam


Comments

# re: Using PowerShell to Protect Against Conficker (Enabling and Disabling AutoRun.inf)

James, thanks for posting this.  It does seem that this solution, jointly found by my colleague Emin Atac and me, is the simplest way to stop worms on removable storage.  We rolled it out on our corporate network 15 months ago when these worms were just a minor annoyance, and I know from talking to other network administrators that this form of malware has become a major headache in the meantime.

Nick

Saturday, January 17, 2009 7:40 PM by Nick Brown

# re: Using PowerShell to Protect Against Conficker (Enabling and Disabling AutoRun.inf)

Thanks for the response Nick.  I hope you're finding PowerShell helpful in your enterprise.

James Brundage [MSFT]

Sunday, January 18, 2009 4:12 PM by PowerShellTeam

# Windows PowerShell Blog : Using PowerShell to Protect Against Conficker (Enabling and Disabling AutoRun.inf)

Thank you for submitting this cool story - Trackback from DotNetShoutout

Friday, January 23, 2009 10:11 AM by DotNetShoutout
