AutoRun changes in Windows 7

The Microsoft Security Response Center (MSRC) has announced changes to AutoRun in Windows 7.

Conficker and other malware currently take advantage of AutoRun as a spreading mechanism. AutoRun reads an autorun.inf file from the root of newly inserted media and is used to start a program automatically when a CD or other media is inserted into a computer. Its main purpose is to provide a software response to a hardware action that the user initiates.

In order to help prevent malware such as Conficker from spreading via the AutoRun mechanism, the Windows 7 engineering team made two important changes to the product:

  1. AutoPlay will no longer support AutoRun for non-optical removable media. In other words, AutoRun entries from autorun.inf will still be honoured for CDs and DVDs, but no longer for USB drives and other removable media. If an infected USB drive is inserted, the AutoRun task is simply not displayed. This blocks the growing social-engineering threat highlighted in the Microsoft Security Intelligence Report (SIR). The dialogs below show the difference users will see after this change. Before the change, the malware leverages AutoRun (box in red) to present an entry that imitates a legitimate AutoPlay option and confuse the user. After the change, the AutoRun entry is no longer shown, so the remaining AutoPlay options are safe.


    [AutoPlay dialog screenshots: before the change (left), after the change (right)]

  2. The AutoPlay dialog was changed to make clear that the program being executed is running from external media.


    [AutoPlay dialog screenshots: before the change (left), after the change (right)]
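Change 1 is about what an autorun.inf file can ask AutoPlay to do, and the red box in the screenshots is an AutoRun entry dressed up to look like a legitimate option. The Python below is an added example, not code from the article or from Microsoft: it parses a constructed autorun.inf in the style of that spoofed entry, flags the tricks that make the AutoRun item resemble the built-in "Open folder to view files" option, and models which AutoPlay entries a user would see for the same file before and after the Windows 7 change. The two sample files, the use of shell32.dll icon index 4 as the stock folder icon, and the simplified AutoPlay model are assumptions made for the example.

```python
"""Added example (not from the article or Microsoft): parse autorun.inf,
spot the AutoPlay look-alike tricks, and model the Windows 7 AutoRun change.

Assumptions (not stated on the page): the two sample files are constructed
for this example; shell32.dll icon index 4 is treated as the stock folder
icon; autoplay_entries() models only the rule the article states (AutoRun
honoured for optical media only on Windows 7), not the full AutoPlay logic.
"""
import re

# Constructed sample in the style of the spoofed entry in the screenshots:
# the AutoRun item copies AutoPlay's own "Open folder to view files" text and
# folder icon so the two entries look identical, and the drive's double-click
# verb is rerouted to the same executable. Not a real malware sample.
SPOOFED_INF = r"""[autorun]
; padding and junk lines are common in malware-authored files
open=recycled\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=recycled\setup.exe
shell=open
"""

# Constructed benign sample of the kind shipped on a product CD.
BENIGN_CD_INF = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
action=Install Product
"""

BUILTIN_VERB = re.compile(r"open\s+folder\s+to\s+view\s+files", re.I)
FOLDER_ICON = re.compile(r"shell32\.dll\s*,\s*4\s*$", re.I)


def parse_autorun_inf(text):
    """Parse the INI-like autorun.inf format into {section: {key: value}}.

    Tolerant on purpose: keys are lower-cased and any line that is not
    'key=value' (comments, binary padding) is skipped instead of rejected.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def spoof_findings(sections):
    """Reasons why an [autorun] section looks like it impersonates AutoPlay's
    built-in "Open folder to view files" entry (the red box in the article)."""
    ar = sections.get("autorun", {})
    launch = ar.get("open") or ar.get("shellexecute")
    findings = []
    if launch and BUILTIN_VERB.search(ar.get("action", "")):
        findings.append("action text copies the built-in AutoPlay verb")
    if launch and FOLDER_ICON.search(ar.get("icon", "")):
        findings.append("icon borrowed from the shell32.dll folder icon")
    if any(k.startswith("shell\\") and k.endswith("\\command") for k in ar):
        findings.append("drive verb rerouted via shell\\<verb>\\command")
    return findings


def autoplay_entries(sections, optical, windows7=True):
    """Model the AutoPlay menu. Before the change an 'open=' entry added an
    AutoRun item for any media; on Windows 7 only optical media keep it."""
    entries = ["Open folder to view files"]
    ar = sections.get("autorun", {})
    if ar.get("open") and (optical or not windows7):
        entries.insert(0, ar.get("action") or "Run " + ar["open"])
    return entries


if __name__ == "__main__":
    for name, inf in (("spoofed", SPOOFED_INF), ("benign CD", BENIGN_CD_INF)):
        parsed = parse_autorun_inf(inf)
        print(name, "findings:", spoof_findings(parsed) or "none")
        print("  USB, before Win7:", autoplay_entries(parsed, optical=False, windows7=False))
        print("  USB, Windows 7:  ", autoplay_entries(parsed, optical=False))
        print("  CD,  Windows 7:  ", autoplay_entries(parsed, optical=True))
```

For the spoofed file on a USB drive the pre-Windows 7 model yields two entries both reading "Open folder to view files", which is exactly the confusion the screenshots illustrate; the Windows 7 model drops the AutoRun entry and leaves only the real one, while the benign CD still gets its "Install Product" item because optical media keep AutoRun.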

For more information please visit the Windows 7 Blog.

52 Comments


Autorun can be good or bad, depending on how you see it.

I haven't tested the 7100 build I installed on my laptop yesterday, but hopefully this can be enabled on a per-user basis.

I never understood why Microsoft would have the OS attempt to run ANYTHING automatically like that.

Especially in XP - where the OS defaults to having your account:
- Be an Admin Account.
- Not have a password.
- No UAC of any sort.
- Execute anything inserted, regardless of how damaging it may be.

Gee, I wonder how they got such a reputation of poor security.

The problem is at that time they were thinking of convenience. Security wasn't as big of an issue as it is now. Versions prior to Windows XP didn't have this ability with removable non-optical media. I'm actually kinda glad to see it go too but I think this will spawn a new generation of U3 (ugh...) like devices.

What are you talking about? It didn't mention ANYTHING regarding running automatically. It just said that the "Install and Run" option can be spoofed to look like the "open the folder" option just because the icon and text looks identical. So they just removed it totally. It only runs automatically when the checkbox is ticked.

I don't understand why they do this for Win 7 since this is exactly what UAC is for. Years from now, people will forget and wonder why this OS does not have this simple feature.

Not sure I like this. CDs/DVDs are going away - flash is the distribution media of the future. Autorun is good for end users (what if they don't know to run setup.exe?). They should have tweaked the dialog to make it more obvious which options were being presented from the storage device instead of removing autorun altogether. Maybe if they moved the options from the device to the bottom, changed the font/color, and added some text about only selecting options from a publisher you trust.

This is just taking the easy way out. Instead of fixing the feature with the issue, they just removed the feature.

[sarcasm]You can get viruses from the Internet, why doesn't MS just remove support for the Internet from Windows 7?[/sarcasm]

If a user doesn't know to run setup.exe, they can read the install guide or manual like every other product humans buy.

All it takes is learning about setup.exe one time and a user knows to look for it for the rest of their computer using days. This is like arguing that a newbie might not know to push the left mouse button to select something.

What if it's not a setup.exe? What if there's a flash menu, video, related web site - there are all kinds of useful things you can put in to an autorun - now for flash media, it's all gone.

JonathanMarston said,
What if it's not a setup.exe? What if there's a flash menu, video, related web site - there are all kinds of useful things you can put in to an autorun - now for flash media, it's all gone.


There is one filename that has stuck with me for more than 15 years now, and it was traditionally the single most useful file for a first-time user of a program, and almost every set of installation media included one of these files. It housed related links, explanations of the different files and what you could do with them, contact information, and sometimes changes since the last version. It was always in the root, right next to setup.exe, install.bat, what have you. I learned about it at the very beginning, and even its name is pretty freakin' straightforward about what you should do with it. It wasn't uncommon to see the .txt extension changed to .1st, just to make it that much more clear.

Have a guess?

/everything else can be built into setup.exe
//if a developer wants to release software with an install executable named something other than setup or install, complain to HIM, not to Microsoft
///lord knows they didn't have any trouble sticking to the standard autorun.inf filename, setup.exe can't be too difficult

Sounds like a good improvement... I hope this feature comes to Windows Vista in an update... Sounds like a good step security wise. Especially considering how much effort they put into securing Vista...

ha.. they just kicked themselves in the butt. I've written a couple of autorun programs that are distributed on SD cards. One brings up and installs the Windows Mobile 6 sales kit for sales people at cell phone stores. The other was pretty much the same but for a particular cell phone company. While my client was not MS, their end client was.

yay, they are improving themselves.
I actually hope Windows 7 comes out in 2010 just so they can fix all bugs and exploits. Of course no off-the-shelf release is perfect, but considering an OS is complicated in itself, it's encouraging to see the confidence MS is having towards 7.

Microsoft seems to have had a long hard look at everything that was going to be in Windows 7 and they have done a magnificent job of trying to make everything good for the user of Windows 7.
The next iteration of Windows will have a hard job beating this one.

Just turn it off if you don't want it, it takes a few seconds in Vista.

In XP it was also fairly easy to do, easiest way was to install power tools from MS which had the option.

mmck said,
In XP it was also fairly easy to do, easiest way was to install power tools from MS which had the option.

If even many IT guys don't know (or care) about power tools, or more specifically about TweakUI, then you can't expect that the average Joe will be able to do such a task.

I think MS is obfuscating some worthy features on purpose.


VIVIsectVI said,
Sweet. Way to stay a decade behind the game Ubuntu.

Ubuntu started very, very late, so bashing like that is just a display of utter ignorance, so stop trolling.

rakeshishere said,
Conficker Worm Variant F(F***K) will take over Windows 7 machine in the future :P

You wrote it, didn't you?

The one in the red box is a fake message, it won't open the drive to view files, it runs the virus. They now made it so you can't run files, only open the drive to view its contents.

...should've, could've would've...
what is important is that they have, finally
Phew, it was even hard for me to say that, could M$ be warming my heart?

Yep, thank you Microsoft for hearing our feedback, because I always had problems with Vista's AutoRun and now they're fixed.