USB flash drives need a condom

Many Windows users are annoyed by the Autoplay feature. But Leo Notenboom recently explained why it is dangerous, rather than annoying.

Many of us, when we run across an unknown USB flash drive (a.k.a. thumb drive, pen drive, memory stick, etc.) will stick it in a computer to see what's on the thing. It's at this point that Autoplay can screw you big time.

Unlike with CDs, Autoplay on a USB flash drive will run a program immediately, no questions asked. Quoting Leo "USB Thumbdrives or flash drives are a non-obvious but easy way to spread malware." The only thing most malicious software needs is for you to run the program. The Windows Autoplay feature, for flash drives, hands this service to the bad guys on a silver platter.

The question posed to Leo was "I found a USB thumbdrive, plugged it in and now my system won't work. What happened?" His answer: the computer was probably infected with some type of malicious software.

To disable Autoplay totally, Leo suggests a free program from Microsoft for Windows XP called TweakUI. TweakUI is needed for Windows XP Home Edition users, but XP Professional can do this without the extra software (TweakUI will work on XP Professional).

The downloaded program, TweakUiPowertoySetup.exe, is only 146K. When you run the program it installs immediately, no questions asked, no decisions to be made. It does not create a desktop icon for itself, so you find it with Start -> All Programs -> Powertoys for Windows XP. To turn off AutoPlay system-wide, run TweakUI, start at My Computer -> Autoplay -> Types -> turn off the checkboxes.

Disabling Autoplay in Windows XP Pro with Group Policy

Windows XP Professional can disable Autoplay using the built-in Group Policy feature (see above). To invoke the Group Policy Editor, click the Start button, then Run and enter "gpedit.msc" without the quotes. Go to Computer Configuration -> Administrative Templates -> System. Scroll down to "Turn off Autoplay" and double click on it. It starts out in a "Not Configured" state. Click on the "Enabled" radio button, then for "Turn off Autoplay on" select "All drives"

Windows 2000

Windows 2000 does not, by default, Autoplay on USB flash drives. Nonetheless, it supports Group Policies that can be used to disable Autoplay system-wide. Quoting the operating system itself:

"By default, Autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. If you enable this policy, you can also disable Autoplay on CD-ROM drives, or disable Autoplay on all drives."

Disabling Autoplay in Windows 2000 with Group Policy

The procedure to disable Autoplay system-wide is very much like that in XP Professional. Click the Start button, then Run, and enter "gpedit.msc" without the quotes. Go to Computer Configuration -> Administrative Templates -> System. Scroll down to "Disable Autoplay" and double-click on it.

At this point, the terminology couldn't be any worse. What does it mean to disable the policy that disables Autoplay? Do two wrongs make a right? As shown above, enable the policy and then "Disable Autoplay on All drives."

Update: March 16, 2008: Just for good luck, make a Restore Point before changing the Autoplay default. See Four tips to using System Restore on Windows XP.

Update: March 17, 2008: Added section on Windows 2000.

See a summary of all my Defensive Computing postings.