Computer Forensics

Data Acquired and Frozen

Browsing Posts in Tips n Tricks

A quick way to completely prevent any AUTORUN.INF from auto-executing is to deceive Windows into thinking that every autorun.inf it encounters has no content.

All you have to do is save these three lines to a .reg file and execute it.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

What happens internally is: “Whenever you (Windows) have to handle a file called AUTORUN.INF, don’t use the values from the file. You’ll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\…\=@DoesNotExist.” Since that key does not exist, it’s as if AUTORUN.INF were completely empty, so nothing autoruns and nothing is added to the Explorer double-click action. Hence worms with such a design cannot get in unless you start double-clicking executables to see what they do, in which case you deserve to have your PC infected.


One of the easiest ways of getting your computer infected is by sharing an actively infected pen drive or memory stick. When you insert a memory stick or a CD, Windows looks for a file called “autorun.inf” in the device’s root directory. If it is found, Windows tries to execute it. Malware can easily create this file to help in its replication. A Windows registry setting controls whether the autorun.inf file is read or not. To change the setting:

Save this content in a .reg file and execute it.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095

After this information is added to the registry, Windows no longer checks for autorun.inf when you insert a device. However, if you double-click the drive letter in “My Computer”, the autorun.inf still executes.
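The following audit script is an added example, not part of either post above: it checks whether the two mitigations (the IniFileMapping redirect from the first post and the NoDriveTypeAutoRun policy from the second) are actually in place on a machine, and decodes the NoDriveTypeAutoRun bitmask so you can see which drive types the value really covers. The bit meanings follow Microsoft's documentation for this value; the function names are my own.

```powershell
# Added audit script (not from the original posts): report the state of the
# two autorun mitigations described above and decode NoDriveTypeAutoRun.
$iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$policyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # wins when present
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # what the .reg above sets
)

# Documented bit meanings of NoDriveTypeAutoRun (a set bit DISABLES autorun).
$driveBits = [ordered]@{
    0x01 = 'drives of unknown type'
    0x04 = 'removable drives (USB sticks)'
    0x08 = 'fixed drives'
    0x10 = 'network drives'
    0x20 = 'CD-ROM / DVD drives'
    0x40 = 'RAM disks'
    0x80 = 'drives of unknown type (second flag)'
}

function Test-AutorunIniMapping {
    # True only when Autorun.inf is redirected to a registry key that does not
    # exist, which is what the first .reg file above sets up.
    if (-not (Test-Path $iniMap)) { return $false }
    $target = (Get-ItemProperty -Path $iniMap).'(default)'
    if ($target -notmatch '^@SYS:(.+)$') { return $false }
    # "@SYS:" is relative to HKLM\SOFTWARE. The redirect only neutralises
    # autorun.inf if that key is genuinely absent, so verify it.
    return -not (Test-Path ('HKLM:\SOFTWARE\' + $Matches[1]))
}

function Get-NoDriveTypeAutoRun {
    foreach ($p in $policyPaths) {
        $v = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [int]$v.NoDriveTypeAutoRun }
    }
    return $null   # not set anywhere: the Windows built-in default applies
}

$mask = Get-NoDriveTypeAutoRun
if ($null -eq $mask) {
    Write-Host 'NoDriveTypeAutoRun: not set (built-in default applies)'
} else {
    Write-Host ('NoDriveTypeAutoRun: 0x{0:X2}' -f $mask)
    foreach ($bit in $driveBits.Keys) {
        $state = if ($mask -band $bit) { 'DISABLED' } else { 'allowed ' }
        Write-Host ('  {0}  0x{1:X2}  {2}' -f $state, $bit, $driveBits[$bit])
    }
}
Write-Host ('Autorun.inf IniFileMapping redirect in place: {0}' -f (Test-AutorunIniMapping))
```

Run it in an elevated PowerShell after applying either .reg file; decoding the second post's value 0x95 shows it covers removable, network and unknown drive types but leaves the CD-ROM bit (0x20) clear, so the IniFileMapping redirect from the first post is the more complete of the two.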
