How to Disable Windows Autorun

How to Disable Windows Autorun


Windows operating systems have two similar features called autorun and autoplay. Autorun first appeared as a feature in Windows 95. When you insert removable media (such as a CD) in your computer, the autorun feature automatically runs a program on the removable media. Autoplay appears with Windows XP and allows a user to select which program to use with different sorts of media. Autoplay seeks input from the user as to which program to use in association with different media; autorun is responsible for running that program once the user indicates their preference.


These features, unfortunately, have become a popular way of distributing malware to laptops and other computing devices. Best practices recommend disabling the autorun feature.

Advantages and Disadvantages of Recommended Solution

Several procedures are available for disabling the autorun feature. All claim to be effective. The principle advantage of following the procedure below is that you will prevent your laptop or other computing device from being compromised via any exploit that involves the autorun feature. The chief disadvantage is that software on external media, such as CDs, DVDs, or USB keys, will no longer run automatically when the external media is inserted in your computer. You will have to use Windows Explorer to open the drive and manually double-click the software program that would have run automatically otherwise. As always, you should exercise caution when working with external media. Scan the media using your antivirus program before opening (double-clicking) on any program that comes with the media.

Recommended Solution

To disable the Windows autorun feature, follow the instructions below from the Canadian Cyber Incident Response Centre (CCIRC). The procedure is given here as a convenience to users. The procedure, along with other useful notes, can be found on the CCIRC site (see Disabling Autorun). Note that although Microsoft recommends a different procedure, the CCIRC claims that even after downloading the Microsoft fix, it still allows parts of the autorun.inf (which contains the directions for autorun) to execute.


To block all autorun.inf files from executing, which can be applied as a global policy by changing the registry keys, perform the following step:

  • Start Notepad.
  • Copy the following text below and paste it into Notepad. Everything between the square brackets should be on one line.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
  • Save the file with the name NoAutoRun.reg. Make sure to include the .reg extension.
  • Right click on your .reg file and choose Merge. Confirm any warning prompts to add the information to the registry.
    • Alternately, you can use the following command: REG IMPORT NoAutoRun.reg.
  • Restart computer.

Changing this registry key will prevent any part of the autorun.inf file to execute, even if the computer has seen the device before the registry change and has it cached in the MountPoint2 key. It also disables the autorun features without causing other negative side effects. CCIRC recommends this procedure as an effective solution, especially in a corporate network.

It should be noted that CERT CC updated their recommendations for disabling autorun to include deleting the MountPoint2 registry key along with adding SYS:DoesNotExist. This is because they have found that even with the SYS:DoesNotExist key added, a cached entry in the Mountpoint2 key will still override it and cause autorun to launch. Through our extensive testing, we were unable to replicate this and as a result, CCIRC still recommends adding only the SYS:DoesNotExist registry.

CCIRC does not currently recommend deleting the MountPoint2 registry key because of the lack of information available on it.

For further reading:

US-CERT: Microsoft Windows Does Not Disable AutoRun Properly

US-CERT: The Dangers of Windows AutoRun

Microsoft: Update for Windows XP (KB950582)

Microsoft: Microsoft Security Advisory (967940): Update for Windows Autorun

Canadian CIRC: Disabling Autorun

F-Secure: Social Engineering Autoplay and Windows 7