CSP-CERT® Resources:
Preventing Malware by disabling Autorun & AutoPlay in Windows using Control Panel and Local Group Policy Editor

by CSP-CERT® Blue Team
posted February 2018



In this article, we will see how we can protect ourselves from malware that spreads through flash drives and other media storage on Windows-based Operating Systems.

AutoPlay & Autorun features are enabled by default on a fresh Windows OS installation.

AutoPlay is a Windows feature that allows the setup file of programs or music/videos on a media device to start immediately.

Autorun, on the other hand, allows commands contained in the autorun.inf file of a storage device to execute. These are typically used to launch installation programs and other routines.

These two features are the reason why, upon plugging in a flash drive, CD/DVD or any other storage media on a freshly installed Windows OS, a prompt opens asking which action to take.

One of the common cases, when Windows XP and Vista were still popular, was the shortcut virus, which spread malware through flash drives shared by people in internet cafes, schools, etc.

Since Windows 7, Microsoft has changed how AutoPlay and Autorun function because some malware was taking advantage of their mechanisms.

AutoPlay and Autorun still work for CD/DVDs and other storage media, but they no longer work for USB storage drives (see Figures 1 and 2). Reference: https://blogs.technet.microsoft.com/srd/2009/04/28/autorun-changes-in-windows-7/


Figure 1: Plugging-in a Flash Drive with autorun executable on a fresh Windows 10 installation

Figure 2: Inserting a DVD on a fresh Windows 10 installation

In Figure 2, “Run setup.exe” is present, while in Figure 1 there is no such option.

All malware requires execution at some point, and adversaries can’t use these two functions as easily as in older versions of Windows. As a result, some USB drives now pose as a CD/DVD drive to ensure that AutoPlay & Autorun will work, thereby achieving execution if the user mistakenly runs the program from the AutoPlay pop-up.

To add an extra layer of security on a physical level, it is better to disable these two functions altogether for all types of removable media storage and to manually navigate through the storage media using Windows Explorer.

Disabling AutoPlay & Autorun

AutoPlay and Autorun can be disabled through the following:

1. Control Panel

Open Control Panel > Hardware > AutoPlay

  • Uncheck “Use AutoPlay for all media and devices”
  • Set the default action to “Take no action” for all types of devices
  • Click “Save”



2. Local Group Policy Editor

Open the Run prompt by pressing the “Windows + R” keys, type “gpedit.msc”, then press Enter to open the Local Group Policy Editor.



Upon opening the Local Group Policy Editor, navigate to the following:

Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies


Double click on each setting to configure it.
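
The AutoPlay Policies settings are stored as registry values, so the result can be verified from PowerShell. The script below is an added example, not part of the original article: the article does not list the individual settings, so the three policies and their values are an assumption based on the commonly recommended configuration, and the `-Fix` switch and function name are hypothetical.

```powershell
# Added example: audit (and with -Fix, set) the registry values behind the
# AutoPlay Policies settings. Run from an elevated PowerShell prompt.
param([switch]$Fix)

# Assumed target configuration: policy name as shown in gpedit.msc,
# registry location, and the value that disables the feature.
$checks = @(
    @{ Policy = 'Turn off Autoplay (All drives)'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoDriveTypeAutoRun'; Expected = 255 },
    @{ Policy = 'Set the default behavior for AutoRun (Do not execute any autorun commands)'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoAutorun'; Expected = 1 },
    @{ Policy = 'Disallow Autoplay for non-volume devices'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
       Name   = 'NoAutoplayfornonVolume'; Expected = 1 },
    @{ Policy = 'Control Panel: "Use AutoPlay for all media and devices" unchecked (current user)'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
       Name   = 'DisableAutoplay'; Expected = 1 }
)

function Test-AutoPlaySetting {
    param([hashtable]$Check)
    # A missing key or value means the setting is "Not configured".
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Name) } else { $null }
    [pscustomobject]@{
        Policy    = $Check.Policy
        Value     = $Check.Name
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        Compliant = ($actual -eq $Check.Expected)
    }
}

foreach ($c in $checks) {
    $result = Test-AutoPlaySetting -Check $c
    if (-not $result.Compliant -and $Fix) {
        # Create the key if it does not exist yet, then write the DWORD.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
        $result = Test-AutoPlaySetting -Check $c   # re-read to confirm
    }
    $result
}
```

Values written directly to the registry this way are not shown as configured in gpedit.msc, and a domain Group Policy can overwrite them at the next policy refresh.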








Although this article does not guarantee 100% security and safety from physical attacks via USB devices, it can help add a layer of security to your devices.

We hope that this article is helpful.