Solved

Worklet to disable any auto-run feature which allows file execution without user authorisation

  • 9 May 2023

I saw that this was supported by worklets in a Cyber Essentials Automox PDF; however, I can’t seem to find the worklet that it is describing.

Does this already exist?


Best answer by JohnG-Automox 12 May 2023, 18:32



Hi @Daniel Ballard!

 

Here is a worklet that you can use for disabling AutoRun on a device.

 

Evaluation Code:

<#

.SYNOPSIS
Windows - Configuration - Disable AutoRun

.DESCRIPTION
This worklet disables the AutoRun feature on a Windows device.
It will prevent programs from automatically running from an external drive when it is attached to a computer.
Because malware can exploit AutoRun, disabling it is recommended.

.NOTES
Author: John Guarracino
Date: May 10, 2023

.USAGE
Optional: The $regValue variable can be changed to block a specific drive type.

NoDriveTypeAutoRun is a bitmask, so the values below are hexadecimal and can be combined:
# 0x1  Disables AutoRun on drives of unknown type
# 0x4  Disables AutoRun on removable drives
# 0x8  Disables AutoRun on fixed drives
# 0x10 Disables AutoRun on network drives
# 0x20 Disables AutoRun on CD-ROM drives
# 0x40 Disables AutoRun on RAM disks
# 0xFF Disables AutoRun on all kinds of drives (255 in decimal)

The default value is 0xFF (255), which disables AutoRun on ALL drive types.

#>

#Change to the desired value (hexadecimal literal, so 0x10 is not mistaken for decimal 10)
$regValue = 0xFF

#Predefined variables
$regPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$regName = 'NoDriveTypeAutoRun'
#Current value of the policy, or $null when it is not set
$exists = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName

if ($exists -eq $regValue)
{
    Write-Output "AutoRun is already disabled. Now exiting."
    Exit 0
}
else
{
    Write-Output "The device is not compliant. Flagging for remediation."
    Exit 1
}

 

Remediation Code:

<#

.SYNOPSIS
Windows - Configuration - Disable AutoRun

.DESCRIPTION
This worklet disables the AutoRun feature on a Windows device.
It will prevent programs from automatically running from an external drive when it is attached to a computer.
Because malware can exploit AutoRun, disabling it is recommended.

.NOTES
Author: John Guarracino
Date: May 10, 2023

.USAGE
Optional: The $regValue variable can be changed to block a specific drive type.

NoDriveTypeAutoRun is a bitmask, so the values below are hexadecimal and can be combined:
# 0x1  Disables AutoRun on drives of unknown type
# 0x4  Disables AutoRun on removable drives
# 0x8  Disables AutoRun on fixed drives
# 0x10 Disables AutoRun on network drives
# 0x20 Disables AutoRun on CD-ROM drives
# 0x40 Disables AutoRun on RAM disks
# 0xFF Disables AutoRun on all kinds of drives (255 in decimal)

The default value is 0xFF (255), which disables AutoRun on ALL drive types.

#>

#Change to the desired value (hexadecimal literal, so 0x10 is not mistaken for decimal 10)
$regValue = 0xFF

#Predefined variables
$regPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$regName = 'NoDriveTypeAutoRun'
#Current value of the policy, or $null when it is not set
$exists = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName

if ($exists -eq $regValue)
{
    Write-Output "AutoRun is already disabled. Now exiting."
    Exit 0
}
else
{
    try
    {
        #Create the policy key if it is missing
        if (-not (Test-Path -Path $regPath))
        {
            New-Item -Path $regPath -Force -ErrorAction Stop | Out-Null
        }

        #-Force overwrites an existing value; -ErrorAction Stop sends failures to the catch block
        New-ItemProperty -Path $regPath -Name $regName -Value $regValue -Type Dword -Force -ErrorAction Stop
        Write-Output "AutoRun has been disabled."
        Exit 0
    }
    catch
    {
        Write-Output "An error has occurred:"
        $Exception = $error[0].Exception.Message + "`nAt Line " + $error[0].InvocationInfo.ScriptLineNumber
        Write-Output $Exception
        Exit 1
    }
}

 

This worklet will be published in the Worklet Catalog later today for ease of use, but until then, feel free to try and test out the code.

 

Let me know if you have any questions.

 

Have a great day!
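
To check what a chosen value actually covers, the sketch below decodes NoDriveTypeAutoRun against the six drive-type bits listed in the worklet's usage notes and reports any drive type the value leaves out. It is an added example, not part of the Automox worklet; Get-AutoRunGaps and $DriveTypeBits are hypothetical names, and the two sample masks are constructed.

```powershell
# Added example, not Automox code. Get-AutoRunGaps and $DriveTypeBits are hypothetical names.
# Drive-type bits of NoDriveTypeAutoRun, taken from the worklet's usage notes.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown type' }
    @{ Bit = 0x04; Name = 'Removable' }
    @{ Bit = 0x08; Name = 'Fixed' }
    @{ Bit = 0x10; Name = 'Network' }
    @{ Bit = 0x20; Name = 'CD-ROM' }
    @{ Bit = 0x40; Name = 'RAM disk' }
)

function Get-AutoRunGaps {
    # Returns the drive types whose bit is NOT set in $Mask,
    # i.e. the types this policy value does not disable AutoRun for.
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($entry in $DriveTypeBits) {
        if (($Mask -band $entry.Bit) -eq 0) { $entry.Name }
    }
}

function Format-AutoRunReport {
    # One-line summary for a label (where the value came from) and a mask.
    param([string]$Label, [int]$Mask)
    $gaps = @(Get-AutoRunGaps -Mask $Mask)
    $hex  = '0x{0:X2}' -f $Mask
    if ($gaps.Count -eq 0) { "$Label ${hex}: all listed drive types covered" }
    else { "$Label ${hex}: AutoRun not disabled for " + ($gaps -join ', ') }
}

# Constructed samples: removable drives only, then every drive type.
Format-AutoRunReport -Label 'sample' -Mask 0x04
Format-AutoRunReport -Label 'sample' -Mask 0xFF

# Live check of the key and value the worklet writes.
$regPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$regName = 'NoDriveTypeAutoRun'
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName

if ($null -eq $current) {
    "$regName is not set under $regPath"
}
else {
    Format-AutoRunReport -Label 'HKLM' -Mask $current
}
```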


Hi @Daniel Ballard,


Just an FYI here, this worklet is now published in the Worklet Catalog for your use!

 

It can be found with the name Windows - Configuration - Disable AutoRun

 

 

Have a great weekend!
