Condividi tramite


The Case of the Missing AutoPlay

 I’ve been presenting talks on Windows Vista kernel changes since TechEd US in the summer of 2006 and one of the features I cover in the session is ReadyBoost, a write-through disk caching technology that can potentially improve system performance by leveraging flash media as a disk cache. I explain ReadyBoost in depth in my TechNet Magazine article, “Inside the Windows Vista Kernel: Part 2”, but the basic idea is that, since flash has significantly better random access latency than disk, ReadyBoost intercepts disk accesses and directs random-access reads to its cache when the cache holds the data, but sends sequential access to directly to the disk. During my presentation, I insert a USB key, whereupon Windows displays an AutoPlay dialog that includes an option to configure the device for ReadyBoost caching:

 

The first time I gave the talk, the demonstration went flawlessly, but in subsequent deliveries I didn’t get the AutoPlay experience. I would notice the lack of AutoPlay as I ran through the demonstrations before a session, but was always pressed for time and so couldn’t investigate. As a workaround, I would manual open the properties dialog of the device’s volume after insertion to show the ReadyBoost page that’s displayed when you click on the “Speed up my system” link on the AutoPlay dialog.

The last time I presented the session, at TechEd/ITforum in Barcelona in November, I had some extra time beforehand so I decided to find out why AutoPlay wasn’t working. The first thing I did was to check the AutoPlay settings, which you configure in the AutoPlay section of the Control Panel’s Hardware and Sound page. Some of the entries were set to “Ask me every time”, which shouldn’t have had any effect, and even after resetting to the defaults, AutoPlay still didn’t work:

 

At this point I had to look under the hood at an insertion’s associated Registry and file system activity to see if that would reveal the reason why Explorer wasn’t honoring the Control Panel’s AutoPlay settings. I ran Process Monitor, configured the filter to include Explorer’s Registry operations, and re-inserted the key. Then I stopped the capture and looked at what Process Monitor had collected.

A staggering 22,000 events meant that scanning through the trace event-by-event would take hours and there were no obvious error codes to search for, so I had to think of some keyword that might lead me to the relevant lines. I first searched for “autoplay”, but came up empty. I knew that Explorer looks for a file named Autorun.inf in the root directory of removable media volumes, which can contain pointers to an icon to show for the volume and an executable that launches when the user double-clicks on the volume, so I next searched for “autorun”. The first hit didn’t look interesting because it referred to the volume’s mount-point GUID, information that Windows generates dynamically when it notices a new volume:

 

The next hits were just a few entries later and all referred to values that store Group Policy settings:

 

The queries of the first two locations resulted in NAME NOT FOUND errors, indicating that the policies weren’t defined, but a query of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun was successful. Process Monitor showed the value Explorer had read in the Details column:

 

I didn’t know how to interpret a setting of 255, so I executed a Web search for “nodrivetypeautorun” and found a page in the Windows 2000 Resource Kit that describes the value as a bitmask specifying which device types have AutoPlay disabled. A value of 255 decimal (0xFF hexadecimal) disables AutoPlay on all devices:

 

I used Process Monitor’s Jump-To functionality to launch Regedit and navigate directly to the value, opened the value editor, and changed the setting to 0 to enable AutoPlay on all devices. Next I had to test the change. I removed and reinserted the key and, to my satisfaction, the AutoPlay dialog appeared. Note that on Windows Vista, AutoPlay no longer means "automatically execute what's in Autorun.inf", but rather, "show me my options", so I wasn't introcuding a potential security issue.

The case was almost closed, but I had one detail to wrap up. AutoPlay was disabled on my system by the Group Policy configuration of the Microsoft domain to which the system is joined. That explained why the demonstration had worked for the first few times: my first deliveries of the session were before I had joined Microsoft. It also meant that the value would get restored to its previous setting the next time I logged on and Group Policy reapplied the domain’s configuration. If I happened to logon before the session the demonstration would break again.

There’s no way to opt out of Group Policy updates short of removing the system from the domain or never connecting to the domain. However, because I have local administrative rights, I realized that I could prevent Group Policy from changing the value by setting the permissions on the policy’s key such that Group Policy wouldn’t have permission to do so. Group Policy processing occurs in the Local System account, so I opened Regedit’s permissions editor and removed write access for the Local System account:

 

I was now confident that the demonstration would work for my current delivery of the Vista Kernel Changes session, as well as any future ones, and I closed the case. Besides highlighting Process Monitor’s usefulness for uncovering a root cause, this example also illustrates the power of local administrative rights. A local administrator is the master of the computer and is able to do anything they want, including circumventing domain policies, something I covered in a previous blog post, and that's just one more reason enterprises should strive to have their end users run as standard users.

Comments

  • Anonymous
    January 01, 2003
    I recently inserted a 2GB SD card on this computer for the first time, but the ReadyBoost tab of the drive's Properties dialog continued to show "Do not use this device" selected - or some text that indicated the drive was too small.  I don't remember the specifics now, but the problem was that I had been using an SD card that didn't have enough capacity to support ReadyBoost.  That eventually set an option to stop checking for ReadyBoost compatibility.  I needed to manually override that option in the Properties dialog.

  • Anonymous
    January 01, 2003
    John: I wasn't aware of the autoplay repair wizard. Everyone: Thanks for the feedback. November and December were very busy months. I'll try to keep the blog regularly fed and I have a bunch of posts planned.

  • Anonymous
    January 01, 2003
    Who's copying who? :-)

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Wow, someone who wants autoplay, which does both of the following IIRC: Autodetecting new hardware and possible offering action choices....neat feature for some, distracting and annoying to others. Autorunning arbitrary content....umm Security? The settings of these two functions should be separate.  :)

  • Anonymous
    January 01, 2003
    @unfortunate:  most computers that are joined to a domain administered by others are not usually the personal property of the computer user, but are instead tools provided by an employer so that the user can do the job he or she is being paid to do.  Such users should have no expectation to be told of every configuration change or policy setting unless they need to know it to do their jobs.

  • Anonymous
    January 03, 2008
    Excellent, informative post, as always.  

  • Anonymous
    January 03, 2008
    The comment has been removed

  • Anonymous
    January 03, 2008
    The comment has been removed

  • Anonymous
    January 03, 2008
    Nice catch. I'll come into your cubicle first thing on Monday and remove your Administrator rights. You will also have your coffee machine rights suspended for a week for laughing in the face of company policy.

  • Anonymous
    January 03, 2008
    You don't really want to set it to 0 - you want to set it to the default value of 0x91 (under XP at least - see MSKB 895108) Otherwise it'll be enabled on floppy drives & network drives. In older versions of Windows (Windows 95) this meant that when you opened My Computer, you had to wait for it to scan these drives for autorun.inf in case they had an icon file entry - hardly ideal! Not sure if this is still the case for XP but it might be.

  • Anonymous
    January 03, 2008
    I think it's unfortunate that group policy settings are automatically applied without the user's knowledge or consent. I had no idea my registry settings were being modified by some external process. It would be helpful to present some kind of confirmation dialog, outlineing exactly what is changing on your computer.

  • Anonymous
    January 03, 2008
    The comment has been removed

  • Anonymous
    January 03, 2008
    Christopher Hill: "In older versions of Windows (Windows 95) this meant that when you opened My Computer, you had to wait for it to scan these drives for autorun.inf in case they had an icon file entry - hardly ideal!" Shhhh. I was looking forward to "The Case of the Unexplained Network Pauses."

  • Anonymous
    January 03, 2008
    Regarding AutoPlay, why was the SHIFT override feature removed in Vista? It was very handy.

  • Anonymous
    January 03, 2008
    The comment has been removed

  • Anonymous
    January 03, 2008
    Unfortunate: Acknowledgment is okay, but consent is not. Just imagine what corporate IT departments will think if they suddenly found Microsoft enables random staffs to bypass their restrictions...

  • Anonymous
    January 04, 2008
    It's great to see you back Mark. Great post as usual. For a second there I thought you had decided to become a hermit and relocate to Antarctica :-)

  • Anonymous
    January 04, 2008
    The comment has been removed

  • Anonymous
    January 06, 2008
    I see you take care of many interesting cases. What about screen saver, that sometimes just doesn't start, even it is set properly? Or power management system, which disables "Turn off monitor after..." whenever it likes. There are so many annoying things like this in Windows... or Explorer which hangs while searching for thumbnails for some files (video files but not only). Well, I hope all things you've found will be corrected in future fixes for Windows:)

  • Anonymous
    January 06, 2008
    Nice post. Its always good to hear how you tackle a process monitor dump, the sheer number of entries does make it difficult sometimes.

  • Anonymous
    January 09, 2008
    Nice post. But some remarks require an answer

  1. "A local administrator is the master of the computer and is able to do anything they want" Exactly! And as long as there is no need no normal user should require these privileges. But sometimes it is necessary, just as this case shows. You wouldn't be able to show the greatness of ReadyBoost!
  2. "just one more reason enterprises should strive to have their end users run as standard users" That's just what MS wants us to be! Stupid end-users depending on the benevolence of allmighty companies/governments.
  • Anonymous
    January 11, 2008
    Great post as always. Hey, are you channeling SecurityMonkey over at ITT? http://blogs.ittoolbox.com/security/investigator This was totally done in his style.  LOL!!!

  • Anonymous
    January 12, 2008
    The comment has been removed

  • Anonymous
    January 13, 2008
    The comment has been removed

  • Anonymous
    January 14, 2008
    The comment has been removed

  • Anonymous
    January 15, 2008
    This looked like a potential solution for an Autoplay issue (in XP) I have been dealing with for months. I had already run the AutoPlay Repair Wizard to no avail. So, I tried running thru this and got nowhere. It looks like I am missing 2 registry keys from:  HKLMSystemCCSEnum...!AlwaysEnable (Absent) <Not set> and HKLMSystemCCSEnum...!AlwaysDisable (Absent) <Not set>.  then I get a loving note at the bottom that says: Yup! You got problems, but I cannot fix them!  ANY ideas on something else I can try...anyone?  Buehler? Buehler?

  • Anonymous
    January 17, 2008
    Thanks for a good post. While I did not be deep in Vista, there some new thins for me explained. But one thins I do every time instaiilng OS for my own use: disable the service ShellHWDetection, because it's the simliest way to disable annoying window every time I plug-in USB/SD drives (some times I do it very frequently)

  • Anonymous
    January 24, 2008
    Autoplay, both the old behavior and the new Vista prompts are both annoying to me and must be disabled-and stay that way, especially on Windows systems. I've noticed Autoplay has even crept into Linux desktops (but it is much easier to disable-I hate the concept of the registry, give me plain text configuration files any day of the week). So it is funny to me to find someone who actually wants it to be enabled.

  • Anonymous
    January 24, 2008
    Very informative and helpful, thank you very much!

  • Anonymous
    January 30, 2008
    The comment has been removed

  • Anonymous
    June 12, 2008
    I tried this technique to deny "SYSTEM" access to some of the policy setting in XP and works like a charm.  I needed to override the Group Policy of "Classic Start Menu".  I have tried the same in Vista Enterprise SP1 but it does not seem to work.  The access seems to get reset to FULL Control everytime the system is re-starte.   Any  update on this situaiton would be greatly appreciated.

  • Anonymous
    June 08, 2009
    Hey for those whose issue has not been solved by reading this try uninstalling softwares that cause the problem ie: Real Player 10, Nero 7 etc. The autoplay dialog was mising from my pc and the right click menu as well. But on reading wikipedia's article,I decided on uninstalling Real Player and voilá it works!!!!!!

  • Anonymous
    July 22, 2009
    As usual Mark  does a great job, he is truly father of windows ,I assume Marks unix background makes him special about understanding core windows concepts.. Mark You are just great!!!