AutoRun

USBDLM

 



 

Windows AutoRun

 

The Windows AutoRun facility is not to everybody's taste: silly questions, mindless searching, a tendency to take on a life of its own, and just not working...

So just deactivate it, preferably with my tool AutoRunSettings.

At first glance Microsoft's TweakUI for XP can do this too, but it cannot deactivate AutoRun for hard drives, and it activates AutoRun for network and unknown drives because it completely ignores the Windows default values.

 

 

USBDLM's AutoRun functions

 

USBDLM has two mechanisms to start programs on arrival of a drive and on insertion of media (card, disk, CD/DVD), see below.

 

By default the command is executed in the context of the active user. If no user is active, the command line is not executed unless system=1 is configured for this open line.

Remote users are considered since V4.4.3, but only one. Multiple active users are available on servers only. If there is more than one active user, USBDLM selects one depending on the setting "RemoteSessions" in section [Settings]:

 

RemoteSessions=0         remote sessions are ignored

RemoteSessions=1         remote sessions are considered when there is no active local user (default)

RemoteSessions=2         local and remote users are handled as equal

 

If there are multiple equal users, the user who logged on last "wins".

 

 

In contrast to Windows' AutoRun, USBDLM's AutoRun also works if the drive is mounted into an NTFS folder or if it has no mount point at all.

 

By holding down the Shift key the execution can be skipped. Since Vista this works only if Force=0 is configured in the section, because determining the keyboard status takes some effort here.

 

Since V4.8.8 USBDLM supports opening document files with their associated application.

E.g.

open=%drive%\test.txt

would open the text file in the text processor.

 

If the path contains spaces and command-line parameters are used, then the path must be quoted. Sample:

open="C:\Program Files\AntiVir\AntiVir.exe" %drive% /scan

This also applies when environment variables are used which contain spaces once expanded. Sample:

open="%ProgramFiles%\AntiVir\AntiVir.exe" %drive% /scan

 

With SafeCommandLines=1 in section [Settings] quoting is required whenever the command line contains a space character. Sample:

open=C:\Tools\test.exe -t

This seems obvious, but it could also mean a file named "C:\Tools\test.exe -t.exe". Therefore it is better to always quote the path of the executable:

open="C:\Tools\test.exe" -t

 

By default the root of the drive is used as working directory. By means of a line workdir=xxx a different one can be specified.

 

Since V4.6 executable files are searched first in the Windows search path (environment variable PATH), then in the working directory.

This was changed for security reasons: if, for instance, open=explorer %drive% is configured and the working directory were searched first, then all a bad guy has to do is put a bad explorer.exe on a USB drive and attach it...

 

An additional search path can be configured, e.g.

 

[Settings]

OpenSearchPath=C:\BatchFiles

 

 

AutoRun events on insertion or removal of a card reader's media that are configured for the first time may work only after reattaching the device or after restarting the USBDLM service. This is because USBDLM must register to receive these notifications, and it does so only if required. Whether it is required is decided only on arrival of a drive and on USBDLM's startup.

 

 

The USBDLM variables can be made available to the executed program as environment variables. A list of variables must be configured.

Sample for the drive (like U:) in the variable %drive%:

 

[Settings]

UsbdlmVariablesToOpenEnvironment=%drive%

 

Both mechanisms described below can be executed on user logon to deal with drives present at startup.

 

[Settings]

AutoRunOnLogon=1

 

Under Windows 2000 this does not work because there is no logon notification. We have to do it once on startup of the USBDLM service here:

 

[Settings]

AutoRunOnStartup=1

 

 

1. autorun.inf on the attached drive

 

The autorun.inf is a Windows mechanism. One function is the open= line to execute a command line when a drive is attached. With each Windows version this has been limited more and more. Under XP it works without further user inquiry with CD-ROM drives only. This is the reason for such great solutions as U3 drives or self-installer devices which use a fake CD-ROM drive.

Since Vista even this works only after asking the user.

 

USBDLM can execute the open= line in an autorun.inf on removable drives, hard drives, CD/DVD and floppy drives.

 

Sample for drives with removable media:

 

[Settings]

AutoRunInf=1

 

Values for the drive types; add them up as required:

 

Removable:     1

Hard drives:   2

CD-ROMs:       4

Floppies:      8

Unknown:      16

Remote:       32

 

 

Sample for removable drives, hard drives and CD-ROMs:

 

[Settings]

AutoRunInf=7

 

Floppy drives have no insert notification, therefore AutoRun works (if at all) only when an external Floppy with a disk present is attached to the system.

 

Sample for opening a Windows Explorer window through an autorun.inf on the attached drive or inserted media:

 

[Autorun]

open="%windir%\explorer" .

openstyle=max

 

On x64 systems the section [Autorun.Amd64] is read first. If the value is not found in this section then [Autorun] is read.

 

A window style can be suggested using an openstyle= line; this is USBDLM specific and not supported by Windows' autorun.inf.

Many programs honor this (such as Windows Notepad), others do not (such as Windows Calculator).

 

The available styles are:

 

max        maximized

min        minimized

hidden     hidden

noactivate normal, but the window is not activated, it does not get the focus

 

Since Vista it's quite tricky to start a program from a service and get its window activated. If activation is not required at all, then please configure:

openstyle=noactivate

 

 

If required, a delay before the program is executed can be added. The default unit is milliseconds; 's' for seconds and 'h' for hours can be used. The maximum value is 24 hours:

 

delay=10s

 

 

Of course the autorun.inf can be easily abused. Therefore USBDLM can protect this by a key:

 

[Settings]

AutoRunKey=MySecretKey

 

The open= line is executed only if the same line is found in the autorun.inf's [open] section on the drive.

 

Another security option is to execute the AutoRun without admin privileges:

 

[Settings]

AutorunInfRestricted=1

 

If the current user isn't an admin, then this setting makes no difference.

 

Of course a SETUP.EXE started from a CD drive may then not have enough privileges to install its software...

 

 

Since V4.3 most extensions such as open1 to open9, wait, delay etc. work here too.

 

 

Label and Icon from autorun.inf

 

Since V4.4 the items label and icon can be read from an autorun.inf file and written to the registry values DefaultLabel and DefaultIcon for this drive.

This can be useful if the autorun.inf is completely disabled or if it just does not work...

It must be activated separately for label and icon, in the same way as shown above.

 

Sample for Label and Icon on CDROM drives:

 

[Settings]

AutoRunInfLabel=4

AutoRunInfIcon=4

 

 

 

2. Global AutoRun settings in the USBDLM.INI

 

2.1 Triggered by volumes

 

[OnArrival]

open=%windir%\System32\calc.exe

 

This would start the Windows Calculator when a USB drive is attached or a media is inserted into a REMOVABLE or FIXED type drive.

 

If you need this for other types of drives, configure one or multiple DriveTypes. If you do so, the default "REMOVABLE or FIXED" no longer applies:

 

; for CD and Network drives

[OnArrival]

DriveType1=CDROM

DriveType2=REMOTE

open=%windir%\System32\calc.exe

 

 

The command can be executed without admin privileges (no difference if the active user is no admin):

 

[OnArrival]

open=%windir%\System32\calc.exe

restricted=1

 

or with full system privileges in the context "LocalSystem":

 

[OnArrival]

open=%windir%\System32\calc.exe

system=1

 

You will never see this program: because it runs in the "LocalSystem" context, it is not readily allowed to show a window on the user's desktop.

This is useful when system tools shall be started but the user is a restricted one, as shown below in Sample 6.

 

Since Vista admin users work with a split access token. One incarnation is "limited", the other is not limited and is called "elevated". The latter is what you get when processes are started manually by selecting "Run as administrator".

By default USBDLM starts processes limited. If you need something "elevated":

 

[OnArrival]

open=%windir%\System32\calc.exe

elevated=1

 

 

As parameters for the program you can use variables such as %drive% for the drive ( as X: ) or %root% for its root folder ( as X:\ ).

 

This can be made dependent on criteria as described under Drive letters depending on certain criteria.

An additional criterion is the volume's drive letter, so a line such as Letter=X is a criterion here! Only a single letter or an NTFS mountpoint works here in one Letter= line.

An NTFS mountpoint needs a trailing backslash here to work.

 

Furthermore there is the default criterion MinDriveSize=1, so OnArrival events are executed by default only when the drive size is at least one byte (a media is present in the drive). To execute OnArrival for drives without a media, configure MinDriveSize=- or MinDriveSize=0

 

USBDLM checks sections [OnArrival1] to [OnArrival99], and finally [OnArrival] (without a number).

 

A window style can be suggested using an openstyle= line as shown above.

 

To prevent the user from skipping the AutoRun by holding down the Shift key, you can set Force=1 in a section.

 

To prevent a process from being started when it is already running, configure OneInstance=1:

 

[OnArrival]

open=%windir%\System32\calc.exe

OneInstance=1

 

To ensure the integrity of the executable file, an MD5 hash value can be configured:

 

[OnArrival]

open=%windir%\System32\calc.exe

md5=DDCD9FCD B7E1956E E69F8E58 B8C8BF0D

 

Only if the MD5 hash value of the executable is equal to the configured one, it is executed.

The MD5 is case insensitive, spaces don't matter.

 

MD5-File.zip
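
As an added example (not part of USBDLM or its documentation), a small Python linter for a USBDLM.INI that flags the risks discussed on this page: unquoted command lines containing spaces, bare executable names that depend on the search path, AutoRunInf without an AutoRunKey, and system=1 or elevated=1 commands run from the attached drive without an md5 line. The sample INI is constructed, and the parser assumes that parameters follow their open line, as in the samples here.

```python
import re

# Constructed sample USBDLM.INI for illustration; section names may repeat.
SAMPLE_INI = r'''
[Settings]
AutoRunInf=7
[OnArrival1]
open=explorer %drive%
[OnArrival2]
open=C:\Tools\test.exe -t
system=1
[OnArrival3]
open="%drive%\setup.exe" /silent
elevated=1
[OnArrival]
open="%windir%\System32\calc.exe"
md5=DDCD9FCD B7E1956E E69F8E58 B8C8BF0D
'''

# Per-open parameters relevant to the audit, with optional number (open1, system1, ...)
PARAM = re.compile(r'(open|system|elevated|md5)(\d*)$', re.I)

def parse(text):
    """Return ([Settings] dict, open= sets); assumes parameters follow their open line."""
    settings, sets, cur, section = {}, [], {}, ''
    for line in map(str.strip, text.splitlines()):
        if line.startswith('['):
            section, cur = line.strip('[]'), {}  # repeated sections stay separate
        elif '=' in line and not line.startswith(';'):
            key, value = (p.strip() for p in line.split('=', 1))
            m = PARAM.match(key)
            if section.lower() == 'settings':
                settings[key.lower()] = value
            elif m and m.group(1).lower() == 'open':
                # an open line starts a new parameter set (numbered or V5 style)
                cur[m.group(2)] = {'section': section, 'open': value}
                sets.append(cur[m.group(2)])
            elif m and m.group(2) in cur:
                cur[m.group(2)][m.group(1).lower()] = value
    return settings, sets

def audit(text):
    """Return (section, finding) pairs for risky AutoRun configuration."""
    settings, sets = parse(text)
    out = []
    if settings.get('autoruninf', '0') != '0' and not settings.get('autorunkey'):
        out.append(('Settings', 'AutoRunInf enabled without AutoRunKey'))
    for s in (s for s in sets if s['open']):
        cmd = s['open']
        exe = cmd[1:].split('"')[0] if cmd.startswith('"') else cmd.split()[0]
        privileged = s.get('system') == '1' or s.get('elevated') == '1'
        if ' ' in cmd and not cmd.startswith('"'):
            out.append((s['section'], 'unquoted command line containing spaces'))
        if '\\' not in exe:
            out.append((s['section'], 'bare executable name, found via search path'))
        if re.match(r'%(drive|root)%', exe, re.I) and privileged and 'md5' not in s:
            out.append((s['section'], 'privileged run from attached drive, no md5'))
    return out
```

Calling audit(SAMPLE_INI) returns five findings; the quoted, md5-pinned calc.exe entry in [OnArrival] produces none.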

 

You can also grab the open line from an autorun.inf file:

 

[OnArrival]

open=%drive%\autorun.inf

 

 

Sample 1: 

- PhotoSoftware for drives with a volume label "CANON_DC" or "NIKON_DC"

- nothing for drive X

- otherwise a maximized Explorer window, but not if it's a card reader without a card (size 0)

 

[OnArrival]

VolumeLabel1=CANON_DC

VolumeLabel2=NIKON_DC

open="C:\Program Files\PhotoSoftware\PhotoSoftware.exe" %root%

 

[OnArrival]

Letter=X

open=

 

;all others

[OnArrival]

open="%windir%\explorer.exe" %root%

openstyle=max

 

Sample 2: 

- If the file DATA.TXT exist, copy it from the drive to C:\Data

 

[OnArrival1]

FileExists=%drive%\DATA.TXT

open="%windir%\System32\cmd.exe" /c copy "%drive%\DATA.TXT" "C:\Data"

 

cmd is the Windows command processor, /c means "execute the command and then exit", and copy is a built-in cmd command that copies files.

 

The same hidden:

 

[OnArrival]

FileExists=%drive%\DATA.TXT

open="%windir%\System32\cmd.exe" /c copy "%drive%\DATA.TXT" "C:\Data"

openstyle=hidden

 

 

Sample 3:

AutoMount a TrueCrypt container file with name secret.tc on T:, open an Explorer window with the mounted TrueCrypt volume

 

[OnArrival]

FileExists=%drive%\secret.tc

open="C:\Program Files\TrueCrypt\TrueCrypt.exe" /q /v "%drive%\secret.tc" /L T

 

[OnArrival]

DeviceType=TrueCryptVolume

open="%windir%\explorer" %root%

 

 

Sample 4:

AutoMount a TrueCrypt volume, remove its drive letter and open an Explorer window with the mounted TrueCrypt volume

 

;remove the volume's drive letter, it's useless

[DriveLetters]

DeviceType1=TrueCrypt

DeviceType2=ReadSharingViolation

Letter=-

 

;mount it on J:

[OnArrival]

DeviceType=TrueCrypt

open="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" /q /v %PartitionName% /L J

 

;an Explorer window with the mounted TrueCrypt volume

[OnArrival]

DeviceType=TrueCryptVolume

open="%windir%\explorer" %root%

 

%PartitionName% is a USBDLM variable which USBDLM replaces with something like \Device\Harddisk2\Partition1 as expected by TrueCrypt.

 

The DeviceType ReadSharingViolation applies to drives already mounted by TrueCrypt. Since TrueCrypt gets exclusive access, USBDLM cannot read test data: the attempt is rejected with ERROR_SHARING_VIOLATION, which is where the name comes from.

This usually happens when the USBDLM service is manually restarted. We want the letter removed but the volume shall not be mounted again by TrueCrypt; that's what this sample does.

 

It does not work if a "fixed" drive is used completely as a TrueCrypt container, because in this case there is no logical drive on the disk and USBDLM isn't triggered. In that case create a single partition and use it as the TrueCrypt container. This is suggested by TrueCrypt and prevents the Windows Disk Management from screwing up the volume by "initializing" the drive, which sounds less harmful than the Windows Explorer's suggestion to format the TrueCrypt container volume...

 

 

Sample 5: 

- mount a USB drive on U: and create a share FlashDrive_U for it, on "safe removal" delete the share (openstyle=hidden prevents the console window from appearing when starting NET.EXE):

 

[DriveLetters]

Letter1=U

 

[OnArrival]

Letter=U

open="%windir%\System32\net.exe" share FlashDrive_U=U:\

openstyle=hidden

 

; on safe removal the share must be deleted, otherwise the safe removal would be denied if the share is accessed

[OnRemovalRequest]

Letter=U

open="%windir%\System32\net.exe" share FlashDrive_U /D

openstyle=hidden

 

; in case there was no safe removal

[OnRemoval]

Letter=U

open="%windir%\System32\net.exe" share FlashDrive_U /D

openstyle=hidden

 

Since Vista with active UAC a system=1 or elevated=1 is required to get the privileges required to create a share.

 

 

Sample 6:

 

- a USB flash drive at A:, if A: is in use, remount A: to B: and assign A: then:

 

;mount to A: if available, otherwise unmount

[DriveLetters]

Letter=A

Letter=-

 

;if unmounted, remount A: to B: and assign A:

[OnArrival]

Letter=-

open=c:\A_to_B_and_drive_to_A.cmd %VolumeName%

system=1

 

In the command script c:\A_to_B_and_drive_to_A.cmd:

 

ReMount A: B:

mountvol A: %1

 

 

%VolumeName% is a USBDLM variable which USBDLM replaces by something like \\?\Volume{aa6d706a-15da-11dc-a38f-0013d31dd4c5}\, as expected by the Windows command-line tool MountVol.

ReMount is my command-line tool for changing drive letters. Download:

http://www.uwe-sieber.de/drivetools_e.html#remount

 

Assign A: to the previous drive when the USB flash drive has been removed:

 

[OnRemoval]

Letter=A

open=ReMount B: A:

system=1

 

The line system=1 makes USBDLM execute the command line in the context "LocalSystem", in which USBDLM itself is running. This is required for restricted users when tools such as MountVol or ReMount are executed, because they will not work without admin privileges. And they don't pop up...

Furthermore such an item is executed too when no user is logged on.

 

 

Multiple open commands

 

Since V4.3 you can have up to 10 commands executed. Use open1= to open9= and then open=. Additional parameters such as openstyle, restricted etc. must then be numbered too and affect the open line with the same number, so in contrast to all other section types there is a relation between items with the same number!

 

Sample 7 (USBDLM V4.3+):

- start the Windows Calculator twice, one restricted and one normal

 

[OnArrival]

open1=calc.exe

restricted1=1

open2=calc.exe

restricted2=0

 

- start the Windows Calculator, and then the Windows Notepad (maximized) as soon as the Calculator ends or after a 10 second wait

 

[OnArrival]

open1=calc.exe

wait1=10000

open2=notepad.exe

openstyle2=max

 

Since V5 the numbering isn't required, an open line starts a new parameter set:

 

Sample 7 (USBDLM V5.0):

 

[OnArrival]

open=calc.exe

wait=10000

 

open=notepad.exe

openstyle=max

 

 

 

Sample 8: 

 

- remove the drive letter of a USB drive, dismount its file system by means of EjectMedia, copy an image to it by means of DD for Windows, finally safely remove it by means of RemoveDrive:

 

[DriveLetters]

Letter=-

 

[OnArrival]

Letter=-

open="C:\Tools\EjectMedia.exe" %VolumeName% -D

wait=1000

 

open="C:\Tools\DD.exe" -if=C:\usb-image1.bin -of=\\.\%PureVolumeName%

wait=600000

 

open="C:\Tools\RemoveDrive.exe" %VolumeName% -L

 

For direct writes to a volume or a disk device admin privileges are required. Since Vista with active UAC you need an elevated2=1 or system2=1 too; with the latter you will not see the console windows because it runs in the "Local System" context.

If you want to write to the disk device then the target for DD is \\.\%PhysicalDrive%DeviceNumber%

 

 

 

2.2 Triggered by disks

 

Especially for disks without partitions there are the events [OnDiskArrival], [OnDiskRemovalRequest], [OnDiskRemoval] which work like the volume triggered events described above. Of course volume specific criteria cannot work here.

 

Sample:

 

; mount a disk which is entirely used as TrueCrypt container to J:

[OnDiskArrival]

DeviceType=TrueCrypt

open="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" /q /v \Device\Harddisk%DeviceNumber%\Partition0 /letter J

 

 

AutoRuns on user logon / user switch

 

Configured AutoRun events are executed by default on arrival of a drive or on insertion of a media only.

If USBDLM shall do this on user logon or user switch:

 

[Settings]

AutoRunOnLogon=1

 

With an auto logon the USBDLM service may not have started yet at logon, so it misses the logon event. Workaround: if less than two minutes have passed since system start and a user is already logged on when the USBDLM service starts, the AutoRuns are executed too.

 

Windows 2000 does not support the required notification messages, so USBDLM cannot AutoRun on logon.

 

 

Diagnostic

 

If there are problems with the command line parameters, working directory, being admin or not, window style etc., it might be helpful to check this by executing my debug tool TestCommandLine:

http://www.uwe-sieber.de/files/testcommandline.zip

 

By default it closes after 10 seconds. Clicking on the countdown starts the timeout over again. With the command-line parameter -t:xx a different timeout in seconds can be specified.

 

The window of TestCommandline does not become active and it ignores the given window style (but shows it).

 

 

If a program is started hidden or in the context "LocalSystem" then it is invisible. In these cases USBDLM since V4.7.2 redirects the output of console programs to the logfile. By default this is done with log-level 3; another log-level can be configured, e.g.

 

[Settings]

RedirectLogLevel=2