PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

Microsoft Finally Turns Off AutoRun in Latest Windows Update

Larry Seltzer
 & Larry Seltzer

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

In addition to releasing a large number of security updates on Tuesday, Microsoft released an important change to the behavior of Windows XP and Windows Vista. Windows will not run or offer to run programs automatically off of USB media, both flash keys and hard disks.

This feature goes all the way back to Windows 95, which automatically played music CDs and ran programs on CD-ROMs. This was called AutoPlay and has evolved into a broader set of features AutoRun. The feature has turned into a big security problem on USB media.

Malware programs these days typically search for USB-based storage and write themselves to it. When the key or hard disk is inserted into a new computer, the AutoRun menu offers to run the malware which is disguised as something to entice the user.

This malicious use has become so common that Microsoft is disabling it by default. Users who apply the update will still see an AutoRun menu when they plug in a key, but it will not have any options for running programs off of the device. This is the behavior that Windows 7 has had from its release. Certain high-end, security-hardened USB keys will still have the old behavior, as will CDs and DVDs.

The update is not labeled as a security update but it is rated "Important," so users with the recommended settings for Windows Update will have it installed automatically. If you want to re-enable the feature, Microsoft has also created a Fix It to turn it back on.

About Our Expert

Larry Seltzer

Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

He is co-author of Linksys Networks: The Official Guide, author of ADMIN911: Windows 2000 Terminal Services and Webmaster of ADMIN911 and CPA911.

Larry can be reached at larryseltzer@ziffdavis.com.

Check out Larry Seltzer's introductory column: Ziff Davis' Security Supersite: Blocking the Bad Guys

Read the latest from Larry Seltzer

Read full bio