
AutoRun registry values/Spybot Resident


6 replies to this topic

#1 PNO

PNO

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:49 PM

Posted 25 November 2011 - 01:23 AM

I noticed something today through the Spybot S&D resident monitor that I don't understand and I was wondering if someone could shed any light on it.

I'd noticed last night that I'd inadvertently unchecked the option to "show info balloon" in the Spybot menu in my system tray - so I re-checked it. I took a look at the Spybot Resident log too - wanted to see what - if anything - I'd missed with the info balloon disabled. I noticed some registry changes that had occurred on startup regularly having to do with both "NoDriveTypeAutoRun" and "CDRAutoRun". These changes had to do with the values of these two in the registry but since I had no understanding of the values and minimal understanding of the functions - I just closed the log and shutdown later.

This morning at startup I was greeted by an "info balloon" from Spybot telling me that those same registry values were wanting to change. Since I hadn't had any time to research the information from the log I saw last night - I disallowed the changes. Each time they were disallowed - another balloon would immediately follow asking for the change again. After about 20 go-rounds of that - I toggled the "remember this decision" box and disallowed both changes. This immediately gave me a small cascade of spybot "info balloons" on my desktop regarding these two registry entries and the log file was repeatedly appending these same changes and denials several times a minute. I had a social function to attend so I left the PC on and offline and only earlier this evening had some opportunity to research a bit more as to what was going on. All the meanwhile the log file of these change requests had been growing!

The two entries are as follows:

11/24/11 9:23:11 PM Denied (based on user blacklist) value "CDRAutoRun" (new data: "hex:00,00,00,") changed in System Startup user entry!
11/24/11 9:23:12 PM Denied (based on user blacklist) value "NoDriveTypeAutoRun" (new data: "hex:95,00,00,") changed in System Startup user entry!

(end text example)

I searched about the Autorun function and about the implication of the values given and decided that - even though they might not be the perfect values for both of these autorun functions - that they were probably acceptable on the short-term. I went into Spybot and reversed the denial of change and that stopped the incessant appending of the resident log file for Spybot.

What I then noticed was that the values had changed from 95,00,00,00 on the NoDriveTypeAutoRun to 95,00,00 and from 00,00,00,00 on the CDRAutoRun to 00,00,00. Basically - it wanted to drop the last two digits on these values.

I use Avast 4.8 antivirus and get new definitions daily - so while away this afternoon - I ran a check on my drives and it found no threats or malware. (for what that's worth...)

What is the implication of these two digits being dropped from these values in the registry?

From some of what I've read this evening - the value of 95,00,00,00 on the NoDriveTypeAutoRun is default - and it seems that there are safer settings for this value - so I'd appreciate input about that too. Perhaps related - I've not done any registry modification yet - and am a complete NOOB in that regard.

I'd prefer CDs not autorun - and have that selected as my preference in the Device Manager. I've also been playing a bit with a Linux Mint 9 live CD lately but since I'm going into that at boot the autorun option doesn't seem to affect that - but I don't want to impair my ability to continue using the live CD until I get the guts to actually install it!

The OS is 98se - if that's of use.



#2 PNO

PNO
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:49 PM

Posted 25 November 2011 - 03:52 PM

As a follow-up to yesterday's post...

This morning at boot or start-up the Spybot S&D resident again indicated that the registry value for NoDriveTypeAutoRun wanted to change from 95,00,00,00 to 95,00,00 and the value of CDRAutoRun from 00,00,00,00 to 00,00,00 - the difference being the dropping of the last two digits of the hex value.

I went ahead and approved the change in order to avoid the barrage of attempted changes and denials that I wrote about above that occurred yesterday. Still I'm unsure about the implication of the change in registry value for these two factors and why the machine seems to want to do this.

#3 Eyesee

Eyesee

    Bleepin Teck Shop


  • BC Advisor
  • 3,541 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:In the middle of Kansas
  • Local time:11:49 PM

Posted 26 November 2011 - 09:34 PM

You apparently are running TeaTimer from Spybot.
Frankly I think it is more trouble than it is worth for the reasons that you have stated. It confuses the user with its own messages.
Spybot is one of the few programs left that work with 98 but I suspect that they will pull support for 98 when version 2 releases, whenever that may be.

You can prevent a cd from auto starting by holding down the SHIFT key when you insert the cd.
In the beginning there was the command line.

#4 4dude

4dude

  • Members
  • 578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:49 PM

Posted 04 December 2011 - 01:16 AM

You can also go to device manager and then CDROM and uncheck "Auto insert notification" then you will have to start the CD manually....

#5 PNO

PNO
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:49 PM

Posted 05 December 2011 - 09:37 PM

I want to thank both of you for your input. I was aware of both of those means to control the CD autorun. I have noticed that when an audio CD was inserted in the drive the Windows CD Player would activate and begin to play the disc regardless of what I'd selected in Device Manager. I did tend to look at this as an instance of 'autorun' as I generally use another player for audio CDs. That said - the solution was in the file association preferences - I tracked it down and set it blank. Haven't tested the change yet - but that should cover that issue.

I was looking at this from the view of security and 'best practices' and was more concerned about the "NoDriveTypeAutoRun" setting - and the insistence at every boot to drop the two digits off the hex value in the registry. This has happened with the "CDRAutoRun" since when I first posted about it here several days ago. A few days ago (at a boot-up) the value of the "NoDriveTypeAutoRun" changed from 95,00,00 to 0 - according to the SpyBot Resident or Tea Timer. I went ahead and allowed it and vowed to research the matter more later.

I guess what I was looking for when I posted about this here was an easy answer or two about the registry and these two values - with an eye towards what would be the best setting for these two values in terms of security and user control of my PC. An example is this snippet of text that I copied from somewhere online when I was trying to learn more about this:

In registry, look for NoDriveTypeAutoRun
95 is default value, but dangerous; this autoruns HD too!
9D is better value, allows CD autorun, suppresses HD autorun
B5 disables CD autorun, enables HD autorun (bad)
BD disables CD autorun, disables HD autorun (better)
00 allows all devices to autorun (supremo bad)
FF allows no devices to autorun (supremo safe)

This certainly seems to point to some of the issues I've mentioned - but brings up more questions than answers (to me anyway!) at this point. First - the info may not even be correct. Second - This bit about the HD and autorun - what exactly does that entail? It doesn't sound good but I don't know enough about the subject to be sure of WTH that's actually referring to. The HD 'autoruns' every time I boot - don't see any problem with that? Thirdly - knowing almost nothing about the Registry and being less than comfortable with the idea of editing it - the way of expressing these values - of actually entering them into the Registry - eludes me. I suspect the person who wrote that brief bit I quoted above assumed any reader would just change the first two characters of the string: 95,00,00,00 with the characters he provided - But I don't _know_ that and don't feel like buggering my registry to find out - particularly if the writer was wrong!

Well - at least no one came right out and told me to RTFM - but - in the absence of anyone wanting to spoon feed me any quick answers about these registry settings and the number of characters that are supposed to be in the Registry values - I am setting about to do exactly that - in my ample free time! I found a good article written on the registry on this site that I'll work my way through as time allows. (sorry - no link - I forgot to Bookmark the URL and will have to search it up again myself) When I finish that article I'll tackle this one:

Chapter 31 - Windows 98 Registry
http://technet.microsoft.com/en-us/library/cc768201.aspx

I'm sure there's good info in that MS article... but even skimming through it makes me go cross-eyed and want to make myself a stiff drink!

#6 Eyesee

Eyesee

    Bleepin Teck Shop


  • BC Advisor
  • 3,541 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:In the middle of Kansas
  • Local time:11:49 PM

Posted 05 December 2011 - 11:35 PM

Hehehe!

Had to make one before I even perused that Technet article.

That's pretty heavy stuff.
How did you stumble upon it?

The question as I see it is do you want cd's etc to autoplay or not?
Holding down Shift while inserting the disk is always the easiest.
In the beginning there was the command line.

#7 PNO

PNO
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:49 PM

Posted 06 December 2011 - 02:12 AM

Actually - I'm more concerned about the NoDriveTypeAutoRun business - but I'm not exactly sure of all the functions of that particular value - though it seems to supersede the CDRAutoRun value.

Take a look at some of the drives covered within that value:
http://www.msfn.org/board/topic/75640-what-are-all-the-different-settings-for-nodrivetypeautorun/page__view__findpost__p__514721

Now - that link applies to win2000/xp/2003 - but I'm fairly certain the generalities apply to 98. Also note that the preferences for the value are expressed differently - 0x00000000 vs what would probably be 00,00,00,00 in a 98 registry. This is covered a bit here:
http://www.autoruntools.com/autorun-inf.php#disable_enable

There's more about autorun and NoDriveTypeAutoRun in this MS article - but it's written for xp/2000/2003 so it may not entirely apply:
How to disable the Autorun functionality in Windows
http://support.microsoft.com/kb/967715

I tend to look at PC settings and preferences from the view of security and user control. I want my PC to operate in a more 'hardened' manner than what's usually default - and I tend to get annoyed when machines get too 'helpful' for their own good. (therein the paradox...)

What's ironic is that I've blissfully gone about my frittering with a PC for 13 some years and never really knew about autorun - CDR or NoDrive Type - and wouldn't have even gotten into this rabbit hole if the Spybot Resident hadn't started going batsh*t about it a week or so ago. (possibly longer as I inadvertently had the SB Res Information Balloons disabled...) I understand how this applies, Eyesee - to your first comment about SpyBot S&D - but I do consider it a tool - useful in its way. Sometimes just a prompt to get more educated!

Reminds me of a quote by Marshall McLuhan that occasionally rattles around in my brainpan: "If it works, it's obsolete".
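Added example, not part of any post in this thread: a small decoder for the NoDriveTypeAutoRun forms quoted above (the Spybot log's "hex:95,00,00,", the 98-style 95,00,00,00 and the 0x000000xx DWORD notation). It assumes the drive-type bits listed in Microsoft KB967715 (written for XP/2000/2003) and reads the comma-separated bytes low byte first; the function names are hypothetical, and it does not show how Windows 98 itself treats a 3-byte value.

```python
# Added example: decode a NoDriveTypeAutoRun value into the drive types
# for which AutoRun is disabled (a set bit means "disabled").

# Drive-type bits as listed in Microsoft KB967715 (assumed to apply here).
DRIVE_BITS = {
    0x01: "unknown type",
    0x04: "removable",
    0x08: "fixed (hard disk)",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown type (reserved bit)",
}

def parse_value(text):
    """Accept 'hex:95,00,00,', '95,00,00,00' or '0x00000095'; return an int."""
    text = text.strip().strip('"')
    if text.lower().startswith("0x"):            # DWORD notation (2000/XP)
        return int(text, 16)
    if text.lower().startswith("hex:"):          # Spybot log / .reg notation
        text = text[4:]
    parts = [p for p in text.split(",") if p.strip()]   # drop trailing comma
    if not parts or len(parts) > 4:
        raise ValueError("expected 1 to 4 hex bytes: %r" % text)
    data = bytes(int(p, 16) for p in parts)
    # Assumption: bytes are stored low byte first, so a 3-byte value that
    # only lacks the high zero byte decodes to the same number.
    return int.from_bytes(data, "little")

def autorun_disabled_for(text):
    mask = parse_value(text)
    return [name for bit, name in sorted(DRIVE_BITS.items()) if mask & bit]

def autorun_allowed_for(text):
    mask = parse_value(text)
    return [name for bit, name in sorted(DRIVE_BITS.items()) if not mask & bit]

if __name__ == "__main__":
    # Constructed sample inputs, written in the forms quoted in this thread.
    for sample in ("hex:95,00,00,", "95,00,00,00", "0x000000BD", "FF"):
        print(sample, "-> AutoRun disabled for:", autorun_disabled_for(sample))
        print(" " * len(sample), "   still allowed for:", autorun_allowed_for(sample))
```

Under these assumptions the 3-byte and 4-byte forms of 95 decode to the same mask, and that mask leaves fixed disks and CD-ROM drives with AutoRun enabled.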