You are here

Autorun: The Limiting Factor to Portable Apps

34 posts / 0 new
Last post
tlivingston
Offline
Last seen: 15 years 1 month ago
Joined: 2008-10-20 11:57
Autorun: The Limiting Factor to Portable Apps

I love portable apps, I really do. But how can we ever expect this to take off with the public when autolaunching is such a pain? Can we really expect people to know to click into my computer, and then into the drive letter, EACH time they want to launch the software? To me, this is a massive Achilles Heal.

Perhaps this is why the browser is so successful? "Autolaunching" is dead simple, all you need is a browser and a URL. However, the major draw back of the browser is access to the local computer. I know for me I keep movies on my 32GB drive, which I can then play anywhere. I know a service could stream them to me off the net, but what if I don't have internet?

At the end of the day, I don't see why portable apps couldn't kill the browser. Really they are the same, the ability to access your software and content on any computer. There is only one thing browser has, no finicky auto launching.

When will this be fixed? Why hasn't Microsoft allowed a more intuitive way to do this? Will Windows 7 have anything? I don't see PA taking off until this can be fixed, so that any user can autolaunch on any computer.

Thoughts? Is there some way to do a hybrid of web app and portable app?

Just thought it would be an interesting discussion Blum

Ted

John T. Haller
John T. Haller's picture
Online
Last seen: 3 min 40 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Less Autorun

Vista and Windows 7 have disabled autorun for even CDROM drives as they should for security reasons.

On your own PC, you can install a tiny app that will allow you to autorun portableapps.com, though:
https://portableapps.com/node/13770

It's currently manual (you need to set it to start with your PC by itself) but a later release of the platform will let you install the autorunner on any PC you'd like.

Sometimes, the impossible can become possible, if you're awesome!

RMB Fixed
Offline
Last seen: 14 years 2 months ago
Joined: 2006-10-24 10:30
..

Wow John .. I didn't even understand what the heck he was talking about ..
"Browsers and autolaunch" ??
My answer would be something along the line of "learn to use your computer" ..

tlivingston
Offline
Last seen: 15 years 1 month ago
Joined: 2008-10-20 11:57
Hey RMB, maybe this

Hey RMB, maybe this discussion is a bit beyond you, but thank you for your constructive feedback

While we all know how to use portable apps, the public does not / will not. I am just trying to look beyond what we can do today, versus where the market is going. Clearly, the major (and in my opinion only) limiting factor to portable apps is their ability to autolaunch. If we could solve this, I believe that portable apps would be a better user experience than cloud computing, especially as the whole market moves towards using smart phones. In this way, you could take only your smartphone with you, and leverage desktop interfaces/ internet connections when necessary.

However, it seems that autolaunch will be doomed going forward Sad

rab040ma
Offline
Last seen: 4 months 3 weeks ago
Joined: 2007-08-27 13:35
It was doomed the first time

It was doomed the first time some idiot hacker used it to autolaunch a trojan from a CD.

If there were a realistic way to prevent trojans from auto-launching, while auto-launching the good stuff, it might be worth thinking about. So that means plan B.

The sequence that is around now works like this:

  • you insert the USB drive and wait while Windows recognizes and mounts it
  • if you happen to be looking at the screen instead of the drive, it says something about the drive being ready
  • you open the drive (with Explorer) and start using it

How is that counterintuitive? Or maybe a better question, what can be done besides autoplay or running a little program on every computer that recognizes PAM and starts it when the drive is inserted?

Is it really the case that most people enjoy being locked away from the file system? When I am on a cellphone or other computer with just app icons, I start getting claustrophobic. What I hear you saying is that most people find "clicking on My Computer to access the drive" to be inconvenient and awkward, and since I find it to be just another click, I'm not seeing it that way. An extra click is an extra click, and it does help if they have mastered the right click too, but is it really that awful for regular folks?

So, assuming I am not a normal person, can we break down the task or feeling of inconvenience that normal people feel to the constituent parts and think of something that could be done short of launching any old program indicated by autoplay, even malware?

MC

ottosykora
Offline
Last seen: 1 day 6 hours ago
Joined: 2007-10-11 17:48
sorry did not quite understand

OK, the autoplay is a problem, does not work many times, for security reasons should not work on any system at all.
So what you suggest? To open browser first, enter url (bookmark) and so find the way to the menu?
Yes, but the browser of the local machine? OK, where you take the url from then? this might be different all the time. If the browser attempts to open anything presented on any new drive found , well then we are back with the autoplay which we all agree should be avoided?

Sorry but here I am slightly confused as what was the message in your original thread?

Otto Sykora
Basel, Switzerland

aahhaa
Offline
Last seen: 13 years 10 months ago
Joined: 2008-12-04 14:31
back in the Stone Age

We used to have ROM carts for the likes of the Vic20. The data on them couldn't be changed, so you couldn't pass malware around.

It would be nice if you could partition a drive, stock it with your software, and then password lock it to prevent changes. There could also be a separate quarantine area for temporary files that would be scrubbed after use.

I think a lot of people are being driven to smartphones because they can't stand the hassle & paranoia of computer maintenance these days...
(I just got one of those 'URGENT URGENT VIRUS SWEEPING INTERNET- PASS IT ON' emails from somebody who should know better- and the body of their email contained their entire address book. If computers were cars, we wouldn't put up with this plague of incompetent driving.)

ottosykora
Offline
Last seen: 1 day 6 hours ago
Joined: 2007-10-11 17:48
agree with that

>It would be nice if you could partition a drive, stock it with your software, and then password lock it to prevent changes. There could also be a separate quarantine area for temporary files that would be scrubbed after use.I think a lot of people are being driven to smartphones because they can't stand the hassle & paranoia of computer maintenance these days...

Otto Sykora
Basel, Switzerland

m-p-3
m-p-3's picture
Offline
Last seen: 3 months 3 weeks ago
Joined: 2006-06-17 21:25
Microsoft did a tool (for

Microsoft did a tool (for their operating system, obviously) that describes what you are talking about.
Look for SteadyState.

tlivingston
Offline
Last seen: 15 years 1 month ago
Joined: 2008-10-20 11:57
Sandbox?

Why can't the portable apps be "sandboxed" to only changing files on the USB drive itself? At the end of the day, security is necessary so I don't plug in my USB key and infect someone elses computer. But why can't you autolaunch the software off the USB key, but the platform restricts the portable apps to only accessing, modifying, and creating apps on the USB key itself, not the local computer.

This would give us all the functionality we need, while also protecting the local machine.

John T. Haller
John T. Haller's picture
Online
Last seen: 3 min 40 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Can't

There is no way from the USB side to entirely restrict stuff from writing to the local machine. If the initial EXE is infected with a virus (which is autorun), you're dead in the water already. There is no way around that. Even if you're using a virtual machine, the software that runs the VM can become infected. Same thing.

Sometimes, the impossible can become possible, if you're awesome!

tlivingston
Offline
Last seen: 15 years 1 month ago
Joined: 2008-10-20 11:57
What if the Portable Apps

What if the Portable Apps platform itself limited apps running on it from affecting the local computer? I'm not sure if this is what you mean by running VM (although I am an engineer by training, I am not no where near close to an expert on this)?

I'm just wondering why a "secure" platform can't be created, that, when everything runs within the platform, ensures the security of the host computer. Isn't this essentially what a browser is?

John T. Haller
John T. Haller's picture
Online
Last seen: 3 min 40 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Technically Impossible

This is technically impossible without something installed on the local host which, of course, kills off the whole "portable" thing. Period.

Sometimes, the impossible can become possible, if you're awesome!

tlivingston
Offline
Last seen: 15 years 1 month ago
Joined: 2008-10-20 11:57
Thanks John

I really appreciate your comments. I suppose this is why we will never see a portable version of Adobe AIR? The platform looks promising, combining a lot of the pros of internet apps with the pros of desktop apps, but you still have to install the app on every desktop that you want to use it on (a big advantage that web apps have).

http://www.adobe.com/products/air/comparison/

Ted

tlivingston
Offline
Last seen: 15 years 1 month ago
Joined: 2008-10-20 11:57
And one last comment, I'm not

And one last comment, I'm not sure if this does kill off the "portable" thing. Web apps require a browser to be installed, but they are still "portable". This is only impossible for PA if you can't create a secure/ compelling enough platform that people are willing to install, like they were with the browser.

John T. Haller
John T. Haller's picture
Online
Last seen: 3 min 40 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Very Different

Web apps and portable apps are two very different things and we will not get into that yet again in this topic. Web apps have privacy issues, security issues, functionality issues and are in no way close to the features and power available through local software. If you wish to have one of those discussions, please search the forums for one we've already had.

Sometimes, the impossible can become possible, if you're awesome!

mubed
Offline
Last seen: 13 years 11 months ago
Joined: 2009-01-26 23:52
Some Ideas

Just some ideas. Don't blame me if they're stupid:

1. OS on Stick
--------------
If you think of the scenario booting from USB drive, there must be a possibility to have an encrypted file system on it, which write protects the critical system files and is not accessable from other OS. Well this is not the principle of PortableApplicaion for Windows, but maybe, we'll have someday a Win on Stick!

2. Different format, different driver
-------------------------------------
When you insert a new USB device, Windows tries to find a driver for it. I'm not sure what happens, if Windows doesn't find anything. Is it possible to read the driver from the USB drive? in that case, the driver can be configured in a way that access to some files or areas (assuming different format of the drive) is restricted. I know this is a big programming effort, but maybe a solution

3. Don't Install, just run
--------------------------
You say PortableApps is not supposed to install anything on the system. OK, but you still can just run something like a service which a. restricts accesses and b. prevents changing of PAM or Autorun.inf. I know, this kills the open structure what we have now, but this could be seen as an alternative approach when safety is more important than open structure.

John T. Haller
John T. Haller's picture
Online
Last seen: 3 min 40 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Issues

#1 - Rebooting isn't allowed on most public PCs. It's inconvenient. You may not have access to any local data on the PC. You won't have access to local applications on the PC. It works for only a specific subset.

#2 - No. Only drivers come from Microsoft. Installing a driver off the USB would have the same security issues and won't be allowed. Same reason autorun is now dead.

#3 - No. I've already said this twice. Whatever runs first can be infected. Then it's game over. There is no way around it. Period.

An end user can handle a popup menu that asks them which of the five options they'd like to pick when they plug in a flash drive. The first option is Start PortableApps.com. It's pretty easy to just hit enter. Windows XP, Vista and 7 all do this when you insert a drive with PortableApps.com on it. Why is that such a huge deal to like 2 people in this discussion?

Sometimes, the impossible can become possible, if you're awesome!

mubed
Offline
Last seen: 13 years 11 months ago
Joined: 2009-01-26 23:52
Got it, but regarding...

#1,2,3: OK I got it.

Popup: Well, this has the problem that nothing pops up, when autorun is disabled, so I suggested (https://portableapps.com/node/17773) offering a fix or installing your listener by first use, if popup doesn't appear and you have to go and start PAM manually. But there are some security concerns about that.

For me, using the built-in autorun popup of Windows has also more benefits I mentioned in https://portableapps.com/node/17774, but as I said, first you must have your system popup the list and this was e.g. not the case on my PC before I fixed it with the tool from Uwe Sieber.

John T. Haller
John T. Haller's picture
Online
Last seen: 3 min 40 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Normally Is

When autorun is disabled as it is in Windows Vista and Windows 7 by default, that doesn't mean the popup doesn't come up. It means that CDs don't autorun (so U3's fake CD partition is useless). The popup with the selections still comes up.

The only reason the popup would not come up is if the user had some piece of software improperly disable CD autorun by entirely disabling autorun. Or they purposely disabled autorun entirely and they know what to do.

Sometimes, the impossible can become possible, if you're awesome!

mubed
Offline
Last seen: 13 years 11 months ago
Joined: 2009-01-26 23:52
Autorun or Popup

OK, what I meant was disabled is not Autorun, but the popup menu, and using the tool I mentioned I could fix it. So I had the idea to integrate such a thing in PortableApps to be able to fix this, when the popup doesn't appear.

John T. Haller
John T. Haller's picture
Online
Last seen: 3 min 40 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Rare

It's a rare circumstance and usually only on personal computers where the end user has disabled it themselves. On other computers, it would be very bad form (read: against the rules at schools, work, etc) to alter the way it works.

So, no, we will not be doing this. We will have a utility users can install on their own PCs to autorun the PortableApps.com Platform, though (sans popup).

Sometimes, the impossible can become possible, if you're awesome!

legnakrad
Offline
Last seen: 10 months 4 weeks ago
Joined: 2008-04-15 22:41
does this works ?

hello,

if i use a usb drive with ntfs file system, the file Autorun.inf with read-only attribute and in security defined only read permissions to SYSTEM and nothing else: would this prevent the modification of the autorun.inf in an infected computer ?

tia

l

Jimbo
Offline
Last seen: 4 years 2 months ago
Joined: 2007-12-17 05:43
no.

Since the virus would be most likely running as the system account, which has full access, can change any file, the permisssions of any file, the ownership of any file, etc.

It wouldn't even slow "well written" malware down.

The MAZZTer
The MAZZTer's picture
Offline
Last seen: 1 year 2 months ago
Developer
Joined: 2006-11-17 15:31
#1 - As John said booting

#1 - As John said booting from a drive may not be possible on all public PCs, and if someone catches you doing it (especially if they're not entirely computer savvy) they may have you thrown out for "hacking" the computer.

Using a VM on a drive may be possible. QEMU should be fairly portable by itself. I don't think any of the other common choices are... unfortunately QEMU is an emulator not a virtualizer so it is slower than other choices... there is an optional driver (KQEMU) you can install temporarily on the public PC if you have the access rights which would speed it up a bit. Still it is more cumbersome than using native apps... but then again you can customize your VM how you want, and don't have to worry about application portability since nothing will leave the VM sandbox.

#2 - Impossible, but not because of John's reason. Third party manufacturers HAVE to write drivers for their hardware, it's just Microsoft that hands out keys to allow the drivers to be signed. Signed drivers can be installed by any user AFAIK (at least for hardware ones) while overriding the lockout for unsigned drivers requires administrator access (and on 64-bit Vista, unsigned drivers are not permitted at all by default).

The reason it is impossible to install a driver FROM a USB device FOR that device should be obvious. The USB driver tells Windows how to talk to the USB device. So how does Windows know how to talk to the USB device in order to download the driver from it? It can't. That's why most such devices come with a CD with the drivers on THAT instead.

You also can get a hint though the Add New Hardware wizard and Found New Hardware wizards, which lay out the ways Windows can find drivers: on your local computer (Windows copies a bunch of drivers when you install Windows) CD drives (as before, for bundled drivers) and Windows Update (for more recent drivers available online).

#3 - How do you "restrict access"? As John said, once a virus runs on your computer, it can do anything you can do, including modify files on the drive. Oh yeah, if you do "restrict access", how do you determine whether a user is trying to update a portable app or if it's a virus trying to change the app? You can't, really.

Vista and 7 already "restrict access" in a way by using UAC and thus allowing users to use the "Limited User" account mode while still gaining occasional access to Administrator mode when its needed. Even still this only protects the local system, as it should be.

Right now the only way to "restrict access" would be to launch programs in a special reduced security context... like how Google Chrome and IE7 Vista currently work. However this obviously won't work well because a) we aren't going to specifically launch a virus at all and b) if we launch all portable apps like this, most won't work due to the fact they would expect to be run as a Limited User or Administrator. Also c) it would only be affective AFTER the usb device is already infected... and the autorun compromised and your "restrict access" program bypassed anyway.

Signature automatically removed for being too awesome.

The MAZZTer
The MAZZTer's picture
Offline
Last seen: 1 year 2 months ago
Developer
Joined: 2006-11-17 15:31
Linux allows you to mount

Linux allows you to mount drives "read-only" to avoid changing them, which can be very useful in certain circumstances. Windows is lacking this seemingly obvious feature, all the way up to the 7 beta. I would hope at least the Server versions have it (I've never used them).

There is the "read-only" file attribute but it's a legacy DOS compatibility feature, only originally designed to keep files from being accidentally changed or deleted. It's not there for security and can be turned off and on like a light switch.

TrueCrypt is encryption software which allows you to encrypt a whole drive, or make an encrypted virtual disk image on a drive. It supports mounting its volumes as read only, but like the legacy DOS light switch I mentioned it's not for security and can probably be easily circumvented... maybe by hacking the TrueCrypt driver in memory... at the very least the TrueCrypt file or encrypted partition can be written to directly, and thus corrupted.

Anyways keep in mind that if a virus ends up running on your system it can do anything you can do... including remounting a read-only drive as read-write.

Signature automatically removed for being too awesome.

johnlgalt
Offline
Last seen: 4 years 8 months ago
Joined: 2008-03-07 02:14
However, W7 does include a

However, W7 does include a completely new side of things - the ability to load a .VHD from the boot menu - thereby allowing one to create said VHD for emergencies, kinda like a Win-PE system without having but being a live install. Once you've made the VHD, you just let it sit there and forget about it....

However, that is neither here nor there - As an earlier poster said, the main reason Autorun (and many, many other good ideas from all sorts of platforms) are dead is simply because someone with a malicious mind saw the opportunity to exploit a feature for malicious use - and that, in and of itself, will never stop. The best we can hope to have is to have an unhackable system with redundant backups so even if we take our PA UFDs to infected machines, they will not be harmed. That and keeping our own devices malware free are pretty much all we can hope to achieve.

__

JG

gluxon
gluxon's picture
Offline
Last seen: 3 years 6 months ago
Developer
Joined: 2008-06-21 19:26
But...

You can just add a reg key to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"... it's not really that complicated Blum

The MAZZTer
The MAZZTer's picture
Offline
Last seen: 1 year 2 months ago
Developer
Joined: 2006-11-17 15:31
"At the end of the day, I

"At the end of the day, I don't see why portable apps couldn't kill the browser. Really they are the same, the ability to access your software and content on any computer. There is only one thing browser has, no finicky auto launching."

This reminds me of the story when the lady called AOL and asked them to send her the internet on a floppy disk (yeah she probably didn't mean that exactly but its still funny).

Seriously, although local software has always been more powerful than web-based, web-based IS getting smarter and better. But more important is the fact that the Internet can simply do so many things you can't do locally, and I'm talking about the constant updating of information. You just can't compare a web browser to a local program because of the completely different purposes they serve. I personally have a PORTABLE web browser ON my portable device! Does that blow your mind or what? Blum

Oh and I keep autorun off. I personally hate the dialog popping up whenever I slip in a DVD almost as much as I hated the programs autorunning. I definitely prefer the timely control that going into Explorer to launch the autorun provides. Of course usually I'll just use the Command Prompt instead. Blum

Signature automatically removed for being too awesome.

mubed
Offline
Last seen: 13 years 11 months ago
Joined: 2009-01-26 23:52
I think...

I think the ultimate solution must come from Microsoft. They must define an interface for portable applications. I'm thinking of a special structure for example like DVD structure, which is detected by Windows. Then the portable applications are shown in the start menu, and they are gone when you unplug the USB drive. This could be considered as a new application paradigm against the statically installed applications and will co-exist with web-based applications.

incognite
Offline
Last seen: 15 years 1 week ago
Joined: 2008-08-28 06:40
Actually

I just use them on my local file system, no need for USB or anything dodgey like that and if I need to go portable I can I simply copy and go then delete and copy back when I return; no need for this backup business at all.

Anyhow, I just want to see the installation side worked out such as carrying my installers along with my unpacked versions so if I mess up settings I can start again. What would be helpful here is a Restore Settings function inside PAM that can work on the installed application base of the "program".

As for autorun it was always such a pain I'm glad it's gone but it was still a pain for a while with the Explore/Open thing not really working but it appears to be fixed so I'll just go on using it to mount virtual partitions and so forth with commercial software, since at least now PA includes a very excellent CD/DVD burning program which I think is wholly admirable

reepicheep
Offline
Last seen: 11 years 8 months ago
Joined: 2008-04-29 11:32
US CERT Vulnerability Report

The US CERT (Computer Emergency Response Team) recently posted (21st January 2009*) a vulnerability annoucement about Windows Auto-Run that included this statement:

Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability.

Vulnerability announcements from CERT (a branch of the US DoD) are usually made after a manufacturer has made updates available to all customers. For details of this one go here

http://www.us-cert.gov/cas/techalerts/TA09-020A.html

or to the CERT blog at

http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html

(*) I'm having a snow day and ctaching up on my backlog of email.

SevenVirtues
Offline
Last seen: 15 years 1 month ago
Joined: 2009-02-25 16:13
I'm not quite sure what your

I'm not quite sure what your point is, I believe it is the fact that the Portable Apps Menu doesn't automatically launch?

In Vista I successfully did this by accident, without installing any third party apps. I was playing around with the .inf file. I will have to try again as I change it soon after, if I successfully do this again I will post it here.

rab040ma
Offline
Last seen: 4 months 3 weeks ago
Joined: 2007-08-27 13:35
Here's Microsoft's response

Here's Microsoft's response to the CERT notice:

http://www.microsoft.com/technet/security/advisory/967940.mspx

MC

Log in or register to post comments