Turning on "Data Execution Prevention" on Windows XP computers

(imported topic written by jmlafreniere91)

Hello, due to the latest “0-day” vulnerability (see case Google – China) affecting Adobe Reader and all versions of IE, we would like to enable the DEP feature for all programs (see article: http://technet.microsoft.com/en-us/library/cc700810.aspx).

I’ve found this script on the Web that works well. Basically, it verifies and adds an entry in the BOOT.INI file:

@echo off

set app=%SYSTEMROOT%\system32\bootcfg.exe

set tout=5

:: test if app exists

if not exist %app% goto end

%app% | find /i “/fastdetect /noexecute=optout” > nul

if not errorlevel 1 (

goto end

) else (

goto configboot



%app% | find /c /i “Boot entry ID” | find /i “1” > nul

%app% | find /i “Microsoft Windows XP Profession” > nul

if not errorlevel 1 (

%app% /raw “/fastdetect /NoExecute=OptOut” /id 1

%app% /timeout %tout%




@echo on

I’d like to get the exact code to create a Bigfix fixlet.

It works when using the Windows Software Distribution Wizard, when uploading a script (.cmd) to the server, but I would like Bigfix to check if the entry in the BOOT.INI file is already present, so it doesn’t run on a computer that has already been patched.

Many thanks,


(imported comment written by SystemAdmin)

Something like this for your relevance might work:

exists lines whose (it contains “Microsoft Windows XP Professional” and it does not contain “/fastdetect /NoExecute=OptOut”) of file “c:\boot.ini”

Look around for examples of how to run scripts within an action.

(imported comment written by jmlafreniere91)

Thanks, look like it works.

For those who have both French and English versions of Windows XP, here’s the line I use in the relevance field:

(name of it = “WinXP”) of operating system AND exists lines whose (it contains “Microsoft Windows XP Profession” AND it does NOT contain “/fastdetect /NoExecute=OptOut”) of file “c:\boot.ini”

Note that I use “Microsoft Windows XP Profession” instead of “Microsoft Windows XP Professional”, because:

English is “Microsoft Windows XP Professional”

French is “Microsoft Windows XP Professionnel”

Also note that the Bigfix makes a difference between uppercases and lowercases, in: “/fastdetect /NoExecute=OptOut”