Turning on "Data Execution Prevention" on Windows XP computers

system · January 15, 2010, 9:49pm

(imported topic written by jmlafreniere91)

Hello, due to the latest “0-day” vulnerability (see case Google – China) affecting Adobe Reader and all versions of IE, we would like to enable the DEP feature for all programs (see article: http://technet.microsoft.com/en-us/library/cc700810.aspx).

I’ve found this script on the Web that works well. Basically, it verifies and adds an entry in the BOOT.INI file:

@echo off

set app=%SYSTEMROOT%\system32\bootcfg.exe

set tout=5

:: test if app exists

if not exist %app% goto end

%app% | find /i “/fastdetect /noexecute=optout” > nul

if not errorlevel 1 (

goto end

) else (

goto configboot

)

:configboot

%app% | find /c /i “Boot entry ID” | find /i “1” > nul

%app% | find /i “Microsoft Windows XP Profession” > nul

if not errorlevel 1 (

%app% /raw “/fastdetect /NoExecute=OptOut” /id 1

%app% /timeout %tout%

)

:end

@echo on

I’d like to get the exact code to create a Bigfix fixlet.

It works when using the Windows Software Distribution Wizard, when uploading a script (.cmd) to the server, but I would like Bigfix to check if the entry in the BOOT.INI file is already present, so it doesn’t run on a computer that has already been patched.

Many thanks,

Jim

system · January 19, 2010, 7:09pm

(imported comment written by SystemAdmin)

Something like this for your relevance might work:

exists lines whose (it contains “Microsoft Windows XP Professional” and it does not contain “/fastdetect /NoExecute=OptOut”) of file “c:\boot.ini”

Look around for examples of how to run scripts within an action.

system · January 20, 2010, 7:08pm

(imported comment written by jmlafreniere91)

Thanks, look like it works.

For those who have both French and English versions of Windows XP, here’s the line I use in the relevance field:

(name of it = “WinXP”) of operating system AND exists lines whose (it contains “Microsoft Windows XP Profession” AND it does NOT contain “/fastdetect /NoExecute=OptOut”) of file “c:\boot.ini”

Note that I use “Microsoft Windows XP Profession” instead of “Microsoft Windows XP Professional”, because:

English is “Microsoft Windows XP Professional”

French is “Microsoft Windows XP Professionnel”

Also note that the Bigfix makes a difference between uppercases and lowercases, in: “/fastdetect /NoExecute=OptOut”

Regards,

Jim