#145419 - 2005-08-11 04:12 PM Disabling DEP in SP2 using KiX?
jdogg Offline
Getting the hang of it

Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA
Hi all,

In my company, we have not rolled out Windows XP SP2 to the general population yet, but are considering it.
One of the two roadblocks to doing this is the problems we experience with our applications and DEP (Data Execution Prevention) (the other roadblock is the built-in firewall that is enabled by default).

There is a way to turn off DEP system wide on a machine, but it requires modifying the critical file boot.ini.
Here is the Microsoft article:
Article on Disabling DEP
Has anyone experimented with this?
Has anyone already scripted something to add the AlwaysOff setting in the boot.ini?
With my limited scripting expertise, I am very wary of doing ANYTHING to the boot.ini through a logon script (or through any other method for that matter).

I almost put this in the "Discussions" category, but I am first and foremost a "Starter".

Thanks for any discussion/suggestions.
-jdogg

#145420 - 2005-08-11 04:44 PM Re: Disabling DEP in SP2 using KiX?
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
The MS way to disable DEP works great but requires a modification of the boot.ini on ALL computers.
Just creating one new boot.ini and copying it to all clients would be easier imho.

This should do. !! WARNING: NOT TESTED !!

Code:

; Compare the timestamp of the local boot.ini with the master copy on the server.
$Local = GetFileTime("c:\boot.ini")
$Remote = GetFileTime("\\server\share\boot.ini")
If $Local <> $Remote
    ; Copy the original boot.ini file for backup.
    Copy "c:\boot.ini" "c:\bootini.old" /h
    ; Copy new boot.ini file to client.
    Copy "\\server\share\boot.ini" "c:\boot.ini" /h
EndIf



For the XPSP2 firewall there is a UDF to en/disable it here.


Edited by Mart (2005-08-11 04:47 PM)
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#145421 - 2005-08-11 04:53 PM Re: Disabling DEP in SP2 using KiX?
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
Yikes!

I would not do a mass copy of a single boot file to all systems unless you know for a fact that all of your systems' boot.ini files are pointing to the same IDE drive, channel, partition, and system folder!!

If you get the path wrong in this line...

Code:

[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn



your computer will not boot!

Since this is an INI file, ReadProfileString/WriteProfileString would be the way to go.

#145422 - 2005-08-11 04:55 PM Re: Disabling DEP in SP2 using KiX?
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
OK, good point.
I just assumed that all PCs are the same and installed with a default image.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#145423 - 2005-08-11 05:02 PM Re: Disabling DEP in SP2 using KiX?
jdogg Offline
Getting the hang of it

Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA
Being that the boot.ini can differ on all machines, isn't your method a way to severely cripple all machines?
One method I was considering testing was to use WriteLine at the last blank line in the boot.ini and adding the exclusion.
It seems like replacing the boot.ini is dangerous, whereas appending to it would be less dangerous (although I would still sweat over this a bit).

Thanks for the FYI on the UDF for SP2 firewall disabling.

#145424 - 2005-08-11 05:03 PM Re: Disabling DEP in SP2 using KiX?
jdogg Offline
Getting the hang of it

Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA
Oops... Bryce beat me to it.
#145425 - 2005-08-11 05:06 PM Re: Disabling DEP in SP2 using KiX?
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
Here is the boot string that you will need to modify...

Code:

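; Path to the boot configuration file.
$boot = 'c:\boot.ini'
; ARC path of the default operating system entry.
$defaultboot = ReadProfileString($boot,'boot loader','default')
; Description and switches for that entry.
$DefaultBootString = ReadProfileString($boot,'operating systems',$defaultboot)

; Print the default boot string.
? $DefaultBootString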



Now I have SP2 installed, so I have "/noexecute=AlwaysOff" installed by default. You will have to do some string checking to see if this switch is not already in the default boot string, so you can change it from its default setting, or add it if it is not.

Bryce
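
The string check described in the post above, as an added example that is not part of the original thread: it is written in Python rather than KiX so it can be run over collected copies of boot.ini, and the sample file content and all function names are constructed for illustration. It reports the /noexecute value of the default boot entry and returns the option string with only that switch changed, leaving the ARC path untouched.

```python
import re

# Constructed sample boot.ini (not taken from a real machine).
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Recovery Console" /cmdcons
'''

POLICIES = ("OptIn", "OptOut", "AlwaysOn", "AlwaysOff")  # documented /noexecute values
NOEXECUTE = re.compile(r'(/noexecute=)(\S+)', re.IGNORECASE)

def read_ini(text):
    """Parse boot.ini into {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and '=' in line and not line.startswith(';'):
            # The ARC path is the key, so split on the first '=' only;
            # the '=' inside /NoExecute=... stays in the value.
            key, value = line.split('=', 1)
            current[key.strip().lower()] = value.strip()
    return sections

def default_entry(text):
    """Return (arc_path, options) for the default entry; options is None if absent."""
    ini = read_ini(text)
    path = ini.get('boot loader', {}).get('default', '')
    return path, ini.get('operating systems', {}).get(path.lower())

def dep_policy(options):
    """Return the current /noexecute value, or None when the switch is missing."""
    match = NOEXECUTE.search(options or '')
    return match.group(2) if match else None

def with_dep_policy(options, policy):
    """Return options with /noexecute set to policy; every other switch is kept."""
    if policy not in POLICIES:
        raise ValueError('unknown /noexecute value: ' + policy)
    if NOEXECUTE.search(options):
        # Replace only the value, keeping the switch's original spelling.
        return NOEXECUTE.sub(lambda m: m.group(1) + policy, options, count=1)
    return options.rstrip() + ' /noexecute=' + policy
```

Only the value returned by `with_dep_policy` would need to be written back under the existing key, so the path that decides whether the machine boots is never retyped.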

#145426 - 2005-08-11 05:10 PM Re: Disabling DEP in SP2 using KiX?
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Yeah, Bryce is right. Like I said, I assumed all machines are the same with an identical image on them.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#145427 - 2005-08-11 05:11 PM Re: Disabling DEP in SP2 using KiX?
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
Quote:

Thanks for the FYI on the UDF for SP2 firewall disabling.




You can also set a global setting in group policy for the SP2 firewall.

Bryce

#145428 - 2005-08-11 05:20 PM Re: Disabling DEP in SP2 using KiX?
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Can be done here in GPO:

Quote:


Computer Configuration\Administrative Templates\Extra Registry Settings\
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall



Computer Configuration\Administrative Templates\Extra Registry Settings\
SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall





More info can be found here: ms page about configuring XPSP2 firewall
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#145429 - 2005-08-11 05:25 PM Re: Disabling DEP in SP2 using KiX?
jdogg Offline
Getting the hang of it

Registered: 2003-09-11
Posts: 91
Loc: RTP, North Cakalaka, USA
Oooh... nice. Looks like some real options here.
Thanks again guys.
I am more immediately concerned with the DEP though, since we are upgrading our BlackICE software and DEP doesn't like the new version of BlackICE when installing on a newer machine with a processor that supports hardware-based DEP.
So I will work on testing adding/modifying a line in the boot.ini (YIKES!)
("/noexecute=AlwaysOff")
Any further suggestions on how to do this (in addition to Bryce's snippet above) would be appreciated since I am a total n00b when it comes to editing existing ini or txt files.

Thanks again!

#145430 - 2005-08-15 08:38 PM Re: Disabling DEP in SP2 using KiX?
Skatterbrainz Offline
Starting to like KiXtart

Registered: 2002-10-17
Posts: 172
Loc: Virginia, USA
Sorry if this is off the path, but after years of MS beating developers over the head about moving from INI to registry, they go and make DEP settings in the boot.ini. No registry key alternative? What bonehead thought of that? With a registry key, it could be controlled by a machine (group) policy so much easier.
_________________________
silence is golden, but duct tape is silver

#145431 - 2005-08-16 12:53 AM Re: Disabling DEP in SP2 using KiX?
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Because boot is read before the registry.