共用方式為


Windows XP Service Pack 2 Application Compatibility - Supplemental Scripts

By Peter Costantini, The Scripting Guys, Microsoft Corporation

The scripts in this collection are counterparts to the scripts that ship with the "Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2" (called "the Guide" for the rest of this paper) and which are documented in the Appendix. You can download a Windows Installer (.msi) file that installs the Guide and its associated scripts from:
https://www.microsoft.com/downloads/

Most of the scripts require that Windows XP Service Pack 2 be installed on the computers against which they are run. The exceptions include the scenario-based scripts explained in the list of scripts below, which show methods for deploying Service Pack 2. The Service Pack 2 download and resources for IT professionals can be found at:
https://www.microsoft.com/technet/winxpsp2/

While the scripts installed with the Guide are mainly batch files and VBScript scripts that use Windows Script Host (WSH), the scripts in this collection primarily use Windows Management Instrumentation (WMI) and the Windows Firewall COM object model. They are illustrations of how to use alternative scripting techniques to accomplish the same tasks; which works better for your particular needs depends on those specific needs and on your scripting preferences.

Because WMI enables built-in remoting through Distributed Component Object Model (DCOM), these scripts can run more easily against multiple remote computers. At the same time, these scripts are generally more complex because they:

  • Use variables for changeable parameters rather than hard-coding them.

  • Do some error checking.

  • In some cases, use a text file for input.

  • In some cases, are broken down into subroutines and function.

The Windows Firewall object model, however, does not use DCOM remoting and works only on the local computer.

Most of these scripts correspond directly to the scripts included with the Guide. Such scripts have the same filename with "-wmi" appended. In the case of the Windows Firewall scripts, "-com" is appended instead to the filename because Windows Firewall uses its own COM object model rather than WMI. A few scripts here have extra functionality. And finally, some additional scripts not corresponding to any Guide script have been included in this collection.

These scripts are offered as examples to be adapted to the particular needs of users. In most cases, they cannot be run as is. Rather, you must substitute correct parameters for your particular computer or network in place of the generic ones included in the scripts and input text files. In most cases, such parameters are commented in the scripts.

On This Page

Scripts
Scenario 1
Scenario 2
Support

Scripts

Filename

Associated Files

Purpose

Notes

AddOn-wmi.vbs

 

Disables a specific Internet Explorer add-on.

 

AddOn-wmi-multi.vbs

addon-hosts.txt

Disables a specific Internet Explorer add-on on multiple computers.

 

AllowPop-wmi.vbs

 

Permits pop-ups in Internet Explorer for specific sites.

 

AllowPop-wmi-multi.vbs

allowpop-hosts.txt

Permits pop-ups in Internet Explorer for specific sites on multiple computers.

 

Attachments-wmi.vbs

 

Turns off or on attachment restrictions for Outlook Express.

 

Attachments-wmi-multi.vbs

attach-hosts.csv

Turns off or on attachment restrictions for Outlook Express on multiple computers.

 

ClosePorts-com.vbs

 

Closes specified ports in Windows Firewall, retains the stored port settings.

Runs only against local computer. No script in the Guide scripts corresponds to this script: closeport.vbs in those scripts deletes a port and corresponds to RemovePorts-wmi.vbs.

ClosePrograms-com.vbs

 

Disables exceptions for specified apps in Windows Firewall, but retains the stored app settings.

Runs only against local computer. No script in the Guide scripts corresponds to this script: closeprogram.vbs in those scripts delets the programand corresponds to RemovePrograms-wmi.vbs.

DCOMSec-wmi.vbs

 

Exempts applications from the DCOM activation security check.

 

DCOMSec-wmi-multi.vbs

dcomsec-hosts.csv

Exempts applications from the DCOM activation security check on multiple computers.

 

FwDisable.vbs

 

Disables Windows Firewall, which is enabled by default on XP SP2.

Runs only against local computer. Not included in the Guide scripts.

FwEnable.vbs

 

Enables Windows Firewall.

Runs only against local computer. Not included in the Guide scripts.

FwListExceptions.vbs

 

lists the open ports and authorized apps for Windows Firewall.

Runs only against local computer. Not included in the Guide scripts.

FwRemoteAdminDisable.vbs

 

Disables remote administration for Windows Firewall.

Runs only against local computer. Not included in the Guide scripts

FwRemoteAdminEnable.vbs

 

Enables remote administration for Windows Firewall. Remote administration is disabled by default in Windows XP Service Pack 2.

Runs only against local computer. Not included in the Guide scripts

install.vbs

Part of Scenarios 1 & 2

 

See section on Scenarios 1 & 2 below.

Install-local.vbs

Part of Scenarios 1 & 2

 

See section on Scenarios 1 & 2 below.

LocalMachineLockdown-wmi.vbs

 

Turns on or off local machine lockdown for the iexplore.exe process.

 

LocalMachineLockdown-wmi-multi.vbs

lockdown-hosts.csv

Turns on or off local machine lockdown for the iexplore.exe process on multiple computers.

 

OpenPorts-com.vbs

 

Opens specified ports in Windows Firewall.

Runs only against local computer. Corresponds to openport.vbs in the Guide scripts, but can open multiple ports.

OpenPrograms-com.vbs

 

Adds specified programs to the Windows Firewall exceptions list.

Runs only against local computer. Corresponds to openprogram.vbs in the Guide scripts, but can authorize multiple programs.

RemovePorts-com.vbs

 

Deletes specified ports in the Windows Firewall.

Runs only against local computer. Corresponds to closeport.vbs in the Guide scripts, but can delete multiple ports.

RemovePrograms-com.vbs

 

Deletes exceptions for specified apps in Windows Firewall.

Runs only against local computer. Corresponds to closeprogram.vbs in the Guide scripts, but can delete multiple programs.

RpcSec-wmi.vbs

 

Configures RPC security to bypass new restrictions in Windows XP Service Pack 2 and allow anonymous call back.

 

RpcSec-wmi-multi.vbs

rpcsec-hosts.csv

Configures RPC security to bypass new restrictions in Windows XP Service Pack 2 and allow anonymous call back on multiple computers.

 

runonce.vbs

Part of Scenarios 1 & 2

 

See section on Scenarios 1 & 2 below.

scenario1.vbs

computers.txt
install.vbs
Install-local.vbs
runonce.vbs

Deploys Windows XP Service Pack 2 on multiple computers and configures Windows Firewall.

See section on Scenario 1 below.

scenario2.vbs

install.vbs
Install-local.vbs
runonce.vbs

Installs Windows XP Service Pack 2 on a local mobile computer and configures Windows Firewall.

See section on Scenario 2 below.

WinFire-com.vbs

 

Opens specified ports and authorizes specified applications in Windows Firewall.

Runs only against local computer.

ZoneElevation-wmi.vbs

 

Turns on or off the zone elevation restriction for the iexplore.exe process.

 

ZoneElevation-wmi-multi.vbs

zoneelev-hosts.csv

Turns on or off the zone elevation restriction for the iexplore.exe process on multiple computers.

 

Zones-wmi.vbs

 

Configures the settings for a specific Internet Explorer security zone.

 

Zones-wmi-multi.vbs

zones-hosts.txt

Configures the settings for a specific Internet Explorer security zone on multiple computers.

 

Scenario 1

For a full explanation of Scenario 1, see Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2.

Contoso Ltd. is a medium-sized international pharmaceutical company with a dedicated IT department. Contoso want to deploy Windows XP Service Pack 2 and configure the Windows Firewall for Remote Management.

This supplemental version of Scenario 1 shows how to accomplish these goals by using VBScript scripts that use primarily Windows Management Instrumentation (WMI) and the Windows Firewall COM object model.

This scenario assumes that:

  • Credentials under which scripts are run have administrative privileges on each host.

  • Names of computers and files in variables are changed to reflect actual computers and network. Some of the names in the scripts are placeholders.

  • Necessary scripts are present on the administrative workstation in the same folder.

  • The SP2 setup executable (WindowsXP-KB835935-SP2-ENU.exe) is present on a network share accessible to all network hosts against which the scripts are run. This share does not have to be (but may be) the same one on the administrative workstation where the scripts are stored and Scenario1.vbs is run.

To copy the SP2 setup to each host and run it locally:

  • Rename install.vbs to an alternative name (such as install-remote.vbs) and rename install-local.vbs to install.vbs as described below.

  • Change the line in scenario1.vbs CopyFiles function that creates the array of files to:

    arrFiles = Array("install.vbs", "runonce.vbs", "WindowsXP-KB835935-SP2-ENU.exe")
    
  • Make sure that the SP2 setup executable (WindowsXP-KB835935-SP2-ENU.exe) is present in the same folder as the scripts. In this variation on the scenario, it must be copied to each network host before installation.

The SP2 setup executable file size is over 260 megabytes, and could generate considerable network traffic if copied to many clients, so running it from a server may be preferable depending on network and storage considerations.

Filename

Preparation

Purpose

Notes

scenario1.vbs

 

Runs on local admin workstation. Gets list of remote hosts from computers.txt and copies the following files to each machine: install.vbs, runonce.vbs, update.exe. After files are copied, runs install.vbs as a local process on each remote machine.

If running the Windows XP Service Pack 2 setup from a setup file to be copied to the local computer, change the line that creates the array in the CopyFiles function to read:

arrFiles = Array _
("install.vbs", "runonce.vbs", _
 "WindowsXP-KB835935-SP2-ENU.exe")

computers.txt

Edit to include actual client names.
Do not include double back slashes "\\" before the client name.
Make sure there is not an empty new line after the final entry, as the script would interpret this as a nameless machine.

List of accessible network hosts on which to run scripts.

 

install.vbs

Change variables to reflect actual computer and network.

  • Runs SP2 installation from a Windows XP Service Pack 2 executable on a remote server.

  • Sets AutoAdmin and RunOnce registry entries on host.

  • Logs results to text file, <computername>-sp2-instlog.txt and copies the file back to admin workstation.

  • Forces a reboot, after which runonce.vbs runs automatically.

To install Service Pack 2 from a setup file already copied to the local computer, rename install.vbs to a name such as install-remote.vbs and rename install-local.vbs to install.vbs.

install-local.vbs

Change variables to reflect actual computer and network.

  • Runs SP2 installation from a Windows XP Service Pack 2 executable on the local machine.

  • Rest of functionality is the same as install.vbs.

To install Service Pack 2 from a setup file already copied to the local computer, rename install.vbs to a name such as install-remote.vbs and rename install-local.vbs to install.vbs.

runonce.vbs

Change variables to reflect actual network.

  • Runs after machine reboots for first time, launched by RunOnce reg entry.

  • Configures Windows Firewall to allow certain programs and open certain ports.

  • Enables remote administration on Windows Firewall.

  • Removes AutoAdmin and RunOnce registry entries.

  • Logs results to text file, <computername>-sp2-clnuplog.txt and copies the file back to admin workstation.

  • Again forces a reboot.

 

Scenario 2

For a full explanation of Scenario 2, see Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2.

Contoso has a small remote subsidiary with several mobile users. They have been instructed to report to the office for one day within a two week period to have Service Pack 2 installed and configured. The user is instructed to run a script on the local computer that uses the runas command to complete the installation. The user is prompted to enter a specific password with local Administrator rights only.

This supplemental version of Scenario 2 shows how to accomplish these goals by using VBScript scripts that use primarily Windows Management Instrumentation (WMI) and the Windows Firewall COM object model.

This scenario assumes that:

  • Necessary scripts are present on the administrative workstation in the same folder.

  • Credentials under which scripts are run have administrative privileges on the local computer. User must be given Administrator credentials and enter them when prompted by runas.

  • Names of computers and files in variables are changed to reflect actual computers and network. Some of the names in the scripts are placeholders.

  • The SP2 setup executable (WindowsXP-KB835935-SP2-ENU.exe) is present on a network share accessible, via the subsidiary's network, to the computer on which the scripts are run.

To run the SP2 setup on the local computer:

  • Rename install.vbs to an alternative name (such as install-remote.vbs) and rename install-local.vbs to install.vbs as described below.

  • Make sure that the SP2 setup executable (WindowsXP-KB835935-SP2-ENU.exe) is present on the local computer in the same folder as the scripts. In this variation on the scenario, it must be copied to the local computer before installation.

The SP2 setup executable file size is over 260 megabytes, and could generate considerable network traffic if copied to many clients, so running it from a server may be preferable depending on network and storage considerations.

Filename

Preparation

Purpose

Notes

scenario2.vbs

Change variables to reflect actual computer as necessary.

Runs on the local computer of a non-Administrator user in a branch office.The user must enter the local Administrator password.
The script runs the Windows XP SP2 setup and configuration script specified by strScript (install.vbs), which ends by rebooting the machine.
When the machine starts up again, another script (runonce.vbs) runs under administrative credentials and performs more configuration. The the machine reboots for a second time.

 

scenario2.cmd

Change UNC path to reflect actual computer as necessary.

Batch file that performs the same function as scenario2.vbs.

Shown as an alternative example to the .vbs script.

install.vbs

Change variables to reflect actual computer and network.

  • Runs SP2 installation from a Windows XP Service Pack 2 executable on a remote server.

  • Sets AutoAdmin and RunOnce registry entries on host.

  • Logs results to text file, <computername>-sp2-instlog.txt.

  • Forces a reboot, after which runonce.vbs runs automatically.

Same script as used with scenario1.vbs, but changes must be made to variable so that script saves logs locally.
To install Service Pack 2 from a setup file already copied to the local computer, rename install.vbs to a name such as install-remote.vbs and rename install-local.vbs to install.vbs.
To run this script with scenario2.vbs, change the UNC path to which the log file is copied to a local path.

install-local.vbs

Change variables to reflect actual computer and network.

  • Runs SP2 installation from a Windows XP Service Pack 2 executable on the local machine.

  • Rest of functionality is the same as install.vbs.

Same script as used with scenario1.vbs, but changes must be made to variable so that script saves logs locally.
To install Service Pack 2 from a setup file already copied to the local computer, rename install.vbs to a name such as install-remote.vbs and rename install-local.vbs to install.vbs.
To run this script with scenario2.vbs, change the UNC path to which the log file is copied to a local path.

runonce.vbs

Change variables to reflect actual network.
Change value assigned to g_strRemoteFolder to a local folder, "c:\temp-ac\logs"

  • Runs after machine reboots for first time, launched by RunOnce reg entry.

  • Configures Windows Firewall to allow certain programs and open certain ports.

  • Enables remote administration on Windows Firewall.

  • Removes AutoAdmin and RunOnce registry entries.

  • Logs results to text file, <computername>-sp2-clnuplog.txt.

  • Again forces a reboot.

Same script as used with scenario1.vbs.
To run this script with scenario2.vbs, change the UNC path to which the log file is copied to a local path.

Support

For online peer support, join The Official Scripting Guys Forum! To provide feedback or report bugs in sample scripts, please start a new discussion on the Discussions tab for this script.

Disclaimer

The sample scripts described on this page are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.