Windows XP Service Pack 2 Application Compatibility - Supplemental Scripts
By Peter Costantini, The Scripting Guys, Microsoft Corporation
The scripts in this collection are counterparts to the scripts that ship with the "Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2" (called "the Guide" for the rest of this paper) and which are documented in the Appendix. You can download a Windows Installer (.msi) file that installs the Guide and its associated scripts from:
https://www.microsoft.com/downloads/
Most of the scripts require that Windows XP Service Pack 2 be installed on the computers against which they are run. The exceptions include the scenario-based scripts explained in the list of scripts below, which show methods for deploying Service Pack 2. The Service Pack 2 download and resources for IT professionals can be found at:
https://www.microsoft.com/technet/winxpsp2/
While the scripts installed with the Guide are mainly batch files and VBScript scripts that use Windows Script Host (WSH), the scripts in this collection primarily use Windows Management Instrumentation (WMI) and the Windows Firewall COM object model. They are illustrations of how to use alternative scripting techniques to accomplish the same tasks; which works better for your particular needs depends on those specific needs and on your scripting preferences.
Because WMI enables built-in remoting through Distributed Component Object Model (DCOM), these scripts can run more easily against multiple remote computers. At the same time, these scripts are generally more complex because they:
Use variables for changeable parameters rather than hard-coding them.
Do some error checking.
In some cases, use a text file for input.
In some cases, are broken down into subroutines and functions.
The Windows Firewall object model, however, does not use DCOM remoting and works only on the local computer.
Most of these scripts correspond directly to the scripts included with the Guide. Such scripts have the same filename with "-wmi" appended. In the case of the Windows Firewall scripts, "-com" is appended instead to the filename because Windows Firewall uses its own COM object model rather than WMI. A few scripts here have extra functionality. And finally, some additional scripts not corresponding to any Guide script have been included in this collection.
These scripts are offered as examples to be adapted to the particular needs of users. In most cases, they cannot be run as is. Rather, you must substitute correct parameters for your particular computer or network in place of the generic ones included in the scripts and input text files. In most cases, such parameters are commented in the scripts.
Scripts
Filename |
Associated Files |
Purpose |
Notes |
---|---|---|---|
|
Disables a specific Internet Explorer add-on. |
|
|
addon-hosts.txt |
Disables a specific Internet Explorer add-on on multiple computers. |
|
|
|
Permits pop-ups in Internet Explorer for specific sites. |
|
|
allowpop-hosts.txt |
Permits pop-ups in Internet Explorer for specific sites on multiple computers. |
|
|
|
Turns off or on attachment restrictions for Outlook Express. |
|
|
attach-hosts.csv |
Turns off or on attachment restrictions for Outlook Express on multiple computers. |
|
|
|
Closes specified ports in Windows Firewall, retains the stored port settings. |
Runs only against local computer. No script in the Guide scripts corresponds to this script: closeport.vbs in those scripts deletes a port and corresponds to RemovePorts-wmi.vbs. |
|
|
Disables exceptions for specified apps in Windows Firewall, but retains the stored app settings. |
Runs only against local computer. No script in the Guide scripts corresponds to this script: closeprogram.vbs in those scripts deletes the program and corresponds to RemovePrograms-wmi.vbs. |
|
|
Exempts applications from the DCOM activation security check. |
|
|
dcomsec-hosts.csv |
Exempts applications from the DCOM activation security check on multiple computers. |
|
|
|
Disables Windows Firewall, which is enabled by default on XP SP2. |
Runs only against local computer. Not included in the Guide scripts. |
|
|
Enables Windows Firewall. |
Runs only against local computer. Not included in the Guide scripts. |
|
|
Lists the open ports and authorized apps for Windows Firewall. |
Runs only against local computer. Not included in the Guide scripts. |
|
|
Disables remote administration for Windows Firewall. |
Runs only against local computer. Not included in the Guide scripts. |
|
|
Enables remote administration for Windows Firewall. Remote administration is disabled by default in Windows XP Service Pack 2. |
Runs only against local computer. Not included in the Guide scripts. |
|
Part of Scenarios 1 & 2 |
|
See section on Scenarios 1 & 2 below. |
|
Part of Scenarios 1 & 2 |
|
See section on Scenarios 1 & 2 below. |
|
|
Turns on or off local machine lockdown for the iexplore.exe process. |
|
|
lockdown-hosts.csv |
Turns on or off local machine lockdown for the iexplore.exe process on multiple computers. |
|
|
|
Opens specified ports in Windows Firewall. |
Runs only against local computer. Corresponds to openport.vbs in the Guide scripts, but can open multiple ports. |
|
|
Adds specified programs to the Windows Firewall exceptions list. |
Runs only against local computer. Corresponds to openprogram.vbs in the Guide scripts, but can authorize multiple programs. |
|
|
Deletes specified ports in the Windows Firewall. |
Runs only against local computer. Corresponds to closeport.vbs in the Guide scripts, but can delete multiple ports. |
|
|
Deletes exceptions for specified apps in Windows Firewall. |
Runs only against local computer. Corresponds to closeprogram.vbs in the Guide scripts, but can delete multiple programs. |
|
|
Configures RPC security to bypass new restrictions in Windows XP Service Pack 2 and allow anonymous call back. |
|
|
rpcsec-hosts.csv |
Configures RPC security to bypass new restrictions in Windows XP Service Pack 2 and allow anonymous call back on multiple computers. |
|
|
Part of Scenarios 1 & 2 |
|
See section on Scenarios 1 & 2 below. |
|
computers.txt |
Deploys Windows XP Service Pack 2 on multiple computers and configures Windows Firewall. |
See section on Scenario 1 below. |
|
install.vbs |
Installs Windows XP Service Pack 2 on a local mobile computer and configures Windows Firewall. |
See section on Scenario 2 below. |
|
|
Opens specified ports and authorizes specified applications in Windows Firewall. |
Runs only against local computer. |
|
|
Turns on or off the zone elevation restriction for the iexplore.exe process. |
|
|
zoneelev-hosts.csv |
Turns on or off the zone elevation restriction for the iexplore.exe process on multiple computers. |
|
|
|
Configures the settings for a specific Internet Explorer security zone. |
|
|
zones-hosts.txt |
Configures the settings for a specific Internet Explorer security zone on multiple computers. |
|
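The table above distinguishes closing a port or program exception (the entry stays stored but disabled) from removing it. The following VBScript is an added example, not one of the collection's scripts: it reads the local profile through the Windows Firewall COM object (`HNetCfg.FwMgr`) and reports the state and scope of every stored exception, along with the remote administration setting.

```vbscript
' Added example, not one of the collection's scripts: read-only audit of the
' local Windows Firewall profile through the HNetCfg.FwMgr COM object.
Option Explicit
Const NET_FW_IP_PROTOCOL_TCP = 6
Const NET_FW_IP_PROTOCOL_UDP = 17
Const NET_FW_SCOPE_ALL = 0
Const NET_FW_SCOPE_LOCAL_SUBNET = 1
Dim objFwMgr, objProfile, objPort, objApp
On Error Resume Next
Set objFwMgr = CreateObject("HNetCfg.FwMgr")
If Err.Number <> 0 Then
    WScript.Echo "Windows Firewall COM object unavailable: " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' The object model works only against the local computer's policy.
Set objProfile = objFwMgr.LocalPolicy.CurrentProfile
WScript.Echo "Firewall enabled:      " & objProfile.FirewallEnabled
WScript.Echo "Remote administration: " & objProfile.RemoteAdminSettings.Enabled

WScript.Echo vbCrLf & "Port exceptions:"
For Each objPort In objProfile.GloballyOpenPorts
    WScript.Echo "  " & objPort.Port & "/" & ProtocolName(objPort.Protocol) & _
        "  " & objPort.Name & "  [" & StateName(objPort.Enabled) & ", " & _
        ScopeName(objPort.Scope, objPort.RemoteAddresses) & "]"
Next
WScript.Echo vbCrLf & "Program exceptions:"
For Each objApp In objProfile.AuthorizedApplications
    WScript.Echo "  " & objApp.ProcessImageFileName & "  " & objApp.Name & _
        "  [" & StateName(objApp.Enabled) & ", " & _
        ScopeName(objApp.Scope, objApp.RemoteAddresses) & "]"
Next

Function ProtocolName(intProtocol)
    ProtocolName = "protocol " & intProtocol
    If intProtocol = NET_FW_IP_PROTOCOL_TCP Then ProtocolName = "TCP"
    If intProtocol = NET_FW_IP_PROTOCOL_UDP Then ProtocolName = "UDP"
End Function
' A disabled entry is still stored (closed); a removed entry is not listed.
Function StateName(blnEnabled)
    If blnEnabled Then StateName = "open" Else StateName = "closed, entry retained"
End Function

Function ScopeName(intScope, strAddresses)
    ScopeName = "custom: " & strAddresses
    If intScope = NET_FW_SCOPE_ALL Then ScopeName = "any address"
    If intScope = NET_FW_SCOPE_LOCAL_SUBNET Then ScopeName = "local subnet"
End Function
```

Run it with cscript.exe on a computer that has Service Pack 2 installed; entries reported as open to any address are the ones to review first.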
Scenario 1
For a full explanation of Scenario 1, see Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2.
Contoso Ltd. is a medium-sized international pharmaceutical company with a dedicated IT department. Contoso wants to deploy Windows XP Service Pack 2 and configure the Windows Firewall for Remote Management.
This supplemental version of Scenario 1 shows how to accomplish these goals by using VBScript scripts that use primarily Windows Management Instrumentation (WMI) and the Windows Firewall COM object model.
This scenario assumes that:
Credentials under which scripts are run have administrative privileges on each host.
Names of computers and files in variables are changed to reflect actual computers and network. Some of the names in the scripts are placeholders.
Necessary scripts are present on the administrative workstation in the same folder.
The SP2 setup executable (WindowsXP-KB835935-SP2-ENU.exe) is present on a network share accessible to all network hosts against which the scripts are run. This share does not have to be (but may be) the same one on the administrative workstation where the scripts are stored and Scenario1.vbs is run.
To copy the SP2 setup to each host and run it locally:
Rename install.vbs to an alternative name (such as install-remote.vbs) and rename install-local.vbs to install.vbs as described below.
Change the line in scenario1.vbs CopyFiles function that creates the array of files to:
arrFiles = Array("install.vbs", "runonce.vbs", "WindowsXP-KB835935-SP2-ENU.exe")
Make sure that the SP2 setup executable (WindowsXP-KB835935-SP2-ENU.exe) is present in the same folder as the scripts. In this variation on the scenario, it must be copied to each network host before installation.
The SP2 setup executable file size is over 260 megabytes, and could generate considerable network traffic if copied to many clients, so running it from a server may be preferable depending on network and storage considerations.
Filename |
Preparation |
Purpose |
Notes |
---|---|---|---|
|
Runs on local admin workstation. Gets list of remote hosts from computers.txt and copies the following files to each machine: install.vbs, runonce.vbs, update.exe. After files are copied, runs install.vbs as a local process on each remote machine. |
If running the Windows XP Service Pack 2 setup from a setup file to be copied to the local computer, change the line that creates the array in the CopyFiles function to read:
|
|
computers.txt |
Edit to include actual client names. |
List of accessible network hosts on which to run scripts. |
|
Change variables to reflect actual computer and network. |
|
To install Service Pack 2 from a setup file already copied to the local computer, rename install.vbs to a name such as install-remote.vbs and rename install-local.vbs to install.vbs. |
|
Change variables to reflect actual computer and network. |
|
To install Service Pack 2 from a setup file already copied to the local computer, rename install.vbs to a name such as install-remote.vbs and rename install-local.vbs to install.vbs. |
|
Change variables to reflect actual network. |
|
|
Scenario 2
For a full explanation of Scenario 2, see Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2.
Contoso has a small remote subsidiary with several mobile users. They have been instructed to report to the office for one day within a two-week period to have Service Pack 2 installed and configured. The user is instructed to run a script on the local computer that uses the runas command to complete the installation. The user is prompted to enter a specific password with local Administrator rights only.
This supplemental version of Scenario 2 shows how to accomplish these goals by using VBScript scripts that use primarily Windows Management Instrumentation (WMI) and the Windows Firewall COM object model.
This scenario assumes that:
Necessary scripts are present on the administrative workstation in the same folder.
Credentials under which scripts are run have administrative privileges on the local computer. User must be given Administrator credentials and enter them when prompted by runas.
Names of computers and files in variables are changed to reflect actual computers and network. Some of the names in the scripts are placeholders.
The SP2 setup executable (WindowsXP-KB835935-SP2-ENU.exe) is present on a network share accessible, via the subsidiary's network, to the computer on which the scripts are run.
To run the SP2 setup on the local computer:
Rename install.vbs to an alternative name (such as install-remote.vbs) and rename install-local.vbs to install.vbs as described below.
Make sure that the SP2 setup executable (WindowsXP-KB835935-SP2-ENU.exe) is present on the local computer in the same folder as the scripts. In this variation on the scenario, it must be copied to the local computer before installation.
The SP2 setup executable file size is over 260 megabytes, and could generate considerable network traffic if copied to many clients, so running it from a server may be preferable depending on network and storage considerations.
Filename |
Preparation |
Purpose |
Notes |
---|---|---|---|
Change variables to reflect actual computer as necessary. |
Runs on the local computer of a non-Administrator user in a branch office. The user must enter the local Administrator password. |
|
|
scenario2.cmd |
Change UNC path to reflect actual computer as necessary. |
Batch file that performs the same function as scenario2.vbs. |
Shown as an alternative example to the .vbs script. |
Change variables to reflect actual computer and network. |
|
Same script as used with scenario1.vbs, but changes must be made to the variables so that the script saves logs locally. |
|
Change variables to reflect actual computer and network. |
|
Same script as used with scenario1.vbs, but changes must be made to the variables so that the script saves logs locally. |
|
Change variables to reflect actual network. |
|
Same script as used with scenario1.vbs. |
Support
For online peer support, join The Official Scripting Guys Forum! To provide feedback or report bugs in sample scripts, please start a new discussion on the Discussions tab for this script.
Disclaimer
The sample scripts described on this page are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.