Runonce.vbs

作者: The Scripting Guys,Microsoft Corporation

這個指令碼會設定 Windows 防火牆,並清除 install.vbs 或 install-local.vbs 所設定的登錄項目。install.vbs 或 install-local.vbs 完成工作後,就會在網路主機上自動啟動,並執行下列工作:

  • 在重新開機之後首次執行,由 RunOnce 登錄項目啟動。

  • 設定 Windows 防火牆允許某些程式並開啟某些連接埠。您必須編輯這些設定,才能反映網路的設定。

  • 在 Windows 防火牆上啟用遠端管理,這樣便能在這部主機上再次執行遠端指令碼和系統管理工具。

  • 重設 AutoAdmin 及 RunOnce 登錄項目。

  • 將結果記錄到文字檔 computername-sp2-clnuplog.txt,並在「案例 1」中,將檔案複製回管理工作站。

  • 再次強制執行重新開機。

案例 1 和 2 以及每個指令碼的角色的進一步說明,都包含在位於以下網址的指令碼簡介中:

http://www.microsoft.com/technet/scriptcenter/solutions/appcompat/default.mspx (英文)

Runonce.vbs 對應於 runonce.cmd 並增加其功能;runonce.cmd 是《Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2》(Windows XP Service Pack 2 應用程式相容性測試及緩和指南) 隨附的指令碼之一,並記錄在<附錄>中。您可以下載用來安裝該指南及其相關指令碼的 Windows Installer (.msi) 檔案,網址是:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9300BECF-2DEE-4772-ADD9-AD0EAF89C4A7&displaylang=en (英文)

若要使用指令碼,請複製程式碼並將它貼入「記事本」,再將指令碼儲存為 runonce.vbs。這個指令碼的設計用途,是做為 scenario1.vbs 或 scenario2.vbs 所起始程序的一部分自動執行。

指令碼


'******************************************************************************
'runonce.vbs
'Author: Peter Costantini, the Microsoft Scripting Guys
'Date: 9/1/04
'Must be deployed to a client by scenario1.vbs, or present on the local
'computer for scenario2.vbs.
'Runs on client when it reboots because specified in RunOnce reg entry.
'Assumes that scenario1.vbs, install.vbs and the Windows XP Service Pack 2
'setup program have already run.
'1. Configures Windows Firewall to allow certain programs and open certain
'ports.
'2. Enables remote administration on Windows Firewall.
'3. Removes the AutoAdmin and RunOnce registry settings that were necessary
'   for this script to run.
'4. Forces a reboot of the local machine so that the changes take effect.
'******************************************************************************

'Script-level error handling: a run-time error in the statements below does
'not stop the script.
'NOTE(review): in VBScript this statement only covers the scope it appears in;
'a procedure that tests Err after a call needs its own On Error Resume Next
'for that test to be reached - confirm for each procedure below.
On Error Resume Next

'Initialize global constants and variables.
Const FOR_APPENDING = 8
g_strLocalFolder = "c:\temp-ac"
'Change name of computer to actual administrative workstation or local folder
'to which log should be copied.
'<adminwkstn> is a placeholder and must be replaced before deployment.
'c$ is an administrative share, so the account this script runs under needs
'administrative rights on that workstation for the copy to succeed.
g_strRemoteFolder = "\\<adminwkstn>\c$\scripts-ac"
'If running this script with scenario2.vbs, change to a local folder, e.g.:
'g_strRemoteFolder = "c:\temp-ac\logs"

'Get computer name.
g_strComputer = GetComputerName
'The log file name has no folder part, so it is opened relative to the
'current directory of the script host rather than in g_strLocalFolder.
g_strLogFile = g_strComputer & "-sp2-clnuplog.txt"

'Create log file.
Set g_objFSO = CreateObject("Scripting.FileSystemObject")
'Third argument True creates the file if it does not exist yet; existing
'content is kept because the file is opened for appending.
Set g_objTextStream = g_objFSO.OpenTextFile(g_strLogFile, FOR_APPENDING, True)
g_objTextStream.WriteLine "Windows XP Service Pack 2 " & _
 "Cleanup and Firewall Log: Phase 2"
g_objTextStream.WriteLine Now
g_objTextStream.WriteLine g_strComputer
g_objTextStream.WriteLine String(Len(g_strComputer), "-")

'Handle logic of calling functions and sub-routines.
'Order: firewall exceptions first, then removal of the automatic-logon and
'RunOnce registry values, then the reboot.
ConfigWinFire
blnCleanUpReg = CleanUpReg
'If the registry cleanup did not fully succeed, copy the log and stop without
'rebooting. The log should then be reviewed: the automatic-logon values
'(including DefaultPassword) may still be present in the registry.
If blnCleanUpReg = False Then
  CopyLog
  WScript.Quit
End If
Reboot

'******************************************************************************

Function GetComputerName
'Returns the Name property of the Win32_ComputerSystem instance on the local
'computer, read through WMI (root\cimv2 on ".").
'If the query yields more than one instance, the last one wins.

strMoniker = "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2"
Set objWMI = GetObject(strMoniker)
For Each objItem In objWMI.ExecQuery("SELECT * FROM Win32_ComputerSystem")
  GetComputerName = objItem.Name
Next

End Function

'******************************************************************************

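Sub ConfigWinFire
'Adds the port and program exceptions listed below to the current Windows
'Firewall profile, enables remote administration if it is off, and writes
'each change plus the resulting exception lists to g_objTextStream.
'
'Security review notes:
' - Every exception is created with the default scope (all source addresses).
'   The sample ports are the NetBIOS/SMB file-and-print ports; replace the
'   sample lists with what the network actually needs and consider limiting
'   the scope (see the commented Scope line in the port loop).
' - Remote administration is enabled with whatever scope is already set;
'   the scope is only logged, not changed.

Const NET_FW_IP_PROTOCOL_TCP = 6
Const NET_FW_IP_PROTOCOL_UDP = 17
Const NET_FW_SCOPE_ALL = 0
Const NET_FW_SCOPE_LOCAL_SUBNET = 1
Const NET_FW_SCOPE_CUSTOM = 2
'First dimension of arrNewPorts must equal # of ports to be added minus 1.
Dim arrNewPorts(3,2)
'First dimension of arrNewApps must equal # of apps to be allowed minus 1.
Dim arrNewApps(2,1)

'Enable error handling inside this procedure so that the Err checks below
'are evaluated here instead of the error being passed up to the caller.
On Error Resume Next

'Edit this list to add or remove ports on the exceptions list.
'Scope, and Enabled are optional properties not used here.
'Default for Scope is NET_FW_SCOPE_ALL. Default for Enabled is True.

arrNewPorts(0,0) = "FPS" 'Name
arrNewPorts(0,1) = 137 'Port
arrNewPorts(0,2) = NET_FW_IP_PROTOCOL_UDP 'Protocol

arrNewPorts(1,0) = "FPS1"
arrNewPorts(1,1) = 138
arrNewPorts(1,2) = NET_FW_IP_PROTOCOL_UDP

arrNewPorts(2,0) = "FPS2"
arrNewPorts(2,1) = 139
arrNewPorts(2,2) = NET_FW_IP_PROTOCOL_TCP

arrNewPorts(3,0) = "FPS3"
arrNewPorts(3,1) = 445
arrNewPorts(3,2) = NET_FW_IP_PROTOCOL_TCP

'Edit this list to add or remove programs on the exceptions list.
'Scope, and Enabled are optional properties not used here.
'Default for Scope is NET_FW_SCOPE_ALL. Default for Enabled is True.
'The three entries below are samples; an authorized program may accept
'inbound connections, so list only programs that need to.

arrNewApps(0,0) = "NsLookup" 'Name
arrNewApps(0,1) = "%windir%\system32\nslookup.exe" 'ProcessImageFileName
'Must be a fully qualified path, but can contain environment variables.

arrNewApps(1,0) = "Notepad"
arrNewApps(1,1) = "%windir%\system32\notepad.exe"

arrNewApps(2,0) = "Calculator"
arrNewApps(2,1) = "%windir%\system32\calc.exe"

'Create the firewall manager object.
Err.Clear
Set objFwMgr = CreateObject("HNetCfg.FwMgr")
If Err <> 0 Then
  g_objTextStream.WriteLine "Unable to connect to Windows Firewall."
  Err.Clear
  Exit Sub
End If
'Get the current profile for the local firewall policy.
Set objProfile = objFwMgr.LocalPolicy.CurrentProfile
Set colOpenPorts = objProfile.GloballyOpenPorts
Set colAuthorizedApps = objProfile.AuthorizedApplications
If Err <> 0 Then
  'Without the profile collections nothing below can work; stop here so the
  'log does not suggest that exceptions were processed.
  g_objTextStream.WriteLine "Unable to read current Windows Firewall profile."
  Err.Clear
  Exit Sub
End If

g_objTextStream.WriteLine VbCrLf & "Windows Firewall"
g_objTextStream.WriteLine VbCrLf & "Port Settings:"
g_objTextStream.WriteLine VbCrLf & "New open ports added:"
For i = 0 To UBound(arrNewPorts)
'Create an FWOpenPort object
  Err.Clear
  Set objOpenPort = CreateObject("HNetCfg.FWOpenPort")
  objOpenPort.Name = arrNewPorts(i, 0)
  objOpenPort.Port = arrNewPorts(i, 1)
  objOpenPort.Protocol = arrNewPorts(i, 2)
  'Optional hardening: accept traffic from the local subnet only.
  'objOpenPort.Scope = NET_FW_SCOPE_LOCAL_SUBNET
  colOpenPorts.Add objOpenPort
  If Err = 0 Then
    g_objTextStream.WriteLine "Name: " & objOpenPort.Name
    g_objTextStream.WriteLine "  Protocol: " & objOpenPort.Protocol
    g_objTextStream.WriteLine "  Port Number: " & objOpenPort.Port
  Else
    g_objTextStream.WriteLine "Unable to add port: " & arrNewPorts(i, 0)
    g_objTextStream.WriteLine "  Error Number:" & Err.Number
    g_objTextStream.WriteLine "  Source:" & Err.Source
    g_objTextStream.WriteLine "  Description:" & Err.Description
  End If
  Err.Clear
Next

g_objTextStream.WriteLine VbCrLf & "All open ports:"
For Each objPort In colOpenPorts
  g_objTextStream.WriteLine "Name: " & objPort.Name
  g_objTextStream.WriteLine "  Protocol: " & objPort.Protocol
  g_objTextStream.WriteLine "  Port Number: " & objPort.Port
  g_objTextStream.WriteLine "  Scope: " & objPort.Scope
  g_objTextStream.WriteLine "  Enabled: " & objPort.Enabled
Next

g_objTextStream.WriteLine VbCrLf & "Application Settings:"
g_objTextStream.WriteLine VbCrLf & "New authorized applications added:"
'Loop over the applications array. The original looped to
'UBound(arrNewPorts), which indexes past the end of arrNewApps whenever
'there are more ports than applications.
For i = 0 To UBound(arrNewApps)
'Create an FwAuthorizedApplication object
  Err.Clear
  Set objAuthorizedApp = CreateObject("HNetCfg.FwAuthorizedApplication")
  objAuthorizedApp.Name = arrNewApps(i,0)
  objAuthorizedApp.ProcessImageFileName = arrNewApps(i, 1)
  colAuthorizedApps.Add objAuthorizedApp
  If Err = 0 Then
    g_objTextStream.WriteLine "Name: " & objAuthorizedApp.Name
    g_objTextStream.WriteLine "  Process Image File: " & _
     objAuthorizedApp.ProcessImageFileName
  Else
    g_objTextStream.WriteLine "Unable to add application: " & arrNewApps(i,0)
    g_objTextStream.WriteLine "  Error Number:" & Err.Number
    g_objTextStream.WriteLine "  Source:" & Err.Source
    g_objTextStream.WriteLine "  Description:" & Err.Description
  End If
  Err.Clear
Next

g_objTextStream.WriteLine VbCrLf & "All authorized applications:"
For Each objApp In colAuthorizedApps
  g_objTextStream.WriteLine "Name: " & objApp.Name
  'Label and Scope/Enabled now describe the application itself; the original
  'printed the image path as "Protocol" and read Scope/Enabled from the
  'leftover port loop variable.
  g_objTextStream.WriteLine "  Process Image File: " & _
   objApp.ProcessImageFileName
  g_objTextStream.WriteLine "  Scope: " & objApp.Scope
  g_objTextStream.WriteLine "  Enabled: " & objApp.Enabled
Next
Err.Clear

'Get remote admin settings.
Set objRemoteAdminSettings = objProfile.RemoteAdminSettings
'If remote administration not enabled, enable it.
If objRemoteAdminSettings.Enabled = False Then
  objRemoteAdminSettings.Enabled = True
  g_objTextStream.WriteLine VbCrLf & "Enabled Remote Administration."
Else
  g_objTextStream.WriteLine VbCrLf & "Remote Administration already enabled."
End If
g_objTextStream.WriteLine "Remote Administration Settings:"
g_objTextStream.WriteLine "Enabled: " & objRemoteAdminSettings.Enabled
'Log the scope so that a reviewer of the log can see whether remote
'administration is reachable from all addresses.
If objRemoteAdminSettings.Scope = NET_FW_SCOPE_ALL Then
  strScope = "All" 'Default
ElseIf objRemoteAdminSettings.Scope = NET_FW_SCOPE_LOCAL_SUBNET Then
  strScope = "Local Subnet"
ElseIf objRemoteAdminSettings.Scope = NET_FW_SCOPE_CUSTOM Then
  strScope = "Custom"
Else
  strScope = "UNKNOWN"
End If
g_objTextStream.WriteLine "Scope: " & strScope

End Sub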

'******************************************************************************

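Function CleanUpReg
'Resets the Winlogon automatic-logon values (DefaultUserName,
'DefaultPassword, AutoAdminLogon) and deletes the RunOnce value that started
'this script. Logs each failure to g_objTextStream.
'Returns True only if every registry operation reported success, otherwise
'False.
'
'Security review note: DefaultPassword holds a logon password as a plain
'string value, so a False result means that value may still be readable in
'the registry and must be followed up.

Const HKEY_LOCAL_MACHINE = &H80000002
strKeyPath1 = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
strKeyPath2 = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
'Edit these variables to reset defaults to what they were previously.
strDefaultUserName = ""
strDefaultPassword = ""
strDefaultDomainName = ""
intAutoAdminLogon = 0
strRunOnceEntry = "MyScript"
'The registry provider is opened on the local computer. The original used
'strComputer without ever assigning it, which produced an invalid WMI path.
strComputer = "."

'Enable error handling inside this function so that failures are detected
'and logged here.
On Error Resume Next

'Fail closed: the function result and every return code start as "failed"
'and are only overwritten by a call that actually ran.
CleanUpReg = False
intRet1 = -1
intRet2 = -1
intRet3 = 0 'Stays 0 unless the optional DefaultDomainName block is enabled.
intRet4 = -1
intRet5 = -1

Err.Clear
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
 strComputer & "\root\default:StdRegProv")
If Err <> 0 Then
  g_objTextStream.WriteLine "Error: Unable to connect to registry provider."
  g_objTextStream.WriteLine "Error: AutoAdminLogon and RunOnce could not " & _
   "be fully reset or deleted."
  Err.Clear
  Exit Function
End If

'Edit strDefaultUserName if default user should not be set to empty string.
intRet1 = objReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath1, _
 "DefaultUserName", strDefaultUserName)
If intRet1 <> 0 Then
  g_objTextStream.WriteLine "Error: DefaultUserName not configured."
End If

'Edit strDefaultPassword if default password should not be set to empty string.
'A stricter alternative is to remove the value with objReg.DeleteValue so
'that no DefaultPassword entry remains at all.
intRet2 = objReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath1, _
 "DefaultPassword", strDefaultPassword)
If intRet2 <> 0 Then
  g_objTextStream.WriteLine "Error: DefaultPassword not configured."
End If

'Uncomment these lines and edit strDefaultDomainName if default domain
'for the username needs to be reset.
'intRet3 = -1
'intRet3 = objReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath1, _
' "DefaultDomainName", strDefaultDomainName)
'If intRet3 <> 0 Then
'  g_objTextStream.WriteLine "Error: DefaultDomainName not configured."
'End If

'Turn off AutoAdminLogon
'The value is written with SetStringValue, so pass it as a string.
intRet4 = objReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath1, _
 "AutoAdminLogon", CStr(intAutoAdminLogon))
If intRet4 <> 0 Then
  g_objTextStream.WriteLine "Error: AutoAdminLogon not configured."
End If

'Delete MyScript entry, which ran this script once, from RunOnce subkey.
'NOTE(review): Windows normally removes a RunOnce value itself when it
'launches the command, so a non-zero result here may only mean the value was
'already gone - confirm against how install.vbs registers the entry.
intRet5 = objReg.DeleteValue(HKEY_LOCAL_MACHINE, strKeyPath2, _
 strRunOnceEntry)
If intRet5 <> 0 Then
  g_objTextStream.WriteLine "Error: MyScript RunOnce entry not deleted."
End If
Err.Clear

'Check that all registry write operations succeeded.
'Each code is tested on its own so that non-zero codes cannot cancel out.
If intRet1 = 0 And intRet2 = 0 And intRet3 = 0 And intRet4 = 0 And _
 intRet5 = 0 Then
  g_objTextStream.WriteLine "AutoAdminLogon and RunOnce values reset to " & _
   "empty or deleted."
  CleanUpReg = True
Else
  g_objTextStream.WriteLine "Error: AutoAdminLogon and RunOnce could not " & _
   "be fully reset or deleted."
  CleanUpReg = False
End If

End Function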

'******************************************************************************

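Sub Reboot
'Forces a reboot of the local computer through Win32_OperatingSystem and
'logs a failure if the reboot request is refused.
'
'The published listing had the Win32Shutdown call commented out, so the
'script logged "Attempting to reboot ..." but never rebooted, and the
'failure branch could not be reached. The call is restored here to match the
'behaviour described in the script header. The log is also closed and copied
'before the reboot request, so that its entries are flushed and the
'administrative copy exists on the success path as well.

Const FORCED_REBOOT = 6

'Enable error handling inside this procedure so that a failed WMI call is
'logged instead of ending the procedure silently.
On Error Resume Next

Err.Clear
'The (Shutdown) privilege is requested in the moniker because the reboot
'call needs it.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate," & _
 "(Shutdown)}")
Set colOSes = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem")
If Err <> 0 Then
  g_objTextStream.WriteLine "Error: Unable to reboot." & VbCrLf & _
   "Return code: " & Err.Number
  Err.Clear
  CopyLog
  Exit Sub
End If

g_objTextStream.WriteLine "Attempting to reboot ..."
'CopyLog closes the log file and copies it to g_strRemoteFolder.
CopyLog

For Each objOS In colOSes 'only one
  'Start from a failure code so that a call that raises an error is not
  'mistaken for success.
  intReturn = -1
  intReturn = objOS.Win32Shutdown(FORCED_REBOOT)
  If intReturn <> 0 Then
    'The log was closed above; reopen it to record the failure.
    Set g_objTextStream = g_objFSO.OpenTextFile(g_strLogFile, FOR_APPENDING, True)
    g_objTextStream.WriteLine Now
    g_objTextStream.WriteLine "Error: Unable to reboot." & VbCrLf & _
     "Return code: " & intReturn
    CopyLog
  End If
Next

End Sub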

'******************************************************************************

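Sub CopyLog
'Writes a closing separator to the log, closes it, and copies the log file
'into g_strRemoteFolder, creating that folder first if it does not exist.
'The copy is best effort: once the log is closed a failure cannot be
'recorded in it, so the procedure simply returns.
'
'Security review note: when g_strRemoteFolder points at an administrative
'share, the copy runs with the rights of the account executing this script.
'NOTE(review): that is presumably the automatic-logon account set up by
'install.vbs - confirm, and prefer a dedicated share that only accepts log
'files over c$.

'Enable error handling inside this procedure so that the Err check after
'CreateFolder is evaluated here.
On Error Resume Next

'Close text file.
g_objTextStream.WriteLine "Closing log and attempting to copy log to " & _
 "administrative workstation."
g_objTextStream.WriteLine
g_objTextStream.WriteLine String(80, "-")
g_objTextStream.WriteLine
g_objTextStream.Close

'If remote folder does not exist, create it.
If Not g_objFSO.FolderExists(g_strRemoteFolder) Then
  'Clear any earlier error so the check below reflects CreateFolder only.
  Err.Clear
  g_objFSO.CreateFolder(g_strRemoteFolder)
  If Err <> 0 Then
    Err.Clear
    Exit Sub
  End If
End If
'Copy log.
g_objFSO.CopyFile g_strLogFile, g_strRemoteFolder & "\"
'Do not leave a copy error behind for code that tests Err afterwards.
Err.Clear

End Sub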


如需線上對等支援,請加入 msnews.microsoft.com 新聞伺服器上的 microsoft.public.windows.server.scripting (英文) 社群。若您想要對範例指令碼或指令碼指南,提供意見、回報問題,請與 Microsoft TechNet (英文) 連絡。

免責聲明

此範例指令碼不支援任何 Microsoft 標準技術支援方案或服務。上述的範例指令碼係依「現況」提供,不附帶任何擔保。Microsoft 公司不提供任何的默示擔保,包括但不限於任何商業適售性及特定用途之適用性的默示擔保。您必須承擔此範例指令碼或文件所造成的一切風險。在任何情況下,無論是使用或無法使用此範例指令碼或文件所造成的損害 (包括但不限於營業之損失、營業之中斷、營業資訊之滅失及其他金錢損失),Microsoft 公司、作者群或此指令碼之創作、製造或散發有關之人員概不負責,即使 Microsoft 已經被告知損害發生之可能性亦同。
