Windows: Batch File to Run Every Time Computer Boots

[warcrow]

Hi guys,

Need some help here is some WinXP batch files.

In the office we have some loaner laptops. We plan to lock down the laptop USB ports for security reasons. Management does not want to disable the ports via the BIOS but via a script we've come up with (I've attached the USB code to disable the ports.) so basically it's easy on and easy off (scripts localed on the C drive for admins only).

Objective:

Run a batch file every time a computer boots.


I've tried:

Start Up Folder
To make things easy I was going to drop the script into the Start Up folder under all users, but realized that wouldnt work because you have to be an admin permissions to run the script and we make all users use the guest account.

Autoexec.bat
I've tried dropping the code into the autoexec.bat so that it runs every time the computer boots, but for some reason it doesnt run.

Registry
I have now moved on to the registry. I figured this is the best way to make it run all the time. I when to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


Added a key with: C:\System32\cmd.exe /c yourpath\yourbatch.bat

no dice. Anyone have any suggestions or know what might be going on?

 

[Aberforth]

How about running batch files using Task Scheduler? I dunno about XP but in Vista you schedule tasks like this: http://img27.imageshack.us/img27/76/blahblahf.jpg or you can simply use GUI automation tools like AutoIT (which i prefer).

 

[Ken g6]

Yep, Scheduled Tasks should do it. You can run a task, at System Startup, as a given user, if you enter that user's password.

 

[warcrow]

Good suggestion, but the problem is that we re-image these machine very often so it would require setup every time.

I'm looking for something more automatic. I think the best bet is to go with Group Policy. I'm actually currently trying to figure out how to write to local GP on the machine via command line. That would be great, but Google isnt helping me out much.

 

[drebo]

Domain logon script is the way I'd do this.

 

[imported_hopeless]

Have you tried saving your code as a seperate file, than placing a line in the autoexec to run that file?

 

[warcrow]

Originally posted by: drebo
Domain logon script is the way I'd do this.

This cannot be a login script, it needs to be a Startup script. A login script utilizes a users permissions to run a login script and we need admin rights to disable USB thumb drives.

 

[warcrow]

Originally posted by: hopeless
Have you tried saving your code as a seperate file, than placing a line in the autoexec to run that file?

In the OP I mention this yes. I tried dropping the code (didnt work) and making a "CALL" to the batch. Neither worked unfortunately.

 

[Apathetic]

Originally posted by: warcrow
Good suggestion, but the problem is that we re-image these machine very often so it would require setup every time.

I'm looking for something more automatic. I think the best bet is to go with Group Policy. I'm actually currently trying to figure out how to write to local GP on the machine via command line. That would be great, but Google isnt helping me out much.

I'm confused. Can't you just add the scheduled task to the image?

Dave

 

[warcrow]

Originally posted by: Apathetic

Originally posted by: warcrow
Good suggestion, but the problem is that we re-image these machine very often so it would require setup every time.

I'm looking for something more automatic. I think the best bet is to go with Group Policy. I'm actually currently trying to figure out how to write to local GP on the machine via command line. That would be great, but Google isnt helping me out much.

I'm confused. Can't you just add the scheduled task to the image?

Dave

Management doesnt want to create a new image here, and a scheduled task uses login credentials.

 

[drebo]

Use Symantec Endpoint Protection. It has the capability to disable USB port access, among other removable storage capabilities.

 

[Ken g6]

Scheduled tasks seem to be stored in .job files in c:\%WINDIR%\Tasks. I'm not sure if the password is stored in there, but if it is, couldn't you just push out that file?

 

[JACKDRUID]

user profiie -> logon script

hardware profile with disabled usb drive

 

[warcrow]

Originally posted by: drebo
Use Symantec Endpoint Protection. It has the capability to disable USB port access, among other removable storage capabilities.

Really? Interesting.

We actually do use SEP in our environment. Does it completely disable USB access? We have USB KBs and Mice. The script that we've developed just disabled USB thumb drives.

I'll chat with out security (SEP admins) team and see if they can shed some light on this.

 

[warcrow]

Originally posted by: JACKDRUID
user profiie -> logon script

hardware profile with disabled usb drive

Thanks for the effort JACKDRUID but unfortunately this has been addressed in this thread.

 

[tfinch2]

Originally posted by: Ken g6
Scheduled tasks seem to be stored in .job files in c:\%WINDIR%\Tasks. I'm not sure if the password is stored in there, but if it is, couldn't you just push out that file?

That's what I do on our W2K systems that do not have the capability to create scheduled tasks from the CLI. The task can run as NT Authority\System user with no password required.

For W2K3+ systems, use the schtasks command.