Categories
Uncategorized

Sysprep Windows 7 & Secunia PSI

I am cooking up an unattended Windows 7 installation image for our users. This is done by carefully preparing a Reference VM using the Audit Mode. This basically means it logs on as administrator, and after sysprepping with the new CopyProfile option, this becomes the profile for newly created users.

I ran into an issue that when the newly created user logs in after installation, Secunia PSI is not started any more.

The reason is that if you install it in Windows 7 (and probably in Vista as well), PSI is not a real service, but merely a task that runs with highest privileges at logon. The task is configured to run with the credentials of the user that installed it – in this case Administrator. However, that account is wiped during sysprep, hence the task cannot be run.

Since I consider Secunia PSI to be vital, I searched around but no solution. I guess because PSI is not meant to be sysprepped and all, and you need Secunia’s corporate version (CSI) for that.
Since CSI was not a suitable solution in our scenario, I worked around quite nicely.

In the sysprep unattended xml file, define a script to be run right after initial logon of the new user. This is done using the FirstLogonCommands option. Suppose it is C:\tmp\runonce.bat.

The new Task Schedular in Windows Vista and 7 is able to import and export its tasks as XML files. The trick is to remove the existing task, which is using the Administrator account, and create a new one using the same XML code, but with the credentials changed to the new user.

Since there is no sed/awk in Windows, I had to resort to a vbscript called SearchAndReplace.vbs, which you can download here: http://www.ericphelps.com/scripting/samples/

The relevant part of my runonce.bat looks like this:

C:\tmp\SearchAndReplace.vbs C:\tmp\Secunia.txt Administrator %USERNAME%
schtasks /delete /TN "Secunia PSI Logon Task"
schtasks /create /TN "Secunia PSI Logon Task" /xml C:\tmp\Secunia.txt

The Secunia.txt is an XML export of the original Secunia PSI Task, and has the string Administrator. This is replaced by the new user, and then imported back. For some obscure reason, the search/replace does not work when the file has an xml extension – that is why I use txt – whatever. You can create it yourself using schtasks.exe.

After the next reboot or logoff-logon PSI will happily start up 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *