I'm guessing that like others on campus, we started seeing a larger volume of user profile viruses beginning this fall that were proving to be quite the headache. Our solution was to force DEP to execute in OptOut mode instead of its default of OptIn on Microsoft's workstation OSes. It's proven extremely effective in stopping the bulk of these exploits before they have a chance to execute. If you aren't familiar with DEP, here is some reading I would recommend: http://support.microsoft.com/kb/875352

You'll need to do some extensive software testing before you roll it out, but it is possible to set up process exclusions if you do hit a conflict. Older Java applications are the worst about this, but I have found that replacing the jvm.dll file in the JRE with one from JRE 1.6 through JRE 1.6u9 (anything after that is a major overhaul and doesn't work) fixes compatibility.

I wrote this script and set it to execute at system shutdown, but system startup should work as well. I wouldn't recommend adding it to a user logon script since it requires admin rights. I didn't write any error handling for systems that don't support the NX bit as we don't have those in our environment. Keep that in mind if it is the case for you.

@echo off
rem Force DEP into OptOut mode. Must run with admin rights (e.g. as a
rem shutdown or startup script). Results are logged to the System event log.
Echo DEP OptOut Mode Script for Windows XP/Vista/2003/2008
Echo.
Echo David Graff
Echo Michigan State University Physical Plant
Echo [log in to unmask]
Echo 12/28/2009 v1.3
Echo.
Echo.
Echo Detecting Operating System:
rem Match the build number reported by VER. XP/2003 keep the DEP policy in
rem boot.ini; Vista/2008/7 keep it in the BCD store.
ver | find "5.1.2600" > NUL && goto XP
ver | find "5.2.3790" > NUL && goto 2003
ver | find "6.0.600" > NUL && goto Vista_2008
ver | find "6.1.7" > NUL && goto Vista_2008
goto wrong_OS

:XP
:2003
Echo.
Echo Windows XP/2003 detected
Echo.
if not exist %homedrive%\boot.ini goto boot.ini_not_found
rem Nothing to do if the policy is already OptOut or AlwaysOn.
find /I "/NoExecute=OptOut" %homedrive%\boot.ini > NUL && goto DEP_on
find /I "/NoExecute=AlwaysOn" %homedrive%\boot.ini > NUL && goto DEP_on
Echo Updating boot.ini
Echo.
rem bootcfg /raw without /a REPLACES the load options of boot entry 1, so any
rem other switches already present in boot.ini are dropped; add them here if you need them.
bootcfg /raw "/fastdetect /NoExecute=OptOut" /id 1 || goto admin_rights
Echo.
eventcreate /id 1 /l SYSTEM /so "Data Execution Prevention" /t INFORMATION /d "Data Execution Prevention policy successfully changed to Opt Out mode."
exit /b 0

:Vista_2008
Echo.
Echo Windows Vista/2008/7 detected
Echo.
rem bcdedit fails when not elevated, which doubles as the admin-rights check.
bcdedit.exe > NUL || goto admin_rights
bcdedit.exe | find /I "OptOut" > NUL && goto DEP_on
bcdedit.exe | find /I "AlwaysOn" > NUL && goto DEP_on
Echo Enabling DEP OptOut mode.
bcdedit.exe /set nx OptOut > NUL || goto admin_rights
Echo.
eventcreate /id 10 /l SYSTEM /so "Data Execution Prevention" /t INFORMATION /d "Data Execution Prevention policy successfully changed to Opt Out mode."
exit /b 0

:wrong_OS
eventcreate /id 1 /l SYSTEM /so "Data Execution Prevention" /t WARNING /d "OS not supported. Data Execution Prevention cannot be enabled."
exit /b 1

:boot.ini_not_found
echo boot.ini file not found. Aborting script.
eventcreate /id 2 /l SYSTEM /so "Data Execution Prevention" /t ERROR /d "Boot.ini file not found. Data Execution Prevention policy cannot be set."
exit /b 2

:DEP_on
echo DEP already enabled.
eventcreate /id 10 /l SYSTEM /so "Data Execution Prevention" /t INFORMATION /d "Data Execution Prevention policy already set to OptOut or AlwaysOn."
exit /b 0

:admin_rights
echo Command failed. Verify that script was executed with admin rights.
echo Aborting script.
eventcreate /id 4 /l SYSTEM /so "Data Execution Prevention" /t ERROR /d "A general failure occurred while attempting to change Data Execution Prevention policy. Make sure that the script was run with admin credentials."
exit /b 4
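As an added example (not part of the original post or its script), the following PowerShell check verifies after rollout that the effective DEP policy is OptOut or AlwaysOn and flags hardware without NX/XD support, the case the script above does not handle. It reads the Win32_OperatingSystem WMI class; the function name Test-DepPolicy and the policy-value table are my own, and Get-WmiObject is used so it also runs on PowerShell 2.0.

```powershell
# Added example: report the effective DEP policy and hardware DEP availability.
# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy encodes the policy
# as 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
function Test-DepPolicy {
    param(
        [string[]]$Acceptable = @('OptOut', 'AlwaysOn'),
        [string]$ComputerName = '.'
    )

    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    $name = $policyNames[$policy]
    if (-not $name) { $name = "Unknown($policy)" }

    New-Object PSObject -Property @{
        ComputerName      = $os.CSName
        OSVersion         = $os.Version
        # False means no NX/XD bit: DEP is software-enforced only on this box.
        HardwareSupported = [bool]$os.DataExecutionPrevention_Available
        Policy            = $name
        Compliant         = ($Acceptable -contains $name)
    }
}

# Run locally; exit codes mirror the script's convention (0 = OK, non-zero = problem)
# so this can be used as a post-rollout health check.
$r = Test-DepPolicy
$r | Format-List ComputerName, OSVersion, HardwareSupported, Policy, Compliant
if (-not $r.HardwareSupported) {
    Write-Warning "NX/XD not available on this hardware; DEP is software-only here."
}
if (-not $r.Compliant) {
    Write-Warning "DEP policy is $($r.Policy); expected OptOut or AlwaysOn."
    exit 1
}
exit 0
```

Pass -ComputerName to query a remote machine over WMI, which lets you spot-check a batch of workstations after the shutdown script has run.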