Windows Script Host: disable or enable?

Does a home user need to disable Windows Script Host?

  • Total voters
    16
Zorro

Zorro

Level 9
Thread author
Verified
Well-known
Jun 11, 2019
401
1,943
768
Russia
I read that for security you need to disable Windows Script Host, since many malicious programs use this mechanism. However, people also write that after disabling Windows Script Host there will be problems with system updates and the system recovery mechanism. So is it worth disabling Windows Script Host or not?
 
  • Like
Reactions: roger_m, plat, Protomartyr and 3 others
SFox said:
However, people also write that after disabling Windows Script Host there will be problems with system updates and the system recovery mechanism.
Click to expand...
Some software still uses it, but new ones use powershell, NET Framework and such. Windows updates work fine, but not not sure about store apps, they should use UWP. Windows upgrade also performs normally without WSH, but when I tested 3rd party backup software, it used it for tasks.

blog.avast.com

A closer look at the Locky ransomware

A deep and technical look into the latest ransomware called Locky.
blog.avast.com blog.avast.com
camp_02.jpg

WSH is usually the way malware enters the system, without user's interaction.
I rarely need it, mostly for some user generated stuff/scripts, like for games.
When it is needed a user should be notified, either via an error or directly.
 

Attachments

  • capture_02122020_131533.jpg
    capture_02122020_131533.jpg
    14.9 KB · Views: 333
  • Like
Reactions: roger_m, plat, Protomartyr and 5 others
The question as presented in the poll is black and white: disable it or not. I voted to disable. But there is a middle position: restrict Windows Script Host. That is the best option, in my opinion.
 
  • Like
  • Thanks
  • Applause
Reactions: plat, Outpost, blackice and 6 others
There is a point in Syshardener - turn off the Windows Script Host. There is an orange mark as a warning that scripts will not work. If you activate this item, will the Windows Script Host completely shut down or will it work in restrict mode?
 
  • Like
Reactions: plat, Protomartyr, DDE_Server and 2 others
SFox said:
There is a point in Syshardener - turn off the Windows Script Host. There is an orange mark as a warning that scripts will not work. If you activate this item, will the Windows Script Host completely shut down or will it work in restrict mode?
Click to expand...
It will shut it down completely. SysHardener doesn't allow you to restrict or monitor it, although OSArmor and a number of other security softs do give you such a functionality.
It's the kind of thing that you never know when you might need it. Just a little example: let's say you installed Comodo Firewall, decided it's not for you, and uninstall it. When you reboot, a little cleanup script will run, and remove the Comodo leftovers pretty effectively. If you disabled Windows Script Host, you are left with all the garbage.
 
  • Like
  • +Reputation
Reactions: roger_m, plat, catjc and 5 others
SFox said:
OK. What other items in OSArmor, other than those noted by Samprei Nihira, are responsible for limiting the Windows Script Host?
Click to expand...
IDK. Haven't looked at it in a long time. Others following this thread can tell you if there are any other items like that.
 
Last edited:
  • Like
Reactions: DDE_Server and Zorro
upnorth said:
At least try avoid fiddle with this on your grandparents pc. :coffee:
Click to expand...
I disable it on every computer I get my hands on, especially on my grandparents. :D

Symantec offered the tool to enable/disable it with one click, but it was removed recently.
Some mention it, but they do not want users to disable it . Who would need theirs AV then?!

How to disable Windows Script Host | F‑Secure

Learn how to disable Windows Script Host to protect your PC from malware and unauthorized scripts. Step-by-step guide included.
blog.f-secure.com blog.f-secure.com
www.ryadel.com

Disable Windows Script Host (WSH) to block .VBS malware

Windows Script Host (or WSH) (also known as Windows Scripting Host) is a scripting language shipped with all major Windows and Windows Server distributions sinc
www.ryadel.com www.ryadel.com
2019 - That’s it for now: given the widespread distribution of VBS viruses and malwares attached to e-mails throughout the whole Europe, we can only recommend to preventively disable WSH to all system administrators, unless explicitly required by specific scenarios.
Click to expand...
 
  • Like
  • Wow
Reactions: roger_m, Andy Ful, SunMan09 and 6 others
Hard_Configurator offers two ways of controlling Windows Script Host. It can be blocked completely, similar to SysHardener, or it can be restricted. When it is restricted, that means it can be run only with elevated privileges.
 
  • Like
Reactions: roger_m, oldschool, Andy Ful and 4 others
If any MT user is interested in my old vbs test with I.E.8 and MBAE intervention.
MBAE intervention for a VBS exploit has a different layout than other exploits:


sendvid.com

I E 8 VB Script

Upload and share videos instantly. It's free and simple. No signup required.
sendvid.com sendvid.com

Good night to you all .:)
 
  • Like
Reactions: catjc and Outpost
shmu26 said:
Hard_Configurator offers two ways of controlling Windows Script Host. It can be blocked completely, similar to SysHardener, or it can be restricted. When it is restricted, that means it can be run only with elevated privileges.
Click to expand...
In H_C Windows Script Host can be disabled by Windows policy or restricted by SRP.
The SRP in H_C settings can restrict it as follows:
  1. Block script Interpreter with standard privileges and allow it with higher privileges. No whitelisting available.
  2. Allow script Interpreter, but block script files with standard privileges and allow script files with higher privileges. Blocked scripts can be whitelisted by the user.
The blocked events can be seen in H_C, so the user can see the paths of scripts that he/she would like to whitelist (they will not be blocked).
 
  • Like
  • +Reputation
Reactions: harlan4096, [correlate], shmu26 and 2 others
TairikuOkami said:
I disable it on every computer I get my hands on, especially on my grandparents. :D

Symantec offered the tool to enable/disable it with one click, but it was removed recently.
Click to expand...
This tool did not disable Windows Script Host, but only script files by file extensions (similarly to SysHardener). The scripts could be still run from the command-line, for example:
wscript /e:vbscript ....

TairikuOkami said:

How to disable Windows Script Host | F‑Secure

Learn how to disable Windows Script Host to protect your PC from malware and unauthorized scripts. Step-by-step guide included.
blog.f-secure.com blog.f-secure.com
www.ryadel.com

Disable Windows Script Host (WSH) to block .VBS malware

Windows Script Host (or WSH) (also known as Windows Scripting Host) is a scripting language shipped with all major Windows and Windows Server distributions sinc
www.ryadel.com www.ryadel.com
Click to expand...
The reg tweaks proposed in both articles are incomplete for Windows 64-bit. The block can be bypassed by using a command-line with 32-bit versions of script Interpreters from the "c:\Windows\SysWOW64" folder. (y)
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: TairikuOkami, harlan4096, Nevi and 5 others

You may also like...