Windows Script Host: disable or enable?

Does a home user need to disable Windows Script Host?


  • Total voters: 16

Zorro

I read that for security you need to disable Windows Script Host, since many malicious programs use this mechanism. However, people also write that after disabling Windows Script Host there will be problems with system updates and the system recovery mechanism. So is it worth disabling Windows Script Host or not?
 

TairikuOkami

> However, people also write that after disabling Windows Script Host there will be problems with system updates and the system recovery mechanism.

Some software still uses it, but new ones use PowerShell, .NET Framework and such. Windows updates work fine, but not sure about store apps, they should use UWP. Windows upgrade also performs normally without WSH, but when I tested 3rd party backup software, it used it for tasks.


WSH is usually the way malware enters the system, without user's interaction.
I rarely need it, mostly for some user generated stuff/scripts, like for games.
When it is needed a user should be notified, either via an error or directly.
 


shmu26

The question as presented in the poll is black and white: disable it or not. I voted to disable. But there is a middle position: restrict Windows Script Host. That is the best option, in my opinion.
 

Zorro

There is a point in SysHardener - turn off the Windows Script Host. There is an orange mark as a warning that scripts will not work. If you activate this item, will the Windows Script Host completely shut down or will it work in restrict mode?
 

shmu26

> There is a point in SysHardener - turn off the Windows Script Host. There is an orange mark as a warning that scripts will not work. If you activate this item, will the Windows Script Host completely shut down or will it work in restrict mode?

It will shut it down completely. SysHardener doesn't allow you to restrict or monitor it, although OSArmor and a number of other security softs do give you such a functionality.
It's the kind of thing that you never know when you might need it. Just a little example: let's say you installed Comodo Firewall, decided it's not for you, and uninstall it. When you reboot, a little cleanup script will run, and remove the Comodo leftovers pretty effectively. If you disabled Windows Script Host, you are left with all the garbage.
 

shmu26

> OK. What other items in OSArmor, other than those noted by Sampei Nihira, are responsible for limiting the Windows Script Host?

IDK. Haven't looked at it in a long time. Others following this thread can tell you if there are any other items like that.
 

TairikuOkami

> At least try to avoid fiddling with this on your grandparents' PC. :coffee:

I disable it on every computer I get my hands on, especially on my grandparents'. :D

Symantec offered the tool to enable/disable it with one click, but it was removed recently.
Some mention it, but they do not want users to disable it. Who would need their AV then?!
2019 - That’s it for now: given the widespread distribution of VBS viruses and malwares attached to e-mails throughout the whole Europe, we can only recommend to preventively disable WSH to all system administrators, unless explicitly required by specific scenarios.
 

shmu26

Hard_Configurator offers two ways of controlling Windows Script Host. It can be blocked completely, similar to SysHardener, or it can be restricted. When it is restricted, that means it can be run only with elevated privileges.
 

Sampei Nihira

If any MT user is interested in my old vbs test with I.E.8 and MBAE intervention.
MBAE intervention for a VBS exploit has a different layout than other exploits:



Good night to you all. :)
 

Andy Ful

From Hard_Configurator Tools
Developer
> Hard_Configurator offers two ways of controlling Windows Script Host. It can be blocked completely, similar to SysHardener, or it can be restricted. When it is restricted, that means it can be run only with elevated privileges.

In H_C Windows Script Host can be disabled by Windows policy or restricted by SRP.
The SRP in H_C settings can restrict it as follows:
  1. Block script Interpreter with standard privileges and allow it with higher privileges. No whitelisting available.
  2. Allow script Interpreter, but block script files with standard privileges and allow script files with higher privileges. Blocked scripts can be whitelisted by the user.
The blocked events can be seen in H_C, so the user can see the paths of scripts that he/she would like to whitelist (they will not be blocked).
 

Andy Ful

From Hard_Configurator Tools
Developer
> I disable it on every computer I get my hands on, especially on my grandparents'. :D
>
> Symantec offered the tool to enable/disable it with one click, but it was removed recently.

This tool did not disable Windows Script Host, but only script files by file extensions (similarly to SysHardener). The scripts could still be run from the command-line, for example:
wscript /e:vbscript ....

The reg tweaks proposed in both articles are incomplete for Windows 64-bit. The block can be bypassed by using a command-line with 32-bit versions of script Interpreters from the "c:\Windows\SysWOW64" folder. (y)
 
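The 64-bit gap described in the last post, as a read-only check (an added example, not part of any post in the thread and not Hard_Configurator code). It assumes the registry tweak in question is the `Enabled` value under the `Windows Script Host\Settings` key, and that the 32-bit script hosts read it from the 32-bit registry view:

```powershell
# Added example: read-only audit, changes nothing.
# Assumption: WSH is disabled with Enabled=0 under this Settings key.
$subKey = 'SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshEnabledValue {
    param(
        [Microsoft.Win32.RegistryHive]$Hive,
        [Microsoft.Win32.RegistryView]$View
    )
    # OpenBaseKey selects the registry view explicitly, so the result does
    # not depend on whether this PowerShell process is 32-bit or 64-bit.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    try {
        $key = $base.OpenSubKey($subKey)          # $null if the key is absent
        if ($null -eq $key) { return $null }
        try { return $key.GetValue('Enabled') } finally { $key.Dispose() }
    } finally {
        $base.Dispose()
    }
}

$targets = @(
    @{ Name = 'HKLM, 64-bit view'; Hive = 'LocalMachine'; View = 'Registry64' },
    @{ Name = 'HKLM, 32-bit view'; Hive = 'LocalMachine'; View = 'Registry32' },
    @{ Name = 'HKCU';              Hive = 'CurrentUser';  View = 'Default' }
)
$rows = foreach ($t in $targets) {
    $value = Get-WshEnabledValue -Hive $t.Hive -View $t.View
    [pscustomobject]@{
        Location = $t.Name
        Enabled  = if ($null -eq $value) { '(not set)' } else { "$value" }
        # The value may be stored as REG_DWORD 0 or REG_SZ "0".
        Disabled = ($null -ne $value -and "$value" -eq '0')
    }
}
$rows | Format-Table -AutoSize

# Flag the case from the post: 64-bit view set, 32-bit view left untouched.
if ([Environment]::Is64BitOperatingSystem -and
    $rows[0].Disabled -and -not $rows[1].Disabled) {
    Write-Warning 'Enabled=0 is set only in the 64-bit view of HKLM.'
    foreach ($exe in 'wscript.exe', 'cscript.exe') {
        $path = Join-Path $env:windir "SysWOW64\$exe"
        if (Test-Path $path) { Write-Warning "32-bit host not covered: $path" }
    }
}
```

`HKCU\Software` is not split into 32-bit and 64-bit views, so it is read once.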
