Windows Script Host: disable or enable?

Does a home user need to disable Windows Script Host?


  • Total voters
    16

Zorro

Level 9
Thread author
Verified
Well-known
Jun 11, 2019
404
I read that for security you need to disable Windows Script Host, since many malicious programs use this mechanism. However, people also write that after disabling Windows Script Host there will be problems with system updates and the system recovery mechanism. So is it worth disabling Windows Script Host or not?
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
However, people also write that after disabling Windows Script Host there will be problems with system updates and the system recovery mechanism.
Some software still uses it, but new ones use powershell, NET Framework and such. Windows updates work fine, but not not sure about store apps, they should use UWP. Windows upgrade also performs normally without WSH, but when I tested 3rd party backup software, it used it for tasks.

camp_02.jpg

WSH is usually the way malware enters the system, without user's interaction.
I rarely need it, mostly for some user generated stuff/scripts, like for games.
When it is needed a user should be notified, either via an error or directly.
 

Attachments

  • capture_02122020_131533.jpg
    capture_02122020_131533.jpg
    14.9 KB · Views: 239

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
The question as presented in the poll is black and white: disable it or not. I voted to disable. But there is a middle position: restrict Windows Script Host. That is the best option, in my opinion.
 

Zorro

Level 9
Thread author
Verified
Well-known
Jun 11, 2019
404
There is a point in Syshardener - turn off the Windows Script Host. There is an orange mark as a warning that scripts will not work. If you activate this item, will the Windows Script Host completely shut down or will it work in restrict mode?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
There is a point in Syshardener - turn off the Windows Script Host. There is an orange mark as a warning that scripts will not work. If you activate this item, will the Windows Script Host completely shut down or will it work in restrict mode?
It will shut it down completely. SysHardener doesn't allow you to restrict or monitor it, although OSArmor and a number of other security softs do give you such a functionality.
It's the kind of thing that you never know when you might need it. Just a little example: let's say you installed Comodo Firewall, decided it's not for you, and uninstall it. When you reboot, a little cleanup script will run, and remove the Comodo leftovers pretty effectively. If you disabled Windows Script Host, you are left with all the garbage.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
OK. What other items in OSArmor, other than those noted by Samprei Nihira, are responsible for limiting the Windows Script Host?
IDK. Haven't looked at it in a long time. Others following this thread can tell you if there are any other items like that.
 
Last edited:

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
At least try avoid fiddle with this on your grandparents pc. :coffee:
I disable it on every computer I get my hands on, especially on my grandparents. :D

Symantec offered the tool to enable/disable it with one click, but it was removed recently.
Some mention it, but they do not want users to disable it . Who would need theirs AV then?!
2019 - That’s it for now: given the widespread distribution of VBS viruses and malwares attached to e-mails throughout the whole Europe, we can only recommend to preventively disable WSH to all system administrators, unless explicitly required by specific scenarios.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Hard_Configurator offers two ways of controlling Windows Script Host. It can be blocked completely, similar to SysHardener, or it can be restricted. When it is restricted, that means it can be run only with elevated privileges.
 

Sampei Nihira

Level 6
Verified
Well-known
Dec 26, 2019
287
If any MT user is interested in my old vbs test with I.E.8 and MBAE intervention.
MBAE intervention for a VBS exploit has a different layout than other exploits:



Good night to you all .:)
 
  • Like
Reactions: catjc and Outpost

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Hard_Configurator offers two ways of controlling Windows Script Host. It can be blocked completely, similar to SysHardener, or it can be restricted. When it is restricted, that means it can be run only with elevated privileges.
In H_C Windows Script Host can be disabled by Windows policy or restricted by SRP.
The SRP in H_C settings can restrict it as follows:
  1. Block script Interpreter with standard privileges and allow it with higher privileges. No whitelisting available.
  2. Allow script Interpreter, but block script files with standard privileges and allow script files with higher privileges. Blocked scripts can be whitelisted by the user.
The blocked events can be seen in H_C, so the user can see the paths of scripts that he/she would like to whitelist (they will not be blocked).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I disable it on every computer I get my hands on, especially on my grandparents. :D

Symantec offered the tool to enable/disable it with one click, but it was removed recently.
This tool did not disable Windows Script Host, but only script files by file extensions (similarly to SysHardener). The scripts could be still run from the command-line, for example:
wscript /e:vbscript ....

The reg tweaks proposed in both articles are incomplete for Windows 64-bit. The block can be bypassed by using a command-line with 32-bit versions of script Interpreters from the "c:\Windows\SysWOW64" folder. (y)
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top