Windows script host

Nevi

Hi MT..
I have disabled the Windows Script Host for security reasons. Can I still use the restore points I have enabled?
 

Andy Ful

Hi MT..
I have disabled the Windows Script Host for security reasons. Can I still use the restore points I have enabled?
If you will use one of the restore points made before disabling Windows Script Host, then everything should be OK, except that Windows Script Host will be enabled.
By the way, how did you disable Windows Script Host?
 

Nevi

Thank you all. I have some restore points from before I disabled the WSH. Just in case.
@andy
Open your regedit, and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings

Create a new DWORD value named “Enabled” and set the value data to “0” (hexadecimal).
Your script host will now be disabled.

How-To Disable Windows Script Host
 

Andy Ful

Thank you all. I have some restore points from before I disabled the WSH. Just in case.
@andy
Open your regedit, and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings

Create a new DWORD value named “Enabled” and set the value data to “0” (hexadecimal).
Your script host will now be disabled.

How-To Disable Windows Script Host
There is incomplete information in the article. The reg tweak will block Windows Script Host only on a 32-bit system. If you have 64-bit Windows, then the same value must be changed/added in the key:
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings

Other ways to disable execution of script files

Disable execution of script files
It is worth mentioning that most of the methods explained in the article do not disable Windows Script Host, but only change file extension associations, so the user cannot run the script files (.js, .jse, .vbs, .vbe, .wsf, .wsh). But the malware can still run those scripts.
The right way of blocking Windows Script Host is by activating the right Windows policy, or by using the reg tweaks in the keys below (which is also explained in the article):
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
 

Andy Ful

The below reg tweak:
Code:
reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
seems to work for both 32-bit and 64-bit Windows (not system wide), and why the same does not work in the HKLM key (system wide) is a sweet Microsoft mystery.:giggle:
The below policy reg tweaks will work only on Administrator type of account (not on Standard User Account):
Code:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "wscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "cscript.exe" /f
They should block running scripts from Windows Explorer for the particular user (not system wide), but will not block scripts run from the command prompt:
Code:
cmd /c wscript.exe c:\z\hello.wsf
On Standard User Account the similar reg tweaks must be done in the proper HKU hive. Generally Windows policies on SUA cannot be applied via reg tweaks in the HKCU hive.

The Symantec tool (http://www.symantec.com/avcenter/noscript.exe) changes only file associations (has to be run as administrator).
 

SumTingWong

So this registry tweak location is not right for 64 bit?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
"Create a new DWORD value named “Enabled” and set the value data to “0”.
How-To Disable Windows Script Host

@Andy Ful
When you said the location for 64 bit is
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings

Where can I find this? I don't understand: does "HKLM" mean HKey Local Machine?
 

HarborFront

I wouldn't advise to apply tweaks if you don't have certain understanding of Windows and unaware of the repercussions...
So what happens if I disable WSH? Does it affect my installation/uninstallation of software, or have any other side effects?
 

HarborFront

@Andy Ful

So what registry tweaks should apply for system-wide and command prompt protection for 64-bit Windows?

I'm not finding it as a feature in VS etc. Not sure about OSArmor though
 

Deleted member 178

So what happens if I disable WSH? Does it affect my installation/uninstallation of software, or have any other side effects?
Tweaks are user-context dependent; on my static/non-networked/slim systems, I have disabled many LOLbins without having many issues. What works for me may not for others.
 

Andy Ful

@Andy Ful
When you said the location for 64 bit is
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
...
I did not say that.
For 32-bit Windows the changes must be done in the key:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings

For 64-bit Windows the changes must be done in the keys:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
The first key is related to blocking (system wide) Windows Script Host for 64-bit processes.
The interpreters are:
c:\windows\system32\wscript.exe
c:\windows\system32\cscript.exe

The second key is related to blocking (system wide) Windows Script Host for 32-bit processes on 64-bit Windows. The interpreters are:
c:\windows\SysWOW64\wscript.exe
c:\windows\SysWOW64\cscript.exe


On 32-bit Windows there are no registry keys with WOW6432Node and there is no c:\windows\SysWOW64 folder.

The registry tweaks are only for the advanced users who understand well what they are doing.
HKLM is the shortcut for HKEY_LOCAL_MACHINE registry hive.

Edit
For compatibility reasons, Microsoft keeps c:\Windows\System32 folder for the executables which are native to the Windows bitness (32-bit executables on 32-bit Windows, but also 64-bit executables on 64-bit Windows).
 
Last edited:
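An added example, not part of any post in this thread: a read-only PowerShell check that reports the `Enabled` value in the two HKLM locations and the HKCU location discussed above. It opens each registry view explicitly, so the result does not depend on whether the console itself is 32-bit or 64-bit; the function name is hypothetical.

```powershell
# Added example: read-only report of the WSH "Enabled" value in each
# location named in the thread. Nothing is written to the registry.
$SubKey = 'SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshEnabledValue {    # hypothetical helper name
    param(
        [Microsoft.Win32.RegistryHive]$Hive,
        [Microsoft.Win32.RegistryView]$View
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    try {
        $key = $base.OpenSubKey($SubKey)    # read-only open; $null if the key is absent
        if ($null -eq $key) { return 'key missing' }
        try {
            $value = $key.GetValue('Enabled', $null)
            if ($null -eq $value) { return 'value not set' }
            # Show the value type too: the thread's tweak is a REG_DWORD.
            return "$value ($($key.GetValueKind('Enabled')))"
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

$targets = @(
    # On 32-bit Windows a Registry64 request falls back to the only view there is.
    @{ Label = 'HKLM\SOFTWARE (native view, System32 interpreters)'
       Hive = 'LocalMachine'; View = 'Registry64' }
    @{ Label = 'HKCU\Software (current user)'
       Hive = 'CurrentUser'; View = 'Default' }
)
if ([Environment]::Is64BitOperatingSystem) {
    # The 32-bit view of HKLM\SOFTWARE is what regedit shows under WOW6432Node.
    $targets += @{ Label = 'HKLM\SOFTWARE\WOW6432Node (32-bit view, SysWOW64 interpreters)'
                   Hive = 'LocalMachine'; View = 'Registry32' }
}

$targets | ForEach-Object {
    [pscustomobject]@{
        Location = $_.Label
        Enabled  = Get-WshEnabledValue -Hive $_.Hive -View $_.View
    }
} | Format-Table -AutoSize -Wrap
```

Run it as the user whose HKCU hive you want to inspect; a console elevated with another account's credentials reads that account's HKCU instead.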

HarborFront

One side question

Can scripts execute via Powershell besides WSH? If yes, then shouldn't we disable/block Powershell as well?

Besides WSH (or Powershell if it does) what other routes can scripts execute?
 

Deleted member 178

One side question

Can scripts execute via Powershell besides WSH? If yes, then shouldn't we disable/block Powershell as well?

Besides WSH (or Powershell if it does) what other routes can scripts execute?
True fileless malware can even use PowerShell without it being on the target system; the malware is embedded with PowerShell.

There are many ways, like ADS for example.
 

SumTingWong

I did not say that.
For 32-bit Windows the changes must be done in the key:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings

For 64-bit Windows the changes must be done in the keys:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
The first key is related to blocking (system wide) Windows Script Host for 64-bit processes.
The interpreters are:
c:\windows\system32\wscript.exe
c:\windows\system32\cscript.exe

The second key is related to blocking (system wide) Windows Script Host for 32-bit processes on 64-bit Windows. The interpreters are:
c:\windows\SysWOW64\wscript.exe
c:\windows\SysWOW64\cscript.exe


On 32-bit Windows there are no registry keys with WOW6432Node and there is no c:\windows\SysWOW64 folder.

The registry tweaks are only for the advanced users who understand well what they are doing.
HKLM is the shortcut for HKEY_LOCAL_MACHINE registry hive.

Edit
For compatibility reasons, Microsoft keeps c:\Windows\System32 folder for the executables which are native to the Windows bitness (32-bit executables on 32-bit Windows, but also 64-bit executables on 64-bit Windows).

So all I need is to create an Enabled DWORD value with 0 decimal in these two locations for a 64-bit OS?

regards.

HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
 