Nevi

Hi MT..
I have disabled the Windows Script Host for security reasons. Can I still use the restore points I have enabled?
Andy Ful

Hi MT..
I have disabled the Windows Script Host for security reasons. Can I still use the restore points I have enabled?
If you use one of the restore points made before disabling Windows Script Host, then everything should be OK, except that Windows Script Host will be enabled.
By the way, how did you disable Windows Script Host?
Andy Ful

Thank you all. I have some restore points from before I disabled the WSH. Just in case.
@andy
Open your regedit, and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings

Create a new DWORD value named “Enabled” and set the value data to “0” (hexadecimal).
Your script host will now be disabled.

How-To Disable Windows Script Host
There is incomplete information in the article. The reg tweak will block only Windows Script Host on the 32-bit system. If you have 64-bit Windows, then the same value must be changed/added in the key:
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings

Other ways to disable execution of script files

Disable execution of script files
It is worth mentioning that most of the methods explained in the article do not disable Windows Script Host, but only change file extension associations, so the user cannot run the script files (.js, .jse, .vbs, .vbe, .wsf, .wsh). But the malware can still run those scripts.
The right way of blocking Windows Script Host is available via activating the right Windows policy, or using the reg tweaks in the below keys (which is also explained in the article):
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
Andy Ful

The below reg tweak:
Code:
reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
seems to work for both 32-bit and 64-bit Windows (not system wide), and why the same does not work in the HKLM key (system wide) is a sweet Microsoft mystery.:giggle:
The below policy reg tweaks will work only on an Administrator type of account (not on a Standard User Account):
Code:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "wscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "cscript.exe" /f
They should block running scripts from Windows Explorer for the particular user (not system wide), but will not block scripts run from the command prompt:
Code:
cmd /c wscript.exe c:\z\hello.wsf
On a Standard User Account similar reg tweaks must be done in the proper HKU hive. Generally, Windows policies on SUA cannot be applied via reg tweaks in the HKCU hive.

The Symantec tool (http://www.symantec.com/avcenter/noscript.exe) changes only file associations (has to be run as administrator).
SumTingWong

So this registry tweak location is not right for 64 bit?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
"Create a new DWORD value named “Enabled” and set the value data to “0”.
How-To Disable Windows Script Host

@Andy Ful
When you said the location for 64 bit is
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings

Where can I find this? I don't understand; does "HKLM" mean HKEY_LOCAL_MACHINE?
HarborFront

I wouldn't advise applying tweaks if you don't have a certain understanding of Windows and are unaware of the repercussions...
So what happens if I disable WSH? Does it affect my installation/uninstallation of software, or are there any other side effects?
Deleted member 178

So what happens if I disable WSH? Does it affect my installation/uninstallation of software, or are there any other side effects?
Tweaks are user-context dependent; on my static/non-networked/slim systems, I have disabled many LOLBins without having many issues. What works for me may not for others.
Andy Ful

@Andy Ful
When you said the location for 64 bit is
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
...
I did not say that.
For 32-bit Windows the changes must be done in the key:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings

For 64-bit Windows the changes must be done in the keys:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
The first key is related to blocking (system wide) Windows Script Host for 64-bit processes.
The interpreters are:
c:\windows\system32\wscript.exe
c:\windows\system32\cscript.exe

The second key is related to blocking (system wide) Windows Script Host for 32-bit processes on 64-bit Windows. The interpreters are:
c:\windows\SysWOW64\wscript.exe
c:\windows\SysWOW64\cscript.exe


On 32-bit Windows there are no registry keys with WOW6432Node and there is no c:\windows\SysWOW64 folder.

The registry tweaks are only for advanced users who understand well what they are doing.
HKLM is the shortcut for the HKEY_LOCAL_MACHINE registry hive.

Edit
For compatibility reasons, Microsoft keeps the c:\Windows\System32 folder for the executables which are native to the Windows bitness (32-bit executables on 32-bit Windows, but also 64-bit executables on 64-bit Windows).
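An audit script that reads the "Enabled" value from each registry location discussed in this thread (the native HKLM key, the WOW6432Node key for 32-bit interpreters, and the per-user HKCU key from the earlier reg add post) and reports what each one governs. This is an added example, not code from the thread; it assumes it is run from a 64-bit PowerShell on 64-bit Windows, since a 32-bit process is redirected to WOW6432Node when it reads the native HKLM path.

```powershell
# Added example, not from the thread: audit the WSH "Enabled" value in every
# registry location discussed above and report which interpreters each governs.
# Assumption: run from a 64-bit PowerShell on 64-bit Windows. A 32-bit process is
# redirected to WOW6432Node when reading the native HKLM path, so the two
# system-wide rows would then show the same data.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    Write-Warning 'Running as a 32-bit process on 64-bit Windows: registry redirection applies.'
}

$locations = @(
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Scope = 'system-wide, System32\wscript.exe and cscript.exe' },
    @{ Path  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings'
       Scope = 'system-wide, SysWOW64\wscript.exe and cscript.exe (64-bit Windows only)' },
    @{ Path  = 'HKCU:\Software\Microsoft\Windows Script Host\Settings'
       Scope = 'current user only, both bitnesses' }
)

function Get-WshStatus {
    foreach ($loc in $locations) {
        $enabled = $null
        $state   = 'key not present'
        if (Test-Path -LiteralPath $loc.Path) {
            # The key can exist without an Enabled value; WSH is then enabled.
            $item = Get-ItemProperty -LiteralPath $loc.Path -Name Enabled -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'value not set (WSH enabled)'
            } else {
                $enabled = [int]$item.Enabled
                $state   = if ($enabled -eq 0) { 'WSH disabled' } else { 'WSH enabled' }
            }
        }
        [pscustomobject]@{ Key = $loc.Path; Enabled = $enabled; State = $state; Scope = $loc.Scope }
    }
}

# Print the audit table and flag the gap the thread warns about: the native key
# disabled while the WOW6432Node key still allows the 32-bit interpreters.
$status = Get-WshStatus
$status | Format-Table -AutoSize -Wrap
$native = $status[0]; $wow = $status[1]
if ($native.Enabled -eq 0 -and $wow.State -ne 'key not present' -and $wow.Enabled -ne 0) {
    Write-Warning '64-bit WSH is disabled but 32-bit WSH (SysWOW64) is still enabled.'
}
```

Reading HKLM needs no elevation, so the audit can run from a Standard User Account; only changing the values requires an administrator.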
HarborFront

One side question

Can scripts execute via Powershell besides WSH? If yes, then shouldn't we disable/block Powershell as well?

Besides WSH (or Powershell if it does) what other routes can scripts execute?
Deleted member 178

One side question

Can scripts execute via Powershell besides WSH? If yes, then shouldn't we disable/block Powershell as well?

Besides WSH (or Powershell if it does) what other routes can scripts execute?
True fileless malware can even use PowerShell without it being on the target system; the malware is embedded with PowerShell.

There are many ways, like ADS for example.
SumTingWong

I did not say that.
For 32-bit Windows the changes must be done in the key:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings

For 64-bit Windows the changes must be done in the keys:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
The first key is related to blocking (system wide) Windows Script Host for 64-bit processes.
The interpreters are:
c:\windows\system32\wscript.exe
c:\windows\system32\cscript.exe

The second key is related to blocking (system wide) Windows Script Host for 32-bit processes on 64-bit Windows. The interpreters are:
c:\windows\SysWOW64\wscript.exe
c:\windows\SysWOW64\cscript.exe


On 32-bit Windows there are no registry keys with WOW6432Node and there is no c:\windows\SysWOW64 folder.

The registry tweaks are only for advanced users who understand well what they are doing.
HKLM is the shortcut for the HKEY_LOCAL_MACHINE registry hive.

Edit
For compatibility reasons, Microsoft keeps the c:\Windows\System32 folder for the executables which are native to the Windows bitness (32-bit executables on 32-bit Windows, but also 64-bit executables on 64-bit Windows).
So all I need is to create an Enabled DWORD key with 0 decimal in these two locations for a 64-bit OS?

regards.

HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings