Why did you have to say that?! I was so sure of myself; now I will not be able to sleep anymore until I solve it.
> True fileless malware can even use PowerShell without it being on the target system; the malware is embedded with PowerShell.
No, for the standard applications.
> So what happens if I disable WSH? Does it affect my installation/uninstallation of software, or have any other side effects?
Block Windows Script Host script execution on Windows 64-bit:
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /f
PowerShell is the most dangerous Windows scripting language, so it should be restricted in the first place.
> One side question:
> Can scripts execute via PowerShell besides WSH? If yes, then shouldn't we disable/block PowerShell as well?
> Besides WSH (or PowerShell, if it does), through what other routes can scripts execute?
Thanks. 'Run as administrator' can be used to bypass a blocked Command Prompt only if you block Command Prompt on SUA. But blocking Command Prompt by policy on SUA cannot be done via an HKCU reg tweak; one has to do it via the proper HKU registry key. My post was not precise, so I edited it.
> I guess that only applies when "run as user" is specified? I cannot run a .bat as admin when DisableCMD is in effect.
Mine works!
> Create the new file, change the extension to .vbs and try to run it. If you get the message that it is blocked, you have done it properly.
On 64-bit Windows, the above checks only the 64-bit Windows Script Host.
You can block Windows Script Host via H_C settings in 2 different ways:
Can I use a registry tweak to set it?
> On 64-bit Windows, the above checks only the 64-bit Windows Script Host.
For checking the 32-bit Windows Script Host on 64-bit Windows, you should also execute the below command line from Explorer:
When you execute the script by a mouse-click, then on 64-bit Windows the 64-bit interpreter wscript.exe is used by default to run the script. So you did not test whether the 32-bit interpreter was blocked.
> What does that do?
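To check both interpreters at once, here is an added verification script (not from the thread or from H_C) that reads the "Enabled" value in the 64-bit key, the WOW6432Node key and the per-user key, then runs a harmless constructed .vbs through both cscript.exe hosts; it assumes the standard System32 and SysWOW64 paths and a 64-bit PowerShell session.

```powershell
# Added example: report whether Windows Script Host is blocked in each registry
# location on 64-bit Windows. Read-only; nothing is changed.
$locations = [ordered]@{
    'HKLM 64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    'HKLM 32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings'
    'HKCU'        = 'HKCU:\Software\Microsoft\Windows Script Host\Settings'
}

function Get-WshState {
    param([string]$Path)
    # Missing key or value means WSH is allowed (the default).
    $item = Get-ItemProperty -Path $Path -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (WSH allowed by default)' }
    if ([int]$item.Enabled -eq 0) { return 'blocked (Enabled=0)' }
    return "allowed (Enabled=$($item.Enabled))"
}

foreach ($entry in $locations.GetEnumerator()) {
    '{0,-12} {1}' -f $entry.Key, (Get-WshState -Path $entry.Value)
}

# Live check with a constructed, harmless script through both hosts.
# cscript is used instead of wscript so the result lands in the console
# rather than a message box. A blocked host prints the "access is disabled"
# message instead of the echo. (Assumption: standard System32/SysWOW64 paths.)
$vbs = Join-Path $env:TEMP 'wsh-check.vbs'
Set-Content -Path $vbs -Value 'WScript.Echo "WSH ran"'
$hosts = @("$env:SystemRoot\System32\cscript.exe",   # 64-bit interpreter
           "$env:SystemRoot\SysWOW64\cscript.exe")   # 32-bit interpreter
foreach ($exe in $hosts) {
    "--- $exe"
    & $exe //Nologo $vbs
}
Remove-Item $vbs -ErrorAction SilentlyContinue
```

If only the first two locations show "blocked" and the 32-bit host still echoes, the WOW6432Node tweak from above has not taken effect.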
What do you mean? I assume that the registry tweaks are already done.
> Can I use a registry tweak to set it?