HarborFront

What do you mean? I assume that the registry tweaks are already done.
It is not the command line to introduce the new tweak, but only the command line for checking if the already applied reg tweaks (for blocking WSH) are working well.
Ok, tested and is working fine. Thanks
 
Reactions: Andy Ful

SumTingWong

When you execute the script by a mouse-click, then on 64-bit Windows the 64-bit interpreter wscript.exe is used by default to run the script. So, you did not test if the 32-bit interpreter was blocked.
The command line from my post executes the script like malware can do, by using the 32-bit interpreter wscript.exe on 64-bit Windows. So, if you have the script helloworld.vbs in the "c:\scripts" folder, then you have to execute the command line:
c:\Windows\SysWOW64\wscript.exe "c:\scripts\helloworld.vbs"
If you see the alert that Windows Script Host is blocked, then you can be sure that the 32-bit interpreter wscript.exe is also blocked.

Simply copy & paste & execute the command line in the 'Quick access' area in Windows File Explorer, or in the Command Prompt console.
So I just copy and paste this code to CMD? Yes?
c:\Windows\SysWOW64\wscript.exe "path2yourscript"

If I get an error then I am good?
 
Reactions: Sunshine-boy
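
Added example (not part of the thread and not written by any poster): a read-only PowerShell check of the WSH setting in both registry views, as a complement to the live test quoted above. The thread does not name the registry value; this assumes the tweak is the commonly used `Enabled = 0` under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings`, which 32-bit processes see under `WOW6432Node`.

```powershell
# Added example: read the WSH "Enabled" value from both HKLM registry views.
# Assumption: the applied tweak is Enabled = 0 under the key below.
$SubKey = 'SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshEnabledValue {
    param([Microsoft.Win32.RegistryView]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }      # key absent in this view
        try   { return $key.GetValue('Enabled', $null) }
        finally { $key.Dispose() }
    }
    finally { $base.Dispose() }
}

# Registry64 backs System32\wscript.exe; Registry32 (WOW6432Node) backs
# SysWOW64\wscript.exe. On 32-bit Windows there is only one view.
$views = [ordered]@{ '32-bit' = [Microsoft.Win32.RegistryView]::Registry32 }
if ([Environment]::Is64BitOperatingSystem) {
    $views['64-bit'] = [Microsoft.Win32.RegistryView]::Registry64
}

$results = foreach ($name in $views.Keys) {
    $value = Get-WshEnabledValue -View $views[$name]
    [pscustomobject]@{
        Interpreter = "$name wscript.exe / cscript.exe"
        Enabled     = if ($null -eq $value) { '(not set)' } else { $value }
        # The value may be stored as REG_DWORD 0 or REG_SZ "0".
        Blocked     = ("$value" -eq '0')
    }
}

$results | Format-Table -AutoSize
foreach ($r in $results | Where-Object { -not $_.Blocked }) {
    Write-Warning "$($r.Interpreter): no Enabled=0 in this view, WSH is not blocked here."
}
```

This only reads configuration; running the SysWOW64 command line from the post above remains the functional test.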

DeepWeb

One side question

Can scripts execute via PowerShell besides WSH? If yes, then shouldn't we disable/block PowerShell as well?

Besides WSH (or PowerShell if it does) what other routes can scripts execute?
Which is why people should be using SUA. In Windows 10 at least under my configuration even if I elevate as an admin I cannot execute a script unless I'm fully logged into my admin account. Something about the execution policy of the user vs machine.
 

Andy Ful

...
Besides WSH (or PowerShell if it does) what other routes can scripts execute?
The most common are via mshta.exe (can run .hta files by default) and hh.exe (can run .chm files). Both mshta.exe and hh.exe can run JavaScript code. Like wscript.exe, the interpreter mshta.exe can run the script embedded in almost any file, even in a plain .txt file.
The scripts embedded in the compiled .chm files are very dangerous and usually very effective as spam attachments.

The JScript and VBScript scripts can also be run via WMI without using the standard Windows Script Host interpreters, but by abusing scrcons.exe. Yet, this method is usually a way of hiding script execution to obtain malware persistence, because the system has to be already compromised.
 