Windows script host

[Deleted member 178]

What do you mean? I assume that the registry tweaks are already done.

He thought your test command line was a tweak.

 

[Deleted Member 3a5v73x]

I assume that the registry tweaks are already done.

Your spoon-feed'ing is harmful.

 

[HarborFront]

What do you mean? I assume that the registry tweaks are already done.
It is not the commandline to introduce the new tweak, but only the commandline for checking if the already applied reg tweaks (for blocking WSH) are working well.

Ok, tested and is working fine. Thanks

 

[SumTingWong]

When you execute the script by a mouse-click, then on 64-bit Windows the 64-bit interpreter wscript.exe is used by default to run the script. So, you did not test if the 32-bit interpreter was blocked.
The commandline from my post, executes the script like malware can do, by using 32-bit interpreter wscript.exe on 64-bit Windows. So, if you have the script helloworld.vbs in "c:\scripts" folder, then you have to execute the commandline:
c:\Windows\SysWOW64\wscript.exe "c:\scripts\helloworld.vbs"
If you will see the alert that Windows Script Host is blocked, then you can be sure that also 32-bit interpreter wscript.exe is blocked, for sure.

Simply copy & paste & execute the commandline in the 'Quick access' area in Windows File Explorer, or in the Command Prompt console.

So I just copy and paste this code to CMD? Yes?
c:\Windows\SysWOW64\wscript.exe "path2yourscript"

If I get an error than I am good?

 

[HarborFront]

So I just copy and paste this code to CMD? Yes?
c:\Windows\SysWOW64\wscript.exe "path2yourscript"

If I get an error than I am good?

Yes, Yes and Yes

 

[Andy Ful]

So I just copy and paste this code to CMD? Yes?
c:\Windows\SysWOW64\wscript.exe "path2yourscript"

If I get an error than I am good?

If you have pasted literally the above, that you are not good.

 

[DeepWeb]

One side question

Can scripts execute via Powershell besides WSH? If yes, then shouldn't we disable/block Powershell as well?

Besides WSH (or Powershell if it does) what other routes can scripts execute?

Which is why people should be using SUA. In Windows 10 at least under my configuration even if I elevate as an admin I cannot execute a script unless I'm fully logged into my admin account. Something about the execution policy of the user vs machine.

 

[Andy Ful]

...
Besides WSH (or Powershell if it does) what other routes can scripts execute?

The most common are via mshta.exe (can run .hta files by default) and hh.exe (can run .chm files). Both mshta.exe and hh.exe can run JavaScript code. Like wscript.exe, the interpreter mshta.exe can run the script embedded in almost any file, even in the plain .txt file.
The scripts embedded in the compiled .chm files are very dangerous and usually very effective as a spam attachments.

The JScript and VBScript scripts can be also run via WMI without using the standard Windows Script Host interpreters, but abusing scrcons.exe . Yet, this method is usually a way of hiding script execution to obtain malware persistence, because the system has to be already compromised.

 

[SumTingWong]

Yes, Yes and Yes

Okay

If you have pasted literally the above, that you are not good.

Dang, you roasted me good.