HarborFront

#43
What do you mean? I assume that the registry tweaks are already done.
It is not the command line to introduce the new tweak, but only the command line for checking if the already applied reg tweaks (for blocking WSH) are working well.
Ok, tested and is working fine. Thanks
 
Likes: Andy Ful

SumTingWong

#44
When you execute the script by a mouse-click, then on 64-bit Windows the 64-bit interpreter wscript.exe is used by default to run the script. So, you did not test if the 32-bit interpreter was blocked.
The command line from my post executes the script like malware can do, by using the 32-bit interpreter wscript.exe on 64-bit Windows. So, if you have the script helloworld.vbs in the "c:\scripts" folder, then you have to execute the command line:
c:\Windows\SysWOW64\wscript.exe "c:\scripts\helloworld.vbs"
If you see the alert that Windows Script Host is blocked, then you can be sure that the 32-bit interpreter wscript.exe is also blocked.

Simply copy & paste & execute the command line in the 'Quick access' area in Windows File Explorer, or in the Command Prompt console.
So I just copy and paste this code to CMD? Yes?
c:\Windows\SysWOW64\wscript.exe "path2yourscript"

If I get an error then I am good?
 
Likes: Sunshine-boy
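A read-only companion to the SysWOW64 test described in the post above, as an added example that is not part of the original thread: it reads the WSH setting from both the 64-bit and the 32-bit registry view. It assumes the tweak in question is the `Enabled` value under `Microsoft\Windows Script Host\Settings`, which the thread does not name; the function name is hypothetical.

```powershell
# Added example (not from the thread). Assumption: WSH was blocked with the
# "Enabled" value under ...\Microsoft\Windows Script Host\Settings.
$subKey = 'SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshEnabledValue {
    param(
        [Microsoft.Win32.RegistryHive]$Hive,
        [Microsoft.Win32.RegistryView]$View
    )
    # OpenBaseKey lets a 64-bit PowerShell read the 32-bit (WOW6432Node) view
    # that SysWOW64\wscript.exe sees, and the other way round.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    try {
        $key = $base.OpenSubKey($subKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue('Enabled', $null) }
        finally { $key.Dispose() }
    }
    finally { $base.Dispose() }
}

$checks = @(
    @{ Name = 'HKLM, 64-bit view (System32\wscript.exe)'; Hive = 'LocalMachine'; View = 'Registry64' },
    @{ Name = 'HKLM, 32-bit view (SysWOW64\wscript.exe)'; Hive = 'LocalMachine'; View = 'Registry32' },
    @{ Name = 'HKCU (current user)';                      Hive = 'CurrentUser';  View = 'Default' }
)

foreach ($c in $checks) {
    $value = Get-WshEnabledValue -Hive $c.Hive -View $c.View
    $state = if ($null -eq $value) {
        'not set (WSH default: enabled)'
    } elseif ("$value" -eq '0') {
        'set to 0 (blocked)'
    } else {
        "set to $value (not blocked)"
    }
    '{0,-45} {1}' -f $c.Name, $state
}
```

If the 64-bit view reports 0 and the 32-bit view reports "not set", a mouse-click test would show the block while the SysWOW64 command line from the post would still run the script.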

DeepWeb

#47
One side question

Can scripts execute via Powershell besides WSH? If yes, then shouldn't we disable/block Powershell as well?

Besides WSH (or Powershell if it does) what other routes can scripts execute?
Which is why people should be using SUA. In Windows 10 at least under my configuration even if I elevate as an admin I cannot execute a script unless I'm fully logged into my admin account. Something about the execution policy of the user vs machine.
 

Andy Ful

#48
...
Besides WSH (or Powershell if it does) what other routes can scripts execute?
The most common are via mshta.exe (can run .hta files by default) and hh.exe (can run .chm files). Both mshta.exe and hh.exe can run JavaScript code. Like wscript.exe, the interpreter mshta.exe can run a script embedded in almost any file, even in a plain .txt file.
The scripts embedded in compiled .chm files are very dangerous and usually very effective as spam attachments.

JScript and VBScript scripts can also be run via WMI without using the standard Windows Script Host interpreters, by abusing scrcons.exe. Yet, this method is usually a way of hiding script execution to obtain malware persistence, because the system has to be already compromised.
 