If you use one of the restore points made before disabling Windows Script Host, then everything should be OK, except that Windows Script Host will be enabled.
Hi MT..
I have disabled the Windows Script Host for security reasons. Can I still use the restore points I have enabled?
There is incomplete information in the article. The reg tweak will block only Windows Script Host on the 32-bit system. If you have 64-bit Windows then the same value must be changed/added in the key:
Thank you all. I have some restore points from before I disabled the WSH. Just in case.
@andy
Open your regedit, and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
Create a new DWORD value named “Enabled” and set the value data to “0” (hexadecimal).
Your script host will now be disabled.
How-To Disable Windows Script Host
It is worth mentioning that most of the methods explained in the article do not disable Windows Script Host, but only change file extension associations, so the user cannot run the script files (.js, .jse, .vbs, .vbe, .wsf, .wsh). But the malware can still run those scripts.
The below reg tweak:
reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "wscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "cscript.exe" /f
cmd /c wscript.exe c:\z\hello.wsf
So what happens if I disabled WSH? Does it affect my installation/uninstallation of software or any other side effects?
I wouldn't advise applying tweaks if you don't have a certain understanding of Windows and are unaware of the repercussions...
Tweaks are user-context dependent; on my static/non-networked/slim systems, I have disabled many LOLbins without having many issues. What works for me may not for others.
I did not say that.
@Andy Ful
When you said the location for 64 bit is
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
...
True fileless malware can even use PowerShell without it being on the target system, the malware is embedded with PowerShell.
One side question
Can scripts execute via PowerShell besides WSH? If yes, then shouldn't we disable/block PowerShell as well?
Besides WSH (or PowerShell if it does) what other routes can scripts execute?
OK, found something by @Andy Ful from below
True fileless malware can even use PowerShell without it being on the target system, the malware is embedded with PowerShell.
There are many ways, like ADS for example.
I did not say that.
For 32-bit Windows the changes must be done in the key:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
For 64-bit Windows the changes must be done in the keys:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
The first key is related to blocking (system wide) Windows Script Host for 64-bit processes.
The interpreters are:
c:\windows\system32\wscript.exe
c:\windows\system32\cscript.exe
The second key is related to blocking (system wide) Windows Script Host for 32-bit processes on 64-bit Windows. The interpreters are:
c:\windows\SysWOW64\wscript.exe
c:\windows\SysWOW64\cscript.exe
On 32-bit Windows there are no registry keys with WOW6432Node and there is no c:\windows\SysWOW64 folder.
The registry tweaks are only for advanced users who understand well what they are doing.
HKLM is the shortcut for the HKEY_LOCAL_MACHINE registry hive.
Edit
For compatibility reasons, Microsoft keeps the c:\Windows\System32 folder for the executables which are native to the Windows bitness (32-bit executables on 32-bit Windows, but also 64-bit executables on 64-bit Windows).
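
An added example (not part of the thread and not any poster's code): a read-only PowerShell check that reports the Enabled value in HKCU and in both HKLM registry views described in the post above, so a 64-bit system is not left with only one of the two keys set. The function name Get-WshEnabledValue is hypothetical; the script assumes Windows PowerShell 5.1 or later and uses the .NET RegistryView API so the result is the same from a 32-bit or a 64-bit PowerShell session.

```powershell
# Added example: read-only audit of the WSH "Enabled" value. Nothing is written.
$subKey = 'SOFTWARE\Microsoft\Windows Script Host\Settings'

# Hypothetical helper: returns the raw "Enabled" value, or $null if the key
# or the value does not exist in the requested hive/view.
function Get-WshEnabledValue {
    param(
        [Microsoft.Win32.RegistryHive]$Hive,
        [Microsoft.Win32.RegistryView]$View
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    try {
        $key = $base.OpenSubKey($subKey)      # opened read-only by default
        if ($null -eq $key) { return $null }
        try     { return $key.GetValue('Enabled', $null) }
        finally { $key.Dispose() }
    }
    finally { $base.Dispose() }
}

$targets = @(
    @{ Name = 'HKLM native view (System32 wscript/cscript)';  Hive = 'LocalMachine'; View = 'Registry64' }
    @{ Name = 'HKLM WOW6432Node (SysWOW64 wscript/cscript)';  Hive = 'LocalMachine'; View = 'Registry32' }
    @{ Name = 'HKCU (current user only)';                     Hive = 'CurrentUser';  View = 'Default' }
)

if (-not [Environment]::Is64BitOperatingSystem) {
    # 32-bit Windows has no WOW6432Node: both views resolve to the same key,
    # so the second row would only repeat the first.
    $targets = $targets | Where-Object { $_.View -ne 'Registry32' }
}

foreach ($t in $targets) {
    $value = Get-WshEnabledValue -Hive $t.Hive -View $t.View
    if ($null -eq $value) {
        $state = 'not set'
    } elseif ("$value" -eq '0') {
        # Comparing as text accepts either a DWORD 0 or a string "0".
        $state = 'disabled'
    } else {
        $state = "set to $value"
    }
    [pscustomobject]@{ Location = $t.Name; Enabled = $value; State = $state }
}
```

On 64-bit Windows, a result where one HKLM row shows "disabled" and the other shows "not set" is the incomplete configuration the post describes.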