That's what I just did
Windows script host
- Thread starter Nevi
- Start date
Sorry if I made havoc . I just fell over the disabling of the script host, and thought that looked like a good idea.Still do. But of course it has to be done the right way. I am no PC wizard, I just try to make it all play without too much fuzz.
Create the new file, change the extension to .vbs and try to run it, if you get the message, that is it blocked, that you have done it properly.
Why did you have to say that?! I was so sure of myself, now I will not be able to sleep anymore, until I solve it.
No, for the standard applications.
Windows Script Host scripts are used sometimes (very rarely), for example by 'Intel(r) Energy Checker SDK'. Blocking WSH in the home environment do not break anything important.
Block Windows Script Host script execution on Windows 64-bit:
Code:
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /fThe Command Prompt cannot be blocked system wide, because it is used as an alternative shell in Windows (Safe Boot can start system in Command Prompt). It can be blocked per user. The below is the way to block it on the default Administrator type of account (not SUA):
Code:
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /fThe above reg tweak will not work on SUA (Standard User Account). On SUA one should use the similar key in the proper HKU registry hive.
Yet, OneDrive uses Command Prompt to clean the leftovers after updates, Sandboxie uses it to clean the sandbox, Intel software can use it for launching igfxEM.exe or igfxHK.exe, or igfxTray.exe, etc. So, disabling Command Prompt is more tricky than disabling Windows Script Host.
Last edited:
I guess that only applies, when run as user is specified? I can not run .bat as admin, when disablecmd is in effect.
PowerShell is the most dangerous Windows scripting language, so it should be restricted in the first place.
Tutorial - How do you secure PowerShell?
PowerShell interpreters can be blocked, but this does not mean that PowerShell functionality can be totally blocked by this. The PowerShell functions are contained in the System.Management.Automation.dll and System.Management.Automation.ni.dll. It is not recommended to block those DLLs.
Thanks. 'Run as administrator' can be used to bypass blocked Command Prompt only if you would block Command Prompt on SUA. But, blocking Command Prompt by policy on SUA cannot be done via HKCU reg tweak. One has to do it via the proper HKU registry key. My post was not precise, so I edited it.
Yes, 3rd party apps are the easiest way to do this and other important security tweaks. Appguard needs to be specifically configured to block Windows Script Host, but some other apps will do it out of the box.
A question. H_C blocks Windows Script Host?
D
Deleted member 178
HC is SRP, so if configured properly it should do it.
Create the new file, change the extension to .vbs and try to run it, if you get the message, that is it blocked, that you have done it properly.
View attachment 205337
Why did you have to say that?! I was so sure of myself, now I will not be able to sleep anymore, until I solve it.
Mine is work!
On 64-bit Windows the above checks only 64-bit Windows Script Host.
For checking 32-bit Windows Script Host on 64-bit Windows you should also execute from the Explorer the below command line:
c:\Windows\SysWOW64\wscript.exe "path2yourscript"
Indeed if H_C block without mercy Windows Script Host.
F
ForgottenSeer 69673
You can block Windows Script Host via H_C settings in 2 different ways:
- Windows policy - blocks it also for administrative tasks.
- SRP - blocks it for the user and malware which run without admin rigths (not elevated), but allows it for administrative tasks.
Last edited:
When you execute the script by a mouse-click, then on 64-bit Windows the 64-bit interpreter wscript.exe is used by default to run the script. So, you did not test if the 32-bit interpreter was blocked.
The commandline from my post, executes the script like malware can do, by using 32-bit interpreter wscript.exe on 64-bit Windows. So, if you have the script helloworld.vbs in "c:\scripts" folder, then you have to execute the commandline:
c:\Windows\SysWOW64\wscript.exe "c:\scripts\helloworld.vbs"
If you will see the alert that Windows Script Host is blocked, then you can be sure that also 32-bit interpreter wscript.exe is blocked, for sure.
Simply copy & paste & execute the commandline in the 'Quick access' area in Windows File Explorer, or in the Command Prompt console.
Last edited:
What do you mean? I assume that the registry tweaks are already done.
It is not the commandline to introduce the new tweak, but only the commandline for checking if the already applied reg tweaks (for blocking WSH) are working well.
Last edited:
You may also like...
-
Potenial method for locking script files down!- Started by Parkinsond
- Replies: 16
-
Windows PowerShell now warns when running Invoke-WebRequest scripts
- Started by Parkinsond
- Replies: 1
-
Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware
- Started by Parkinsond
- Replies: 22
-
Orion Malware Cleaner (OMC) - By Trident- Started by Trident
- Replies: 23
