Windows script host

HarborFront

What do you mean? I assume that the registry tweaks are already done.
It is not the command line to introduce the new tweak, but only the command line for checking if the already applied reg tweaks (for blocking WSH) are working well.
Ok, tested and is working fine. Thanks
 

SumTingWong

When you execute the script by a mouse-click, then on 64-bit Windows the 64-bit interpreter wscript.exe is used by default to run the script. So, you did not test if the 32-bit interpreter was blocked.
The command line from my post executes the script like malware can do, by using the 32-bit interpreter wscript.exe on 64-bit Windows. So, if you have the script helloworld.vbs in the "c:\scripts" folder, then you have to execute the command line:
c:\Windows\SysWOW64\wscript.exe "c:\scripts\helloworld.vbs"
If you see the alert that Windows Script Host is blocked, then you can be sure that the 32-bit interpreter wscript.exe is also blocked.

Simply copy & paste & execute the command line in the 'Quick access' area in Windows File Explorer, or in the Command Prompt console.

So I just copy and paste this code to CMD? Yes?
c:\Windows\SysWOW64\wscript.exe "path2yourscript"

If I get an error then I am good?
 
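A complementary check to the manual test discussed above, as an added example that is not part of any post in this thread: it reads the WSH setting from both the 64-bit and the 32-bit registry view, so you can see whether the block covers both interpreters. It assumes the block was applied with the `Enabled` value under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings`; blocks applied by other means are not detected.

```powershell
# Added example (not from the thread). Assumption: WSH was blocked with the
# "Enabled" value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings.
function Get-WshEnabledState {
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryView]$View)

    $subKey = 'SOFTWARE\Microsoft\Windows Script Host\Settings'
    # OpenBaseKey with an explicit view bypasses WOW64 redirection, so the
    # result does not depend on whether this PowerShell is 32- or 64-bit.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($subKey)
        if ($null -eq $key) { return 'NotConfigured' }
        try {
            $value = $key.GetValue('Enabled', $null)
        } finally {
            $key.Dispose()
        }
    } finally {
        $base.Dispose()
    }
    if ($null -eq $value) { return 'NotConfigured' }
    # The value may be stored as REG_DWORD 0 or REG_SZ "0"; compare as text.
    if ("$value".Trim() -eq '0') { return 'Blocked' }
    return 'Allowed'
}

# The 64-bit view applies to System32\wscript.exe; on 64-bit Windows the
# 32-bit view (WOW6432Node) applies to SysWOW64\wscript.exe.
$checks = @(
    @{ View = 'Registry64'; Interpreter = "$env:SystemRoot\System32\wscript.exe" }
)
if ([Environment]::Is64BitOperatingSystem) {
    $checks += @{ View = 'Registry32'; Interpreter = "$env:SystemRoot\SysWOW64\wscript.exe" }
}

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Interpreter  = $c.Interpreter
        RegistryView = $c.View
        State        = Get-WshEnabledState -View $c.View
    }
}
$results | Format-Table -AutoSize

if ($results.State -ne 'Blocked') {
    Write-Warning 'At least one interpreter is not blocked by this registry setting.'
}
```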

DeepWeb

One side question

Can scripts execute via PowerShell besides WSH? If yes, then shouldn't we disable/block PowerShell as well?

Besides WSH (or PowerShell if it does) what other routes can scripts execute?
Which is why people should be using SUA. In Windows 10 at least under my configuration even if I elevate as an admin I cannot execute a script unless I'm fully logged into my admin account. Something about the execution policy of the user vs machine.
 

Andy Ful

...
Besides WSH (or PowerShell if it does) what other routes can scripts execute?
The most common are via mshta.exe (can run .hta files by default) and hh.exe (can run .chm files). Both mshta.exe and hh.exe can run JavaScript code. Like wscript.exe, the interpreter mshta.exe can run the script embedded in almost any file, even in a plain .txt file.
The scripts embedded in the compiled .chm files are very dangerous and usually very effective as spam attachments.

The JScript and VBScript scripts can also be run via WMI without using the standard Windows Script Host interpreters, but by abusing scrcons.exe. Yet, this method is usually a way of hiding script execution to obtain malware persistence, because the system has to be already compromised.
 