Windows Script Host

I heard from a sysadmin friend of mine that they have disabled Windows Script Host on all their workstations to protect them from malware that exploits local scripts. This sounded interesting to me, so I wanted to check it out.

Windows Script Host is responsible for running local scripts on your computer, including JScript (.js files) and VBScript (.vbs files). If you are not aware, JScript and VBScript are two major tools used when infecting a computer. So if you do not use these kinds of scripts, it may be a good idea to turn them off.

Turn Off Windows Script Host

To disable Windows Script Host you just need to change or add one value in the registry.

Go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings

Then set the DWORD “Enabled” to 0. If there is no “Enabled” value, you can add one.

[Screenshot: Disable Windows Script Host]

After that, you can make a blank .js file with Notepad to test whether it is working. If all is well, you should get this:

[Screenshot: Windows Script Host Error]

Now you know some random script will not run on your computer, and you will get this message if something attempts to run.
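The same steps can be scripted for more than one workstation. The PowerShell below is an added example, not part of the original post: it reads the current "Enabled" value, sets it to 0, and then checks the result by running a harmless JScript probe through cscript.exe. The function names, the probe file name and the marker string are made up for this example, and it assumes an elevated prompt.

```powershell
# Added example: audit, set and verify the WSH "Enabled" value from the article.
# Run from an elevated PowerShell prompt (HKLM is only writable by administrators).
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$Name = 'Enabled'

function Get-WshEnabledValue {
    # Returns the current value, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Disable-Wsh {
    # Create the Settings key if it is missing, then create or overwrite the DWORD.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WshBlocked {
    # Probe: a JScript file that only echoes a random marker (hypothetical file name).
    # If the marker comes back in the output, WSH still executes scripts.
    $marker = 'WSH_RAN_' + [guid]::NewGuid().ToString('N')
    $probe  = Join-Path $env:TEMP 'wsh-probe.js'
    Set-Content -Path $probe -Value "WScript.Echo('$marker');" -Encoding ASCII
    try {
        $output = & "$env:SystemRoot\System32\cscript.exe" //NoLogo $probe 2>&1 | Out-String
        return ($output -notmatch $marker)
    } finally {
        Remove-Item $probe -ErrorAction SilentlyContinue
    }
}

$before = Get-WshEnabledValue
if ($null -eq $before) { 'Before: Enabled = (not set)' } else { "Before: Enabled = $before" }

Disable-Wsh
"After:  Enabled = $(Get-WshEnabledValue)"

if (Test-WshBlocked) {
    'OK: the probe script was refused by Windows Script Host'
} else {
    Write-Warning 'Windows Script Host still executed the probe script'
}
```

Checking for the marker rather than the error text keeps the test independent of the Windows display language.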

Block Fileless Malware

Based on my understanding of how the new fileless malware works, this fix should help block it, or at least block some variants. A lot of them seem to involve running a JScript or VBScript at some point in the attack process.

But do not get too comfortable and think this makes you 100% safe. Malware changes daily so it is always good to be vigilant and informed!

Side Effects

I have been testing this for a while and have not run into any real issues. Batch and PowerShell still work fine. So disabling this has not hurt me any, but if you run any kind of scripts in your environment this may not be an option for you. For example, my company runs a VBScript on login to map printers. So disabling this is not an option for us as long as we keep that printer script in place.

It is also worth noting that this has no effect on browsers or web pages. Scripts running on a website will still work fine. Windows Script Host only gets involved when something crosses over into local space.
