How-To Disable Windows Script Host

Threats & Research

ws_blurred_light_from_windows
Reading time: 1 min min
  • Blog post
  • Noora Hyvärinen
  • 2019
  • Protect and prevent threats
Noora Hyvärinen

19.04.16 1 min. read

 

 

 

Numerous spam campaigns are pushing various crypto-ransomware families (and backdoors) via .zip file attachments. And such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host.

Do yourself a favor and edit your Windows Registry to disable WSH.

Here’s the key (folder).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings

Create a new DWORD value named “Enabled” and set the value data to “0”.

 

And then, if you click on a .js file, you’ll see this.

Which is way better than seeing an extortion note.

Updated 2016-04-20: HKEY_CURRENT_USER can be used as an alternative.

Related posts

August 25, 2023 Read more
meet-threat-hunters_1940x970-1024x512
August 25, 2023

Of Cameras & Compromise: How IoT Could Dull Your Competitive Edge

The Internet of Things is here. And with it are exciting possibilities, cost savings and efficiencies. But there’s a dark side to this bright new world, and it can be summed up in what we call Hypponen’s Law: If it’s smart, it’s vulnerable.

Read more
ws_woman_looking_at_computer_screen_with_pen
August 25, 2023

How to decompile any Python binary

At WithSecure we often encounter binary payloads that are generated from compiled Python. These are usually generated with tools such as py2exe or PyInstaller to create a Windows executable.

Read more
ws_cold_boot_attack_demo
August 25, 2023

The Chilling Reality of Cold Boot Attacks

What do you do when you finish working with your laptop? Do you turn it off? Put it to sleep? Just close the lid and walk away?

Read more