Microsoft console based script host



Ok,

So I know what this Microsoft console based script host is, but my question is why does it think it has to connect to the internet every once in a while?

 

Only very recently started getting it to trigger an alert via my firewall. I have even gone so far as to add the registry edit to disable it, but still get the alert.

 

Thank you

 

Microsoft ® Console Based Script Host (part of Microsoft ® Windows Script Host) © Microsoft Corporation

Information about Microsoft ® Console Based Script Host

Microsoft ® Console Based Script Host is usually found in following folders:

  • %SystemRoot%\system32\cscript.exe
  • %SystemRoot%\SysWOW64\cscript.exe
Microsoft ® Console Based Script Host is reported to open following extensions:

 


  On 15/03/2014 at 11:32, cork1958 said:

why does it think it has to connect to the internet every once in a while?

It does when it's told to.. got a script running somewhere that's calling out? Scheduled tasks, etc?

No scripts running that I'm aware of and no scheduled tasks either.

 

Have thoroughly scanned computer with Malwarebytes and Superantispyware also. Nothing found.

 

As stated, only recently started getting this. Thought it seemed to have started after last month's Windows updates.

  On 15/03/2014 at 11:38, cork1958 said:

No scripts running that I'm aware of and no scheduled tasks either.

There is one running if the script engine is active. It's just like any other interpreter.. doesn't do anything (or even load into memory) unless it's told to. If you use a better task manager (Process Hacker, etc) you should see the engine along with whatever script it's running.. the built in one only shows the engine itself if I recall.

Example:

Script.png

So, the next question is, how do I find the where, when and how a script is running and why only recently?

 

Thanks

 

Oops!

You must've added that last part after original posting!

 

Edit:

Just installed Process Hacker and I see nothing different than what the Windows task manager shows. Same 31 processes.

  On 15/03/2014 at 11:45, cork1958 said:

So, the next question is, how do I find the where, when and how a script is running and why only recently?

You must've added that last part after original posting!

Yep, figured I'd toss an example so you get an idea what I was talking about. May give you a clue if you catch it running.

 

Well, something like AutoRuns from SysInternals is a good start, shows you everything that'll start up automatically, be it startups, scheduled, shell hooks, toolbars, extensions, etc etc.  If it's not in there, another program could be starting it too, in which case this sort of utility wouldn't do you any good.. really hard to say with no information.

 

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

 

Last resort, you can temporarily disable the script host, just until you can figure out what's calling it.. will typically throw an error on screen if a script tries to execute.  HKLM\Software\Microsoft\Windows Script Host\Settings, add a DWord called Enabled and set it to 0.  (1 will enable it again.)  May be a group policy setting for it too, not positive but wouldn't surprise me if there was.

  On 15/03/2014 at 11:53, Max Norris said:
Last resort, you can temporarily disable the script host, just until you can figure out what's calling it.. will typically throw an error on screen if a script tries to execute.  HKLM\Software\Microsoft\Windows Script Host\Settings, add a DWord called Enabled and set it to 0.  (1 will enable it again.)  May be a group policy setting for it too, not positive but wouldn't surprise me if there was.

 

As I stated, I have already edited the registry to disable it and put that edit under both HKLM and HKCU. Still get the alert from firewall!

 

Edit:

Actually, I've put it under both keys only after seeing the firewall alert pop up after adding to one key or the other.

 

Edit 2:

Already have autoruns installed and it's not showing me what I want to see either!

  On 15/03/2014 at 11:58, cork1958 said:

As I stated, I have already edited the registry to disable it and put that edit under both HKLM and HKCU. Still get the alert from firewall!

 

Edit:

Actually, I've put it under both keys only after seeing the firewall alert pop up after adding to one key or the other.

If that key is set properly, the script engine will not run, regardless if it's called from the desktop, a console, etc.  You should see something along the lines of this below if you try.  (Depends if using cscript or wscript, that setting affects both.. one's GUI oriented, one's for the console.)

 

Error1.png

 

Error2.png

 

Are you sure you have it set properly?  If it's under HKLM that'll disable it for every account, not just yours. Also, just tossing it out there, are you sure you're dealing with the actual Windows script host and not some program that just happens to be called the same thing located elsewhere?

 

You could always use ProcMon to keep an eye on what's running and what they're doing.  It's going to fill up fast with information, it's very detailed. So, add a new filter to only show processes with "script" in the name.  If it starts, you'll know, and it'll tell you what script it's running, what process started it, where it's located (just in case), etc etc.  Let it run and do what you usually do.. you'll know if it starts.

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

 

ScriptTrap.png

I am absolutely positive I have the registry edit set correctly

 

Ok,

I'm dumb on this one.

 

How did you run that command from the desktop?

 

Edit:

I think I've found part of the issue as to why I've never seen that alert for script host being disabled. The 2 or 3 places I read about doing that reg edit DID NOT have the new DWord as enabled. It was enable, WITHOUT the "d" at the end!

  On 15/03/2014 at 12:35, cork1958 said:

I am absolutely positive I have the registry edit set correctly

How did you run that command from the desktop?

Just create a blank text file and rename it to whatever.vbs and double click it, that'll launch via wscript, doesn't need to have any actual script code in it, blank is fine.  (Or do "wscript whatever.vbs" in a console, same thing.)  If you want to get cute, you can put a MsgBox("I'm still active") in it, just to prove to yourself it's running or not. But yea, if it's still somehow starting, trap the sucker with ProcMon and see where it's coming from.  If it's not starting automatically from any number of sources, AutoRuns won't help you, like I said any program can start a script if it wanted to, pretty easy to integrate scripting into an application.  Disabling the script engine is just a bandaid (never mind potentially breaking other applications that may need it), you'll want to find out what's running it in the first place, hence ProcMon.

  On 15/03/2014 at 12:45, cork1958 said:

That was too easy and yes, changing that reg edit to "Enabled" and not just Enable, displayed the alert.

 

Now, to try and track down the culprit!

 

Thank you, Max!!

The spelling matters ;) No problem, good hunting.

Yes,

I know the spelling matters a WHOLE lot, but every place I saw on how to do that edit only had Enable, not Enabled!

 

I even copy and pasted the how to from 2 sites and e-mailed it to myself to make sure I did it like those articles said how to!

 

Thanks again!! :)

This topic is now closed to further replies.
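The checks discussed in this thread, collected as an added PowerShell example (not posted by anyone in the thread): it reports the `Enabled` value under both keys, flags the misspelled `Enable` value, and lists any running cscript/wscript with its script, parent process and binary location. The function names are made up for this example, and the scheduled-task check assumes Windows 8 / Server 2012 or later for `Get-ScheduledTask`.

```powershell
# Added example, not from the thread. Key and value names are the ones quoted above.
$WshKeys = 'HKLM:\Software\Microsoft\Windows Script Host\Settings',
           'HKCU:\Software\Microsoft\Windows Script Host\Settings'

function Get-WshSwitchState {
    # Reports the real "Enabled" value and flags the misspelled "Enable" value.
    foreach ($key in $WshKeys) {
        $item  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $names = @(if ($item) { $item.PSObject.Properties.Name })
        [pscustomobject]@{
            Key            = $key
            Enabled        = if ($names -contains 'Enabled') { $item.Enabled } else { '<not set>' }
            MisnamedEnable = $names -contains 'Enable'
        }
    }
}

function Get-ScriptHostProcess {
    # Snapshot of running script hosts: script on the command line, parent, binary path.
    $all  = @(Get-CimInstance -ClassName Win32_Process)
    $dirs = "$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\"
    foreach ($p in $all | Where-Object { $_.Name -match '^(c|w)script\.exe$' }) {
        $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId } |
                  Select-Object -First 1
        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            CommandLine = $p.CommandLine
            Path        = $p.ExecutablePath
            # False means a same-named binary outside the two standard folders.
            InSystemDir = [bool]($dirs | Where-Object { $p.ExecutablePath -like "$_*" })
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<exited>' }
        }
    }
}

function Get-ScriptHostTask {
    # Scheduled tasks whose action launches a script host.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Actions |
            Where-Object { "$($_.Execute) $($_.Arguments)" -match '(c|w)script' } |
            ForEach-Object { [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName
                                                Run  = "$($_.Execute) $($_.Arguments)" } }
    }
}

Get-WshSwitchState    | Format-Table -AutoSize
Get-ScriptHostProcess | Format-List
Get-ScriptHostTask    | Format-Table -AutoSize
```

The process listing is a point-in-time snapshot, so a script that runs for a second and exits will be missed; the ProcMon filter suggested in the thread is what catches those.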