Microsoft console based script host



Ok,

So I know what this Microsoft console based script host is, but my question is why does it think it has to connect to the internet every once in a while?

 

Only very recently started getting it to trigger an alert via my firewall. I have even gone so far as to add the registry edit to disable it, but still get the alert.

 

Thank you

 

Microsoft ® Console Based Script Host (part of Microsoft ® Windows Script Host) © Microsoft Corporation

Information about Microsoft ® Console Based Script Host

Microsoft ® Console Based Script Host is usually found in following folders:

  • %SystemRoot%\system32\cscript.exe
  • %SystemRoot%\SysWOW64\cscript.exe
Microsoft ® Console Based Script Host is reported to open following extensions:

 


  On 15/03/2014 at 11:32, cork1958 said:

why does it think it has to connect to the internet every once in a while?

It does when it's told to.. got a script running somewhere that's calling out? Scheduled tasks, etc?

No scripts running that I'm aware of and no scheduled tasks either.

 

Have thoroughly scanned computer with Malwarebytes and Superantispyware also. Nothing found.

 

As stated, only recently started getting this. Thought it seemed to have started after last month's Windows updates.

  On 15/03/2014 at 11:38, cork1958 said:

No scripts running that I'm aware of and no scheduled tasks either.

There is one running if the script engine is active. It's just like any other interpreter.. doesn't do anything (or even load into memory) unless it's told to. If you use a better task manager (Process Hacker, etc) you should see the engine along with whatever script it's running.. the built in one only shows the engine itself if I recall.

Example:

Script.png

So, the next question is, how do I find the where, when and how a script is running and why only recently?

 

Thanks

 

Oops!

You must've added that last part after original posting!

 

Edit:

Just installed Process Hacker and I see nothing different than what the Windows task manager shows. Same 31 processes.

  On 15/03/2014 at 11:45, cork1958 said:

So, the next question is, how do I find the where, when and how a script is running and why only recently?

You must've added that last part after original posting!

Yep, figured I'd toss an example so you get an idea what I was talking about. May give you a clue if you catch it running.

 

Well, something like AutoRuns from SysInternals is a good start, shows you everything that'll start up automatically, be it startups, scheduled, shell hooks, toolbars, extensions, etc etc.  If it's not in there, another program could be starting it too, in which case this sort of utility wouldn't do you any good.. really hard to say with no information.

 

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

 

Last resort, you can temporarily disable the script host, just until you can figure out what's calling it.. will typically throw an error on screen if a script tries to execute.  HKLM\Software\Microsoft\Windows Script Host\Settings, add a DWord called Enabled and set it to 0.  (1 will enable it again.)  May be a group policy setting for it too, not positive but wouldn't surprise me if there was.

  On 15/03/2014 at 11:53, Max Norris said:
Last resort, you can temporarily disable the script host, just until you can figure out what's calling it.. will typically throw an error on screen if a script tries to execute.  HKLM\Software\Microsoft\Windows Script Host\Settings, add a DWord called Enabled and set it to 0.  (1 will enable it again.)  May be a group policy setting for it too, not positive but wouldn't surprise me if there was.

 

As I stated, I have already edited the registry to disable it and put that edit under both HKLM and HKCU. Still get the alert from firewall!

 

Edit:

Actually, I've put it under both keys only after seeing the firewall alert pop up after adding to one key or the other.

 

Edit 2:

Already have autoruns installed and it's not showing me what I want to see either!

  On 15/03/2014 at 11:58, cork1958 said:

As I stated, I have already edited the registry to disable it and put that edit under both HKLM and HKCU. Still get the alert from firewall!

 

Edit:

Actually, I've put it under both keys only after seeing the firewall alert pop up after adding to one key or the other.

If that key is set properly, the script engine will not run, regardless if it's called from the desktop, a console, etc.  You should see something along the lines of this below if you try.  (Depends if using cscript or wscript, that setting affects both.. one's GUI oriented, one's for the console.)

 

Error1.png

 

Error2.png

 

Are you sure you have it set properly?  If it's under HKLM that'll disable it for every account, not just yours. Also, just tossing it out there, are you sure you're dealing with the actual Windows script host and not some program that just happens to be called the same thing located elsewhere?

 

You could always use ProcMon to keep an eye on what's running and what they're doing.  It's going to fill up fast with information, it's very detailed. So, add a new filter to only show processes with "script" in the name.  If it starts, you'll know, and it'll tell you what script it's running, what process started it, where it's located (just in case), etc etc.  Let it run and do what you usually do.. you'll know if it starts.

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

 

ScriptTrap.png

I am absolutely positive I have the registry edit set correctly

 

Ok,

I'm dumb on this one.

 

How did you run that command from the desktop?

 

Edit:

I think I've found part of the issue as to why I've never seen that alert for script host being disabled. The 2 or 3 places I read about doing that reg edit DID NOT have the new DWord as enabled. It was enable, WITHOUT the "d" at the end!

  On 15/03/2014 at 12:35, cork1958 said:

I am absolutely positive I have the registry edit set correctly

How did you run that command from the desktop?

Just create a blank text file and rename it to whatever.vbs and double click it, that'll launch via wscript, doesn't need to have any actual script code in it, blank is fine.  (Or do "wscript whatever.vbs" in a console, same thing.)  If you want to get cute, you can put a MsgBox("I'm still active") in it, just to prove to yourself it's running or not. But yea, if it's still somehow starting, trap the sucker with ProcMon and see where it's coming from.  If it's not starting automatically from any number of sources, AutoRuns won't help you, like I said any program can start a script if it wanted to, pretty easy to integrate scripting into an application.  Disabling the script engine is just a bandaid (never mind potentially breaking other applications that may need it), you'll want to find out what's running it in the first place, hence ProcMon.
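Added example (not part of any post in this thread): a PowerShell watcher that does what the "script" filter in ProcMon is meant to do here, reporting each cscript.exe or wscript.exe start with its command line, its parent process, and whether the binary sits in one of the expected system folders. The log file name and the 500 ms polling interval are assumptions; a script that exits faster than the interval can be missed, which is where ProcMon remains the better trap.

```powershell
# Added example: report Windows Script Host processes and what launched them.
# Genuine host locations (cscript paths are listed in the thread; wscript sits beside them).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\cscript.exe'),
    (Join-Path $env:SystemRoot 'System32\wscript.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\cscript.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\wscript.exe')
)
$log = Join-Path $env:TEMP 'scripthost-watch.csv'   # hypothetical log location

function Get-ScriptHostProcess {
    Get-CimInstance Win32_Process -Filter "Name = 'cscript.exe' OR Name = 'wscript.exe'" |
        ForEach-Object {
            # The parent may already have exited; its fields are then empty.
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                Started       = $_.CreationDate
                ProcessId     = $_.ProcessId
                Path          = $_.ExecutablePath      # empty without elevation for other users' processes
                ExpectedPath  = $expected -contains $_.ExecutablePath
                CommandLine   = $_.CommandLine         # shows which script file is being run
                ParentPid     = $_.ParentProcessId
                ParentName    = $parent.Name
                ParentCommand = $parent.CommandLine
            }
        }
}

# Poll until interrupted (Ctrl+C), printing and logging each new instance once.
$seen = @{}
while ($true) {
    foreach ($p in Get-ScriptHostProcess) {
        $id = "$($p.ProcessId)|$($p.Started)"
        if (-not $seen.ContainsKey($id)) {
            $seen[$id] = $true
            $p | Format-List | Out-String | Write-Host
            $p | Export-Csv -Path $log -Append -NoTypeInformation
        }
    }
    Start-Sleep -Milliseconds 500
}
```

Run it from an elevated PowerShell window so the path and command line of processes owned by other accounts are visible.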

  On 15/03/2014 at 12:45, cork1958 said:

That was too easy and yes, changing that reg edit to "Enabled" and not just Enable, displayed the alert.

 

Now, To try and track down the culprit!

 

Thank you, Max!!

The spelling matters ;) No problem, good hunting.

Yes,

I know the spelling matters a WHOLE lot, but every place I saw on how to do that edit only had Enable, not Enabled!

 

I even copy and pasted the how to from 2 sites and e-mailed it to myself to make sure I did it like those articles said how to!

 

Thanks again!! :)
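Added example (not part of any post in this thread): a PowerShell check for the pitfall the thread ends on, a value named `Enable` that has no effect where `Enabled` was intended. It reads the Settings key under both HKLM and HKCU, reports the state of `Enabled`, and lists any look-alike value names; the function name is hypothetical, and it only reads the registry.

```powershell
# Added example: audit the Windows Script Host "Enabled" switch discussed in the thread.
$keys = @(
    'HKLM:\Software\Microsoft\Windows Script Host\Settings',
    'HKCU:\Software\Microsoft\Windows Script Host\Settings'
)

function Test-ScriptHostSetting {
    param([string[]]$Path = $keys)

    foreach ($p in $Path) {
        $key = Get-Item -Path $p -ErrorAction SilentlyContinue
        if (-not $key) {
            [pscustomobject]@{ Key = $p; State = 'key missing'; Value = $null; Kind = $null; Lookalikes = '' }
            continue
        }

        $names = $key.GetValueNames()
        # Value names that resemble the real one but are not it, e.g. "Enable".
        $lookalikes = @($names | Where-Object { $_ -like 'Enable*' -and $_ -ne 'Enabled' })

        if ($names -contains 'Enabled') {
            $value = $key.GetValue('Enabled')
            $kind  = $key.GetValueKind('Enabled')
            # 0 disables the script host, 1 enables it (as stated in the thread).
            $state = switch ("$value") {
                '0'     { 'disabled' }
                '1'     { 'enabled' }
                default { 'unexpected value' }
            }
        } else {
            $value = $null
            $kind  = $null
            $state = 'Enabled not set here'
        }

        [pscustomobject]@{
            Key        = $p
            State      = $state
            Value      = $value
            Kind       = $kind
            Lookalikes = ($lookalikes -join ', ')
        }
    }
}

Test-ScriptHostSetting | Format-Table -AutoSize -Wrap
```

A row showing `Enabled not set here` together with `Enable` in the Lookalikes column is the misnamed-value case described above.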
