RE: Can I delete Wscript.exe?

Date: 10/14/02

Date: Mon, 14 Oct 2002 13:25:25 -0700

WFP will pop up an alert if you try to delete/rename a dllcache'd file on
Windows 2000 Professional.

A workaround (my favorite) that I found posted somewhere was to do something
like this:

copy c:\winnt\system32\dllcache\notepad.exe
copy c:\winnt\system32\dllcache\notepad.exe
copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\wscript.exe
copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\cscript.exe

WFP is not intelligent enough to know when one protected file is overwritten
with a copy of another.

This way, even with the file associations still intact, your users are safe.
In fact, better than safe - now clicking on those .vbs attachments will pop
a lot of ugly-looking code up in a notepad window! That will give them a
scare, and they'll give you a call - which gives you a chance to find out
how and where .vbs files are getting in in the first place.

Notice that this sequence of commands should be rerun after every
application of a Windows service pack, or a patch that affects wscript.exe
or cscript.exe, etc.

I don't believe any legitimate uses for either wscript.exe or cscript.exe
exist other than an Administrator calling it directly from the command line.
I've had it disabled for months on about 60 user machines with no problems
(although I just found out about the notepad.exe trick today.)

> -----Original Message-----
> From: Dominick Baier []
> Sent: Monday, October 07, 2002 14:12
> To: 'Andreas Huber';;
> Subject: AW: Can I delete Wscript.exe?
> Wscript gets replaced by windows file protection when you
> rename/delete
> it ... at least on server versions...
> you have to delete \winnt\system32\dllcache\wscript, too
> greetings
> dominick
> -----Ursprüngliche Nachricht-----
> Von: Andreas Huber []
> Gesendet: Montag, 7. Oktober 2002 19:52
> An:;
> Betreff: AW: Can I delete Wscript.exe?
> you could try to rename wscript.exe into wscript.exe.old
> If you loose any features, you know that wscript.exe is important for
> win2k. if not, your problem is solve.
> greets
> andreas
> -----Ursprüngliche Nachricht-----
> Von: []
> Gesendet: Montag, 7. Oktober 2002 08:36
> An:
> Betreff: Can I delete Wscript.exe?
> One way to guard against script viruses and worms is
> obviously to delete
> Wscript.exe entirely. What I'd like to know is how does this
> affect the
> system (W2k)? Do I loose features that I might need? Also, I'm not
> exactly sure whether IE and Outlook Express use Wscript.exe to run
> scripts, so any info on that would be appreciated. Good links will do!
> Thanks!
> -- Rubio

Relevant Pages

  • Re: [Full-Disclosure] Silencing Windows File Protection
    ... Silencing Windows File Protection ... > shutting down, WFP. ... This allows for the replacement ... The second is the dllcache ...
  • Re: Word pad
    ... MS09-010: Description of the update for Windows WordPad Converter: April ... If wordpad.exe is deleted and not replaced, WFP is broken. ... File replacement was attempted on the protected system file c:\program ... I don't count on sfc /scannow and never even suggest it, ...
  • Re: Seem to have lost Calc.exe in Win XP
    ... As far as Windows is concerned, the one in dllcache doesn't match what ... You probably won't solve the WFP rejection of the dllcache copy problem by ... partition on the hard drive that can be accessed by pressing an F key, ... Sometimes the setup packages for application installations mess things up. ...
  • Re: Windows File Protection - turning off
    ... The cache used for SFP is here: ... > I'm trying to exempt a file from Windows File Protection. ... > replacing the supplied sound file gm.dls with one of my own. ... I'm told this is WFP but I've never encountered it before. ...
  • [Full-Disclosure] Silencing Windows File Protection
    ... the best way to bypass Windows File Protection (WFP) was ... The second is the dllcache ...