Windows Script Host: Difference between revisions

The Microsoft Windows Script Host (originally called Windows Scripting Host, but renamed for the second release) is distributed and installed by default on Windows 98 and later versions of Microsoft Windows. It is also installed if Internet Explorer 5 (or a later version) is installed. It provides scripting capabilities comparable to batch files, but with a greater range of supported features. Beginning with Windows 2000, the Windows Script Host became available for use with user login scripts.

It is language-independent in the sense that it can make use of different Active Scripting language engines. By default it interprets and runs plain-text JScript (.JS and .JSE files) and VBScript (.VBS and .VBE files). Users can install different scripting engines to enable them to script in other languages, for instance Perl. The language independent filename extension WSF can also be used. The advantage of the Windows Script File (.WSF) is that it allows the user to use a combination of scripting languages within a single file.

Security concerns

Windows applications and processes may be automated using a script in Windows Script Host. Viruses and malware may attempt to use this ability as an exploit. Consequently, some suggest disabling it for security reasons. ^[1] Alternatively antivirus programs may offer features to control .vbs and other scripts which run in the WSH environment.

One way to address security concerns about Windows Script Host is to change the default handler for the .vbs, .vbe, .js, .jse, .wsf, .wsh file types to edit rather than run.^[2]

Since version 5.6 of WSH, scripts can be digitally signed programmatically using the Scripting.Signer object in a script itself, provided a valid certificate is present on the system. Alternatively, the signcode tool from the Platform SDK, which has been extended to support WSH filetypes, may be used at the command line.

By using Software Restriction Policies introduced with Windows XP, a system may be configured to execute only those scripts which have been digitally signed, thus preventing the execution of untrusted scripts. ^[3]

Version history

Windows 98 and Windows 2000 shipped with WSH version 5.1. Windows XP and Windows Server 2003 shipped with WSH version 5.6. Windows Vista was distributed with version 5.7. Downloads are available to install WSH on Windows 95 and Windows NT. Windows 2000, XP and 2003 can be upgraded to use the latest version (5.7) for free by downloading the appropriate files from Microsoft (see the external links section below). In determining if an upgrade is necessary, Windows users can execute the command Cscript /? at the Windows Command Prompt (cmd.exe).

See also

• Active Scripting
• Shell script
• Windows PowerShell
• Microsoft Script Debugger

References

1. http://www.norman.com/Virus/Articles/Articles_previous_years/25780/en Windows Script Host - disabling]
2. In-depth discussion regarding securing WSH
3. Windows Script Host 5.6 Boasts Windows XP Integration, Security, New Object Model

External links

• WSH Primer on Microsoft TechNet - Get started with WSH
• WSH home at MSDN
• WSH Reference
• Microsoft Windows Script Downloads
• Release notes for Windows Script 5.7