Windows default settings for WSH allow execution of a WSH script file from the shell—that is, the Open command is set to activate the script when the script's file is double-clicked. Another way to prevent the accidental infection of your systems by WSH script viruses is to disable the default Open command. You change the Open action so that the command loads the source code into Notepad instead of executing the script using WSH. If the user accidentally chooses Open to view the attachment in an e-mail reader or in Internet Explorer after clicking a download entry, the script virus isn't executed. Instead, the source code is loaded into Notepad.
If a user saves a virus-infected attachment and launches it manually, this strategy won't help. But this solution still greatly reduces the risk of accidental infection.
You implement this "redirection" by changing the Registry settings for .vbs, .vbe, .js, .jse, and .wsf file types. You can change these settings in two ways:
Now let's take a look at how the file-type associations are kept in the Registry. All settings for file-type associations are kept in the Registry branch HKEY_CLASSES_ROOT. Each file type owns a key (for example, .vbs) that describes the file extension and a second key (for example, VBSFile) that hosts the association. We need to alter the values located in the keys VBSFile, JSFile, JSEFile, VBEFile, and WSFFile.
WSH 1 supports only .vbs and .js file types, which have VBSFile and JSFile entries in the Registry.
The following content of a REG file makes the necessary changes for the .vbs file type (subkey VBSFile) in Windows 95 and Windows 98:
REGEDIT4 [HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command] @="Notepad.exe \"%1\"" [HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command] @="Notepad.exe \"%1\"" [HKEY_CLASSES_ROOT\VBSFile\Shell\Execute] @="&Execute" [HKEY_CLASSES_ROOT\VBSFile\Shell\Execute\Command] @="C:\\Windows\\WScript.exe \"%1\" %*" [HKEY_CLASSES_ROOT\VBSFile\Shell\ExecuteDOS\Command] @="C:\\Windows\\COMMAND\\CScript.exe \"%1\" %*"
After you import the REG file (double-click on the REG file, and click Yes in the dialog box that asks whether to import the file), the Open command is changed so that a double-click on a VBScript file opens the file in Notepad. To execute the file, right-click on the file and choose Execute from the context menu. The menu command ExecuteDOS executes the script using CScript.exe.
For .js files, you can use a similar REG file. The association is made in the subkey JSFile. You use the same code as just shown, but you change the VBSFile pattern to JSFile and save the result in a second REG file. You can deal with .wsf files in the same way. That file type uses the key WSFFile in the Registry, so you must change the VBSFile pattern to WSFFile.
You can also use REG files to block associations for encoded versions of script files, which use the filename extensions .vbe and .jse. These file types use the entries VBEFile and JSEFile, respectively.
To restore the old settings, you can also use a REG file. The following code from a REG file restores the default settings for .vbs and removes the Execute and ExecuteDOS verbs from the VBSFile subkey:
REGEDIT4 [HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command] @="C:\\WINDOWS\\WScript.exe \"%1\" %*" [HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command] @="C:\\WINDOWS\\COMMAND\\CScript.exe \"%1\" %*" [-HKEY_CLASSES_ROOT\VBSFile\Shell\Execute] [-HKEY_CLASSES_ROOT\VBSFile\Shell\ExecuteDOS]
You can create similar REG files for .vbe, .js, .jse, and .wsf files in order to change the default WSH settings for Windows 95 and Windows 98.
The same REG file won't work on all platforms. For example, Windows NT 4 and Windows 2000 keep the WSH executables in the system folder \System32, whereas Windows 95 and Windows 98 store the executables in the Windows folder. Also, Windows NT 4 and Windows 2000 store strings in Unicode format; Windows 95 and Windows 98 store strings in ASCII format. Therefore, you must customize the REG files according to what platform is being used. I recommend using the technique I'll describe next for creating the REG files for Windows NT 4 and Windows 2000. Alternatively, you can write a script program that detects the Windows version and the WSH version and alters the necessary Registry settings. For more details about registering file types, see my book Inside the Microsoft Windows 98 Registry (Microsoft Press, 1998). The information in that book about registering file types applies to all 32-bit versions of Windows.
If you'd rather not use the REG files just described (or if you want to experiment a bit before you change your system settings or to customize the settings to export into REG files), choose the Folder Options command from the View menu or the Tools menu in a folder window. On the File Types property page, select an entry, such as VBScript Encoded Script File or VBScript Script File, and view the settings by clicking the Edit button (or the Advanced button in Windows 2000). The Edit File Type dialog box will show all the defined verbs for the file type. You can change the settings for the Open and Open2 commands manually and add the old settings for Open and Open2 as Execute and ExecuteDOS. (Chapter 2 discusses how to add an Edit command for a script file. Repeat the steps described there for other types of script files.)
After changing the settings for script file-type associations, you can fire up the Windows Registry editor Regedit.exe, search for a key (such as HKEY_CLASSES_ROOT/JSFile), and export the key into a REG file by using the Export Registry File command in the Registry menu. Repeat this step for the other file types (such as VBSFile, VBEFile, JSEFile, and WSFFile). Then use Notepad to remove unused entries (according to the example shown earlier) and merge the final result of all REG files into one REG file. You can use that final file on other machines to import the Registry settings.
Some computer magazines and Web sites advocate removing WSH as a way to protect your system against infection from WSH script viruses. Although this technique is still possible in Windows 95, Windows 98, and Windows NT 4, such an extreme precaution isn't necessary. Furthermore, because WSH is an integral part of the operating system in Windows 2000 and Windows Millennium Edition (Me), stripping out WSH just isn't feasible. Neither do I recommend deleting files such as WScript.exe and CScript.exe in these environments—these are essential system files. Windows 2000 tries to repair the operating system if system files are corrupted or missing (as Windows Me does). Therefore, I recommend that you use one of the strategies described in this appendix.