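Title: Make double-clicking .js, .vbs and other script files open them in Notepad instead of executing them (a preventive measure against certain ransomware)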

http://scz.617.cn/windows/201603241150.txt

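Some ransomware does not use an .exe directly. Instead it arrives as a compressed email attachment such as a .zip, and the archive contains a .js file. The victim is infected after double-clicking the .js. As a good deed, here are the preventive measures.

Make double-clicking .js, .vbs and other script files open them in Notepad, so that such files found inside archives are not executed by mistake. Files of this kind can be considered equivalent to .exe executables.

Copy/paste and run the following 6 commands in an elevated cmd; running them once is enough: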

```
ftype JSFile=C:\Windows\System32\Notepad.exe %1
ftype JSEFile=C:\Windows\System32\Notepad.exe %1
ftype VBSFile=C:\Windows\System32\Notepad.exe %1
ftype VBEFile=C:\Windows\System32\Notepad.exe %1
ftype WSFFile=C:\Windows\System32\Notepad.exe %1
ftype WSHFile=C:\Windows\System32\Notepad.exe %1
```

To restore the default settings:

```
ftype JSFile=C:\Windows\System32\WScript.exe "%1" %*
ftype JSEFile=C:\Windows\System32\WScript.exe "%1" %*
ftype VBSFile="%SystemRoot%\System32\WScript.exe" "%1" %*
ftype VBEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
ftype WSFFile="%SystemRoot%\System32\WScript.exe" "%1" %*
ftype WSHFile="%SystemRoot%\System32\WScript.exe" "%1" %*
```

Q:

How can wscript.exe be prevented from being executed?

A: scz

```
icacls.exe wscript.exe /reset
icacls.exe wscript.exe /deny Everyone:(RX)
icacls.exe wscript.exe
```

There is also a registry value that can disable wscript completely.

DisableWscript.inf

```
[Version]
Signature = "$Windows NT$"

[DefaultInstall]
AddReg = DefaultInstall.AddReg

[DefaultInstall.AddReg]
HKCU,"Software\Microsoft\Windows Script Host\Settings","Enabled",%FLG_ADDREG_TYPE_SZ%,"0"
HKLM,"SOFTWARE\Microsoft\Windows Script Host\Settings","Enabled",%FLG_ADDREG_TYPE_SZ%,"0"

[Strings]
FLG_ADDREG_TYPE_SZ = 0x00000000
```

EnableWscript.inf

```
[Version]
Signature = "$Windows NT$"

[DefaultInstall]
DelReg = DefaultInstall.DelReg

[DefaultInstall.DelReg]
HKCU,"Software\Microsoft\Windows Script Host\Settings","Enabled"
HKLM,"SOFTWARE\Microsoft\Windows Script Host\Settings","Enabled"
```

Right-click the .inf file and click "Install". The same can be done from cmd.exe:

```
rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 .\DisableWscript.inf
rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 .\EnableWscript.inf
```

DisableWscript.reg

```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
"Enabled"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"="0"
```

The same can be done from cmd.exe:

```
reg.exe add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_SZ /d 0 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_SZ /d 0 /f
```

EnableWscript.reg

```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
"Enabled"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=-
```

The same can be done from cmd.exe:

```
reg.exe delete "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /f
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /f
```
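To check that the settings above actually took effect on a machine, the following read-only PowerShell audit reports the open command of the six script file types and the Windows Script Host `Enabled` value in both hives. It is an added example, not part of the original note; the function names are hypothetical, and it assumes that ftype stores each association in the default value of `HKLM\SOFTWARE\Classes\<type>\shell\open\command`.

```powershell
# Added audit example (read-only): reports whether the mitigations are in effect.
# Function names are hypothetical. Assumes ftype stores each association in
# HKLM\SOFTWARE\Classes\<type>\shell\open\command (default value).
$progIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'

function Get-ScriptOpenCommand {
    param([string]$ProgId)
    $key  = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$ProgId\shell\open\command"
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    # GetValue('') reads the unnamed (default) value of the key
    if ($item) { $item.GetValue('') } else { $null }
}

function Get-OpenCommandVerdict {
    param([string]$Command)
    # -match is case-insensitive, so WScript.exe and wscript.exe both hit
    if ([string]::IsNullOrEmpty($Command))     { 'no open command registered' }
    elseif ($Command -match '[wc]script\.exe') { 'EXECUTES on double-click' }
    elseif ($Command -match 'notepad\.exe')    { 'opens in Notepad' }
    else                                       { 'other handler, review manually' }
}

function Get-WshState {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $key  = "${Hive}:\Software\Microsoft\Windows Script Host\Settings"
    $prop = Get-ItemProperty -LiteralPath $key -Name 'Enabled' -ErrorAction SilentlyContinue
    # Comparing the string form treats REG_SZ "0" and a numeric 0 the same way
    if ($null -eq $prop)                { 'Enabled not set (WSH allowed)' }
    elseif ("$($prop.Enabled)" -eq '0') { 'Enabled=0 (WSH disabled)' }
    else                                { "Enabled=$($prop.Enabled) (WSH allowed)" }
}

$progIds | ForEach-Object {
    $cmd = Get-ScriptOpenCommand -ProgId $_
    [pscustomobject]@{ FileType = $_; Verdict = Get-OpenCommandVerdict $cmd; Command = $cmd }
} | Format-Table -AutoSize -Wrap

'HKCU', 'HKLM' | ForEach-Object {
    [pscustomobject]@{ Hive = $_; WindowsScriptHost = Get-WshState -Hive $_ }
} | Format-Table -AutoSize
```

The script needs no elevation because it only reads the registry; any file type still reported as `EXECUTES on double-click` has not had the ftype change applied.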