wscript.exe.....What Is It? Should I Allow it?

[Guest]

[lordpuffer]

I am running Vista Home Premium, SP1, 64 bit.  I have been getting Comodo telling me that wscript.exe wants to modify a Registry Key.  Because Comodo tells me that this is an unsafe application, I kept blocking it ,and checking "remember my answer," however, it still pops up anyway about 5 more times.  I don't have any infection whatsoever (I am sure of that), however, because Comodo tells me it is an unsafe application, I keep denying it.  I Googled it and found that it is a process relating to Microsoft Windows operating system which allows additional functions to scripting.  It also says that you should not disable it.  Did I do something wrong by continuously blocking it?  I cannot find in the Task Manager where it is running.  What should I do?  By blocking it, did I turn the process off?  Could I have harmed my system?  Please advise.  Thanks.

[Matty_R]

Hi lordpuffer,welcome to the forums,

These sound like D+ alerts alerting you to a script modifying the registry,the reason they are being flagged is the potential is there for wscript.exe to be used for malicious purposes allthough in this case it looks like there safe.

Have a look under Defence+/Advanced/Computer Security Policy------>Look down the list until you find wsript.exe then highlight it and select "Remove"/ APPLY
If like you know your computer is clean next time you get the alert you can select allow.

Matty

[lordpuffer]

Hi Matty_R...Thank you very much for the welcome note.....I found wscript.exe and highlighted it and clicked on "Remove" and then on "Apply."  Will that mean that it will try to again in Comodo at some point to modify a Registry Key?  I know that my system is clean, so I would like to to come up in Comodo so that I can allow it.  Thanks so much for the help. (L)

[Ronny]

I would be cautious with wscript.exe though, it's a script engine than can run good or bad script, so if you apply trust to it and later there is a piece of malware abusing a script using wscript.exe CIS won't alert you that wscript is trying to change you registry. I use vista also and i can't remember that there are any alerts related to wscript.

Only the CIS configuration script from the forum here, it's a cfpv3-config.hta file which uses wscript, have you been running something like this ?

[lordpuffer]

I would be cautious with wscript.exe though, it's a script engine than can run good or bad script, so if you apply trust to it and later there is a piece of malware abusing a script using wscript.exe CIS won't alert you that wscript is trying to change you registry. I use vista also and i can't remember that there are any alerts related to wscript.

Only the CIS configuration script from the forum here, it's a cfpv3-config.hta file which uses wscript, have you been running something like this ?

I have not been running that (CIS configuration script)....But as I said, I did Google wscript.exe and it did say that it is a legitimate , although not important part of the OS.....But it did say not to disable it.  I just felt that not allowing it to do what is supposed to do, which seems to be to modify a Registry Key, may cause some problems with the OS.  I don't know why Comodo is showing it as an unsafe application, but I ran 4 different spyware/adware/malware scans (SuperAntiSpyware, Ad-Aware, Spybot and Windows Defender) and found nothing, and Avira Antivir found nothing, so I'm pretty sure that I'm clean.  What do you suggest?  By doing what Matty_R told me above, did I just give it free reign to do whatever it wants to do?  If so, how do I reverse what I did?  Or should I block it again?  To be honest, I'm not sure what the best thing is to do.

[Ronny]

It's not that wscript.exe is the problem, it's the kind of script it executes.
Something like a batch file running a batch file with dir *.* in it won't hurt as one with a del *.* /q /s will.
You can't blame the batch processor for that, it's the one who build the script!

Me personal i have this one always alerting and then if i know i executed something that could have something to do with wscript i'll allow it only then without using the remember option.

[lordpuffer]

Thanks....I'll follow your suggestion and do that....Can you please explain how, after I already followed the above and did what Matty_R posted (no disrespect intended to Matty_R)?

[Ronny]

No prob, open the GUI goto Defense+, Advanced, Computer Security Policy, if you click on that you get a new window with all you "learned" applications in it, look for c:\windows\system32\wscript.exe, select it and press the remove button on the right, now press apply and it should alert you the next time it's trying to run/access files/registry etc.

As i said before, i don't have it prompting on my vista box, so if it comes back we should try to find out why it's running...

[lordpuffer]

No prob, open the GUI goto Defense+, Advanced, Computer Security Policy, if you click on that you get a new window with all you "learned" applications in it, look for c:\windows\system32\wscript.exe, select it and press the remove button on the right, now press apply and it should alert you the next time it's trying to run/access files/registry etc.

As i said before, i don't have it prompting on my vista box, so if it comes back we should try to find out why it's running...

That's what Matty_R instructed me above what to do.....So I guess I did remove it already and it will alert me the next time it tried to run...Thanks

[Matty_R]

Hi lordpuffer,

In this case it may be an idea to have a pen and paper handy for next time the alert pops-up,as the last few times you had it you denied it with no adverse effects it doesn`t seem to effect anything serious so just write down the wording of the alert "wscript.exe is trying to modify the protected registry key ........." then block it but don`t have "remember my answer" ticked,
This will help in finding out why you are getting this alert,

Cheers,
Matty

[lordpuffer]

Hi lordpuffer,

In this case it may be an idea to have a pen and paper handy for next time the alert pops-up,as the last few times you had it you denied it with no adverse effects it doesn`t seem to effect anything serious so just write down the wording of the alert "wscript.exe is trying to modify the protected registry key ........." then block it but don`t have "remember my answer" ticked,
This will help in finding out why you are getting this alert,

Cheers,
Matty

Thanks...I will.  I appreciate the help.

[Tags:]