Securing Scripts with Script Signing

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

Two alternatives exist for creating signed scripts. If you want to develop your own script host, the .NET Framework Software Development Kit (SDK) contains a set of tools for signing scripts: the File Signing Tool (Signcode.exe) and the Certificate Verification Tool (Chktrust.exe). When writing your own script host, call the Win32 API WinVerifyTrust. This API verifies the trust on a .vbs or .js file.

Alternatively, Windows Script Host version 5.6, which ships with Windows Server 2003, includes a signer object for creating and verifying signed scripts. The following JScript® code creates a signed file:

var Signer = new ActiveXObject("Scripting.Signer");
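var File  = "c:\\myfile.vbs";      // script file to sign
var Cert  = "Jane Q. Programmer";  // name of the signing certificate
var Store = "my";                  // certificate store that holds the certificate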
Signer.SignFile(File, Cert, Store);

The following sample, written in Microsoft® Visual Basic®, Scripting Edition (VBScript), verifies the signature on a file:

Dim Signer, File, ShowUI, FileOK
Set Signer = CreateObject("Scripting.Signer")
File = "c:\newfile.wsf"
ShowUI = True   ' True: the Signer may prompt the user when it cannot decide trust on its own
FileOK = Signer.VerifyFile(File, ShowUI)
If FileOK Then
    WScript.Echo File & " is trusted."
Else
    WScript.Echo File & " is NOT trusted."
End If
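
The same Scripting.Signer object can check a whole folder without prompting, which suits a scheduled or pre-deployment check. The following JScript is an added example, not part of the original Microsoft sample; the file name verify-folder.js, the folder argument, and the extension list are assumptions.

```jscript
// Added example: unattended signature check for every script in a folder.
// Assumed usage: cscript //nologo verify-folder.js C:\scripts
var fso    = new ActiveXObject("Scripting.FileSystemObject");
var signer = new ActiveXObject("Scripting.Signer");

// Script types to check (assumption; extend to match your environment).
var SCRIPT_EXT = /^(vbs|js|wsf)$/i;

// Returns an array with the paths of all scripts that failed verification.
function verifyFolder(path) {
    var failed = [];
    var files = new Enumerator(fso.GetFolder(path).Files);
    for (; !files.atEnd(); files.moveNext()) {
        var f = files.item();
        if (!SCRIPT_EXT.test(fso.GetExtensionName(f.Path))) {
            continue;
        }
        var ok = false;
        try {
            // ShowUI = false: never display a dialog; decide trust silently.
            ok = signer.VerifyFile(f.Path, false);
        } catch (e) {
            // Fail closed: if the call raises an error, treat the file as untrusted.
            ok = false;
        }
        WScript.Echo((ok ? "TRUSTED     " : "NOT TRUSTED ") + f.Path);
        if (!ok) {
            failed.push(f.Path);
        }
    }
    return failed;
}

if (WScript.Arguments.length != 1) {
    WScript.Echo("usage: cscript //nologo verify-folder.js <folder>");
    WScript.Quit(2);
}

var failed = verifyFolder(WScript.Arguments(0));
// Exit code 1 when any script is unsigned, tampered with, or untrusted.
WScript.Quit(failed.length ? 1 : 0);
```

The non-zero exit code lets a batch file or scheduled task stop before any script in the folder is run.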

For more information about new code-signing features to protect against malicious scripts, see Windows Script Host: New Code-Signing Features Protect Against Malicious Scripts (https://go.microsoft.com/fwlink/?LinkId=140091).

For more information about using Windows Script Host, see Help and Support Center for Windows Server 2003.