Securing Scripts with Script Signing
Updated: December 2, 2007
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
There are two ways to produce and check signed scripts. If you are developing your own script host, the .NET Framework Software Development Kit (SDK) contains a set of tools for signing scripts: the File Signing Tool (Signcode.exe), which signs a file, and the Certificate Verification Tool (Chktrust.exe), which checks the signature on it. Inside the host itself, call the Win32 API WinVerifyTrust before running a script. This API verifies the signature embedded in a .vbs, .js or .wsf file and lets the host refuse scripts whose signature is missing, damaged or untrusted.
Alternatively, Windows Script Host version 5.6, which ships with Windows Server 2003, includes a Signer object (ProgID Scripting.Signer) for creating and verifying signed scripts. SignFile takes the path of the script, the subject name of a code-signing certificate, and the name of the certificate store that holds it; the signature is appended to the script as a trailing comment block, so the signed file still runs as before. The following JScript® code creates a signed file:

    var Signer = new ActiveXObject("Scripting.Signer");
    var File = "c:\\myfile.vbs";          // script to sign
    var Cert = "Jane Q. Programmer";      // subject name of the code-signing certificate
    var Store = "my";                     // store that holds the certificate (the user's Personal store)
    Signer.SignFile(File, Cert, Store);   // appends the signature block to the file
The following sample, this time in Microsoft® Visual Basic®, Scripting Edition (VBScript), verifies the signature on a file. VerifyFile returns True only if the file carries a valid signature from a trusted certificate; when ShowUI is True, Windows may prompt the user about an untrusted signature, so pass False in unattended scripts so that the result is decided without a dialog:

    Dim Signer, File, ShowUI, FileOK
    Set Signer = CreateObject("Scripting.Signer")
    File = "c:\newfile.wsf"                    ' signed script to check
    ShowUI = True                              ' allow the trust dialog to appear
    FileOK = Signer.VerifyFile(File, ShowUI)   ' True only if the signature is valid and trusted
    If FileOK Then
        WScript.Echo File & " is trusted."
    Else
        WScript.Echo File & " is NOT trusted."
    End If
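The two samples above sign and verify separately; the following JScript is an added example, not code from the original page, that puts both calls together and shows what the signature actually protects. It writes a small constructed script, checks it before signing, signs it, checks it again, then changes the script body and checks a third time, which is the case a practitioner most wants to see: any edit to the signed content must make VerifyFile return False. It assumes the page's own placeholder certificate subject "Jane Q. Programmer" is present in the current user's Personal ("my") store, that the path c:\temp\signcheck-target.vbs (hypothetical) is writable, and that the script is run with cscript.exe so the output goes to the console.

```jscript
// Added example (not from the original page): sign, verify, tamper, re-verify
// with the Scripting.Signer object. Run with:  cscript //nologo signcheck.js
var fso    = new ActiveXObject("Scripting.FileSystemObject");
var signer = new ActiveXObject("Scripting.Signer");

var FILE  = "c:\\temp\\signcheck-target.vbs";  // hypothetical path; must be writable
var CERT  = "Jane Q. Programmer";              // subject name of the code-signing cert (assumed present)
var STORE = "my";                              // CurrentUser\Personal store

// Write a constructed, unsigned target script.
var ts = fso.CreateTextFile(FILE, true);
ts.WriteLine("WScript.Echo \"hello from a signed script\"");
ts.Close();

// Verify without a UI prompt and report the result. VerifyFile returns True only
// when the embedded signature is present, intact and from a trusted certificate.
function report(label) {
    var ok = signer.VerifyFile(FILE, false);
    WScript.Echo(label + ": " + (ok ? "trusted" : "NOT trusted"));
    return ok;
}

// 1. Unsigned file: there is no signature block to verify yet.
report("before signing");

// 2. Sign it. SignFile throws if no certificate with that subject is in the store,
//    so trap the error instead of letting the script die half way.
try {
    signer.SignFile(FILE, CERT, STORE);
} catch (e) {
    WScript.Echo("SignFile failed: " + e.description);
    WScript.Quit(1);
}
report("after signing");

// Show where the signature lives: a trailing comment block the host recognises,
// so the script body itself is unchanged and still executes.
var txt = fso.OpenTextFile(FILE, 1).ReadAll();   // 1 = ForReading
WScript.Echo(/SIG.*Begin signature block/.test(txt)
    ? "signature block appended as a comment"
    : "no signature block found");

// 3. Tamper with the signed content by inserting a line at the top of the body.
//    The signature covers the script text, so the stored hash no longer matches.
ts = fso.CreateTextFile(FILE, true);
ts.Write("WScript.Echo \"injected line\"\r\n" + txt);
ts.Close();
report("after tampering");
```

The point of the third check is that a signature is only useful if the host (or your own verification step) refuses to run a script that fails it: VerifyFile on the tampered file returns False exactly as it does for a file that was never signed, so a script that has been edited after signing is treated as untrusted, not as "mostly signed". Re-run SignFile after any legitimate change.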
For more information about new code-signing features to protect against malicious scripts, see Windows Script Host: New Code-Signing Features Protect Against Malicious Scripts (http://go.microsoft.com/fwlink/?LinkId=140091).
For more information about using Windows Script Host, see Help and Support Center for Windows Server 2003.