Enforcing the Use of Signed Scripts

Microsoft® Windows® 2000 Scripting Guide

To configure security settings for signed and unsigned scripts, modify the TrustPolicy registry value at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy. Valid values for TrustPolicy are:

  • 0. All scripts run without any sort of warning. This is the default setting.

  • 1. Before a script is run, a Security Warning dialog box is displayed showing the security status of the script (signed and verified, signed but not verified, unsigned). The user has the option of running any of these scripts, regardless of their security status. The user can also click a button to view the details of the certificate used to sign the script.

  • 2. Before a script is run, the signature is verified, and a check is made to ensure that the script is coming from a trusted author (someone known to the certification authority). After this verification, the script runs automatically, without giving the user the option to view that signature. If the script is unsigned or the signature cannot be verified, the script will not run, and the user will not be given the option of running the script at their own risk. Instead, the user will receive the following message:

    Execution of the Windows Script Host Failed. (No signature was present in the subject.)
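
The following PowerShell sketch is an added example, not part of the original guide: it reports the current TrustPolicy setting using the meanings listed above and can set it to 2. The function names are hypothetical, and two points are assumptions: that a missing TrustPolicy value means the default of 0, and that the value is stored as a REG_DWORD.

```powershell
# Added example: audit and optionally enforce the WSH TrustPolicy setting.
# The registry path and the meanings of 0/1/2 come from the page above.
# Function names are hypothetical; REG_DWORD is an assumed value type.
$SettingsKey = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'

$Meaning = @{
    0 = 'All scripts run without any warning (default)'
    1 = 'Security Warning dialog shown; user may run any script'
    2 = 'Only scripts with a verified signature from a trusted author run'
}

function Get-WshTrustPolicy {
    # Assumption: an absent value is treated as the documented default, 0.
    $item = Get-ItemProperty -Path $SettingsKey -Name TrustPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.TrustPolicy
}

function Test-WshTrustPolicy {
    param([ValidateRange(0, 2)][int]$Required = 2)
    $current = Get-WshTrustPolicy
    $description = if ($Meaning.ContainsKey($current)) { $Meaning[$current] }
                   else { 'Not one of the documented values (0, 1, 2)' }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        TrustPolicy = $current
        Meaning     = $description
        Compliant   = ($current -eq $Required)
    }
}

function Set-WshTrustPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 2)][int]$Value = 2)
    if ($PSCmdlet.ShouldProcess("$SettingsKey\TrustPolicy", "Set to $Value")) {
        if (-not (Test-Path $SettingsKey)) {
            New-Item -Path $SettingsKey -Force | Out-Null
        }
        New-ItemProperty -Path $SettingsKey -Name TrustPolicy -Value $Value `
            -PropertyType DWord -Force | Out-Null
    }
}

Test-WshTrustPolicy                      # report the current state
# Set-WshTrustPolicy -Value 2 -WhatIf   # preview; drop -WhatIf and run elevated to apply
```

Compliant is False for any setting other than the required one, which by default flags machines where unsigned scripts can still run.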