Restricting the Ability to Run Scripts

Microsoft® Windows® 2000 Scripting Guide

By default, double-clicking a .VBS file will immediately run the script. If you modify the registry, however, you can prevent the script from running immediately; instead, a warning box (complete with a customized message) will be displayed.

This does not prevent the user from running the script; he or she can click Open With, locate Wscript.exe or Cscript.exe, and then run the script. Alternatively, the script can be started from the command line by specifying the script host:

wscript.exe DeleteFiles.vbs
cscript.exe DeleteFiles.vbs

However, this approach does provide an extra layer of protection by giving users the option to cancel a script before it runs. Without this option, a script that is double-clicked will run without warning.

The following batch file can be used to modify the registry and force a warning box to appear whenever a user double-clicks a .VBS file. This batch file:

  1. Uses Reg.exe (found in the Windows 2000 Support Tools) to copy the registry tree HKEY_CLASSES_ROOT\VBSFile\Shell to HKEY_CLASSES_ROOT\VBSFile\bkupShell. Backing up this key rather than deleting it enables you to easily restore standard functionality if necessary.

  2. Deletes HKEY_CLASSES_ROOT\VBSFile\Shell.

  3. Adds a new entry (NoOpen) to HKEY_CLASSES_ROOT\VBSFile, and sets the value of the entry to the desired warning message. In this sample script, the message - which is limited to 140 characters - is "Do not run this file unless it has been approved by Information Services."

rem Back up the Shell key so that standard behavior can be restored later.
reg copy HKCR\VBSFile\Shell HKCR\VBSFile\bkupShell /s /f
rem Remove the Shell key so that double-clicking no longer runs the script.
reg delete HKCR\VBSFile\Shell /f
rem Add the NoOpen entry that holds the warning message (one line, in quotes).
reg add HKCR\VBSFile /v NoOpen /t REG_SZ /d "Do not run this file unless it has been approved by Information Services."

To restore standard functionality, use this batch file:

rem Copy the saved Shell key back into place.
reg copy HKCR\VBSFile\bkupShell HKCR\VBSFile\Shell /s /f
rem Remove the backup copy and the NoOpen warning entry.
reg delete HKCR\VBSFile\bkupShell /f
reg delete HKCR\VBSFile /v NoOpen /f

Similar steps can be undertaken to restrict the use of other scripting file types, including .VBE, .JS, .JSE, and .WSF files.

Important

  • Configuring scripts to display a message box when started could create problems with logon or logoff scripts. Rather than running each time a user logs on, your logon script will display the message box. To work around this problem, call the logon script from a batch file instead.