How to Disable Windows Script Host to Stop Script-Based Malware

Disabling WSH can block VBS and JS malware on systems that do not need it, and Kudu can help review safe hardening steps.

By the Kudu Team

Fix this automatically with Kudu

Run a free system scan to detect and resolve this issue automatically — no manual steps required.

Download Kudu Free →

What Causes This?

Windows Script Host (WSH) runs .vbs, .js, and other script files outside the browser. Attackers often abuse it to launch script-based malware from email attachments, downloads, ZIP files, or startup tasks. If you do not use legacy admin scripts or logon scripts, leaving WSH enabled gives malware one more built-in tool it can use.

Common Symptoms

  • Double-clicking a .vbs or .js file opens a script or error window
  • Suspicious script files appear in Downloads, Temp, Startup, or email attachment folders
  • Antivirus alerts mention wscript.exe, cscript.exe, VBS, or JavaScript malware
  • Pop-ups, fake error messages, or unwanted programs start after opening an attachment
  • Scheduled tasks or startup entries keep relaunching script files

How to Fix It Manually

  1. Confirm you do not need Windows Script Host

    • WSH is mainly used for older admin scripts, logon scripts, and some legacy business apps.
    • If your PC is managed by work or school, check with IT before disabling it.
  2. Disable WSH in Registry Editor

    • Press Win + R, type regedit, and press Enter.
    • If User Account Control appears, click Yes.
    • Go to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
    • If the Settings key does not exist:
      • Right-click Windows Script Host
      • Select New > Key
      • Name it Settings
    • In the right pane, right-click an empty area and choose New > DWORD (32-bit) Value.
    • Name it Enabled
    • Double-click Enabled and set Value data to 0.
    • Click OK.
  3. Also disable it for the current user

    • In Registry Editor, go to: HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
    • If Settings is missing, create it the same way.
    • Create a DWORD (32-bit) Value named Enabled.
    • Set its value to 0.
    • This helps block scripts even if only the current user profile is affected.
  4. Restart the PC

    • Save your work and restart Windows.
    • This makes sure any running script host processes are closed and the setting is applied cleanly.
  5. Test that WSH is disabled

    • Press Win + R, type cmd, and press Enter.
    • In Command Prompt, run: wscript
    • If WSH is disabled, Windows should show a message that access is disabled on this machine.
  6. Remove suspicious script files and startup triggers

    • Open Task Manager with Ctrl + Shift + Esc, then check the Startup apps tab for unknown entries.
    • Press Win + R, type shell:startup, and press Enter. Delete suspicious shortcuts or script files you do not recognize.
    • Open Task Scheduler by searching for it in Start, then review Task Scheduler Library for tasks launching wscript.exe, cscript.exe, .vbs, or .js files.
    • Run a full scan with Microsoft Defender: open Windows Security > Virus & threat protection > Scan options > Full scan.
  7. Re-enable WSH only if needed

    • If a legitimate app breaks, go back to the same registry locations and change Enabled to 1, or delete the Enabled value.
    • Restart the PC again after making the change.
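
Steps 2 and 3, plus the review part of step 6, can also be scripted. The PowerShell below is an added example, not part of the original guide and not Kudu's own code; it assumes an elevated PowerShell session with the ScheduledTasks module (Windows 8 or later), and it only lists items for review without deleting anything.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): scripts steps 2-3 and the review in step 6.
# Caveat: HKCU is the hive of the account running this session. If you elevated with a
# different admin account, set the HKCU value again from the everyday user's session.
$settingsKeys = @(
    'HKLM:\Software\Microsoft\Windows Script Host\Settings',
    'HKCU:\Software\Microsoft\Windows Script Host\Settings'
)

foreach ($key in $settingsKeys) {
    # Create the Settings key if it is missing, as in the manual steps.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # -Force overwrites an existing Enabled value so it ends up as DWORD 0.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null

    # Read the value back to confirm what is actually stored.
    $stored = (Get-ItemProperty -Path $key -Name 'Enabled').Enabled
    '{0}: Enabled = {1}' -f $key, $stored
}

# Step 6 review: list (do not delete) scheduled tasks whose action mentions the script
# hosts or the script extensions named in this guide. \b keeps ".json" from matching ".js".
$scriptPattern = 'wscript|cscript|\.(vbs|js)\b'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute/Arguments; they yield an empty string here.
        $commandLine = '{0} {1}' -f $action.Execute, $action.Arguments
        if ($commandLine -match $scriptPattern) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Command = $commandLine.Trim()
            }
        }
    }
} | Format-Table -AutoSize -Wrap | Out-String

# Step 6 review: script files and shortcuts in the per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.vbs', '.js', '.lnk' } |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize | Out-String
```

After it runs, restart and repeat the step 5 check to confirm that wscript reports access as disabled.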

Fix It Automatically with Kudu

Kudu can review Windows hardening settings, flag risky script-related startup items, and help apply safe fixes without digging through the registry yourself. It is a faster way to lock down common abuse points while also checking for other performance and security problems that often come with malware.
