标题: 将.js、.vbs等脚本文件的双击执行变成用记事本打开(针对某些勒索软件的预防措施) https://scz.617.cn/windows/201603241150.txt 某些勒索软件不直接使用.exe,而是发一个.zip之类的压缩过的邮件附件,压缩包中 有.js文件。受害者双击.js后就会中招。我做个好人好事,下面是预防措施。 将.js、.vbs等脚本文件的双击执行变成用记事本打开,预防某些出现在压缩包里的 此类文件被误执行。此类文件可以认为等同于.exe可执行程序。 在高权限的cmd里copy/paste执行下列6条命令,执行一次即可: ftype JSFile=C:\Windows\System32\Notepad.exe %1 ftype JSEFile=C:\Windows\System32\Notepad.exe %1 ftype VBSFile=C:\Windows\System32\Notepad.exe %1 ftype VBEFile=C:\Windows\System32\Notepad.exe %1 ftype WSFFile=C:\Windows\System32\Notepad.exe %1 ftype WSHFile=C:\Windows\System32\Notepad.exe %1 恢复默认设置: ftype JSFile=C:\Windows\System32\WScript.exe "%1" %* ftype JSEFile=C:\Windows\System32\WScript.exe "%1" %* ftype VBSFile="%SystemRoot%\System32\WScript.exe" "%1" %* ftype VBEFile="%SystemRoot%\System32\WScript.exe" "%1" %* ftype WSFFile="%SystemRoot%\System32\WScript.exe" "%1" %* ftype WSHFile="%SystemRoot%\System32\WScript.exe" "%1" %* Q: 如何禁止wscript.exe被执行? A: scz icacls.exe wscript.exe /reset icacls.exe wscript.exe /deny Everyone:(RX) icacls.exe wscript.exe 另有注册表项可以彻底禁用wscript。 DisableWscript.inf -------------------------------------------------------------------------- [Version] Signature = "$Windows NT$" [DefaultInstall] AddReg = DefaultInstall.AddReg [DefaultInstall.AddReg] HKCU,"Software\Microsoft\Windows Script Host\Settings","Enabled",%FLG_ADDREG_TYPE_SZ%,"0" HKLM,"SOFTWARE\Microsoft\Windows Script Host\Settings","Enabled",%FLG_ADDREG_TYPE_SZ%,"0" [Strings] FLG_ADDREG_TYPE_SZ = 0x00000000 -------------------------------------------------------------------------- EnableWscript.inf -------------------------------------------------------------------------- [Version] Signature = "$Windows NT$" [DefaultInstall] DelReg = DefaultInstall.DelReg [DefaultInstall.DelReg] HKCU,"Software\Microsoft\Windows Script Host\Settings","Enabled" HKLM,"SOFTWARE\Microsoft\Windows Script Host\Settings","Enabled" -------------------------------------------------------------------------- 鼠标右键选中.inf文件,点击"安装"即可。可以在cmd.exe中执行: rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 .\DisableWscript.inf rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 .\EnableWscript.inf DisableWscript.reg -------------------------------------------------------------------------- Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings] "Enabled"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings] "Enabled"="0" -------------------------------------------------------------------------- 可以在cmd.exe中执行: reg.exe add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_SZ /d 0 /f reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_SZ /d 0 /f EnableWscript.reg -------------------------------------------------------------------------- Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings] "Enabled"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings] "Enabled"=- -------------------------------------------------------------------------- 可以在cmd.exe中执行: reg.exe delete "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /f reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /f