3

All the computers in our company are configured with a custom protocol that runs a vbs script, so when you click on a link with that user protocol, the vbs script starts and performs operations that interact with the file system and applications otherwise inaccessible to the browser.

This is the .reg file used to register the protocol:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\<name>]
"URL Protocol"=""
@="Url:<Description>"
"UseOriginalUrlEncoding"=dword:00000001

[HKEY_CLASSES_ROOT\<name>\DefaultIcon]
@="C:\\Windows\\System32\\WScript.exe"

[HKEY_CLASSES_ROOT\<name>\shell]

[HKEY_CLASSES_ROOT\<name>\shell\open]

[HKEY_CLASSES_ROOT\<name>\shell\open\command]
@="C:\\Windows\\System32\\WScript.exe \"C:\\Program Files\\<name>.vbs\" \"%1\""

The script has worked beautifully since 2014 without problems on ~50 computers.

Last week one user complained that it stopped working. I found out that WScript.exe doesn't work anymore, so I copied it creating WScript2.exe, modified the custom protocol to run WScript2.exe and it restarted working.

This morning also my computer didn't listen to the clicks on my custom protocol. I made a copy of WScript.exe to WScript2.exe and it restarted working.

I am expecting my phone to start ringing soon.

Why did WScript.exe stop listening to the custom protocol?

Why its identical copy still works?

EDIT (answers to comments)

Perhaps if I knew how to better describe "it stopped working" then I would know how to fix it :)

I don't know if it stopped working because of a Microsoft update, an anti-virus update or a change on the IT infrastructure/configuration. Here is a quick summary of what led me to the workaround:

  • I compared my custom protocol to a working one, I picked mailto as a reference
  • I noticed that changing the last line of the .reg file (see above) it would work with any other executable, but it wouldn't work with wscript.exe
  • I compared the execution of wscript.exe on the affected computers to its execution on computers (not yet) affected and there is no difference
    • A double click shows the same Windows Script Host Settings dialog
    • The execution from a command prompt with the same arguments used by the custom protocol works as expected
  • The custom protocol passes the correct arguments when executing another executable
  • At this point I thought that Windows blacklisted wscript.exe and I started searching for an alternative
  • I tried to rename wscript.exe to wscript2.exe but I couldn't because I don't have TrustedInstaller permission
  • I made a copy instead of renaming it
  • I tested the copy from the command prompt and it was working like the original
  • I tested the copy from the custom protocol and it was working like the original once did

EDIT 2 (more answers to comments)

All the computers have Windows 10 Pro.

Clicking on Settings - Updates & Security - View update history it says Feature update to Windows 10, version 1803 Succesfully installed on 5/22/2018. Clicking on Show what's new in this update shows nothing useful.

EDIT 3

Doesn't work = no symptoms, nothing happens, nothing is executed, nothing is logged (as far as I know).

I tried with a simple vbscript with a single line MsgBox "Hello". It works running it from the command line, but it doesn't work from the custom protocol. The task manager doesn't show anything popping up, but I don't know if it doesn't show it because the lifespan is too short to show or because it doesn't execute. The same script works with wscript2.exe.

My feeling is that something (Windows, anti-virus, ...) is blacklisting the custom protocol + wscript.exe thing, but not the custom protocol + any other executable or any other environment + wscript.exe. That's why I tried to copy wscript.exe to wscript2.exe. And I was pleasantly surprised to find out that it works.

stenci
  • 8,290
  • 14
  • 64
  • 104
  • 2
    " it stopped working. I found out that WScript.exe doesn't work anymore". What does "doesn't work" mean? Do you get an error? What made you think that a copy of the file would work instead of the original? Are there any error messages? What happens when you type `wscript /?` at a command prompt? It would appear that _something_ has changed here. Maybe it's not in the anti virus whitellist anymore. – Nick.Mc May 28 '18 at 02:01
  • From the code point of view, renaming `wscript` to `wscript2` shouldn't change anything. So, there's some extenal reason why it "stopped working" (whatever than means, you didn't explain), that you didn't tell us. As such, it's impossible to answer the question as it is because the answer is something unrelated to what you have written. – ivan_pozdeev May 28 '18 at 02:12
  • You should OS details and what updates got installed on those OSes recently when it stopped working – Tarun Lalwani May 29 '18 at 16:30
  • _Perhaps if I knew how to better describe "it stopped working" then I would know how to fix it :)_ Yes that is completely the key to solving any problem. But.....after that huge edit, you again did not explain "not working"!!. When you click the link and it "doesn't work", what happens? Nothing? Usually something happens. Have you checked the windows event log? Are there any wscript processes in task manager? – Nick.Mc May 30 '18 at 09:40
  • Sounds to me as if you (or Microsoft) have installed another program called wscript.exe which is being picked up by mistake. – MandyShaw Jun 03 '18 at 16:43
  • That would not explain why its copy works. The same exe works if I call it `wscript2.exe`, doesn't with the original `wscript.exe`. Since I posted this the problem spread to 3 more computers. – stenci Jun 03 '18 at 16:50
  • @stenci - I have the same feeling as you that possibly the anti-virus product used in your company is blocking wscript.exe. It sounds to me this wscript.exe is still working on some of the computers? I would check the following: 1. check the anti-virus software deployed if wscript.exe is blocked/quarantined on the non-working stations. 2. compare the registry of all wscript.exe related entries on working and non-working stations. – runwuf Jun 03 '18 at 21:13

0 Answers0