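; **************************************************************************************
; REMVBS.KIX
; v1.1
; rpuckett@cisco.com
;
; Replaces the command interpreter values for jsefile, jsfile,
; vbefile, vbsfile, wsffile, wshfile types under HKCR with the
; one from txtfile (NOTEPAD). In this way the file extensions
; are opened in NOTEPAD and not with the WSCRIPT or CSCRIPT .EXEs
; The script also creates a .INI that stores the previous values
; before overwriting them (for restore purposes)
;
; **************************************************************************************
; WARNING: Disabling these extensions appears to break some functionality in Kix32.
;          In testing with Windows 2000, disabling these extensions causes Kix32
;          to no longer display Messageboxes (this testing has not gone beyond my
;          box, so I am only giving you information on a single test run and this
;          should not be taken as gospel).
;
; **************************************************************************************
; SCOPE:   Only the shell\open\command and shell\open2\command values of the six
;          file classes listed above are rewritten. Nothing in this script stops
;          WScript.exe or CScript.exe from being started directly with a script
;          path, so treat it as a mitigation for "double-click to run" only.
;
; TRUST:   In re-enable mode the command lines come from the backup .INI. A value
;          is only written back if it still names the expected script host;
;          otherwise the per-OS default below is used.
; **************************************************************************************

; THIS VALUE DETERMINES WHETHER OR NOT THE USER IS QUERIED
; FOR EACH CHANGE VIA A MESSAGE BOX. CAN BE USED WITH AN
; INGROUP CALL OR OTHER COMPARISON CALLS
$QUERYUSR = 1

; 0 - DISABLE
; 1 - RE-ENABLE (NOTE: IF NO BACKUP FILE EXISTS, DEFAULT VALUES
;     ARE ASSUMED (SEE BELOW)
$SWITCH = 1

; LOCATION TO STORE BACKUP FILE
$LOGPATH = @LANROOT + "\VBSBACK.INI"

IF $SWITCH = 1
    ; OPERATING SYSTEM TYPES AND DEFAULT REG VALUES IF THEY ARE
    ; NOT FOUND IN THE BACKUP .INI FILE (OR A FILE DOES NOT EXIST)
    ;
    ; NOTE(review): the Windows 95/98 defaults carry a literal backslash in
    ; front of each quote; confirm they match the stock registry value
    ; before relying on this fallback.
    SELECT
        ; WINDOWS 95
        CASE((@INWIN = 2) AND (@DOS = 4.0))
            $WSCRIPT = 'C:\WINDOWS\WScript.exe \"%1\" %*'
            $CSCRIPT = 'C:\WINDOWS\COMMAND\CScript.exe \"%1\" %*'

        ; WINDOWS 98
        CASE((@INWIN = 2) AND (@DOS >= 4.10))
            $WSCRIPT = 'C:\WINDOWS\WScript.exe \"%1\" %*'
            $CSCRIPT = 'C:\WINDOWS\COMMAND\CScript.exe \"%1\" %*'

        ; WINDOWS 2000
        CASE((@INWIN = 1) AND (@DOS = 5.0))
            $WSCRIPT = '%SystemRoot%\System32\WScript.exe "%1" %*'
            $CSCRIPT = '%SystemRoot%\System32\CScript.exe "%1" %*'

        ; WINDOWS NT 4.0
        CASE((@INWIN = 1) AND (@DOS = 4.0))
            $WSCRIPT = '%SystemRoot%\System32\WScript.exe "%1" %*'
            $CSCRIPT = '%SystemRoot%\System32\CScript.exe "%1" %*'

        ; UNKNOWN OS: NO SAFE DEFAULT EXISTS, SO STOP BEFORE TOUCHING THE REGISTRY
        CASE 1
            ? "Unable to determine the OS type installed on @WKSTA"
            CLS
            EXIT
    ENDSELECT
ENDIF

; READ THE TXTFILE OPEN COMMAND; THIS IS THE VALUE THAT REPLACES THE
; SCRIPT HOST COMMAND WHEN DISABLING
$REGKEY = "HKEY_CLASSES_ROOT\TXTFile\shell\open\command"
$TXTREG = ""
$CHKKEY = EXISTKEY($REGKEY)
IF $CHKKEY = 0
    $TXTREG = READVALUE($REGKEY, "")
    IF @ERROR = 0
        $WRITE = WRITEPROFILESTRING($LOGPATH, "TEXT", "TXT(1)", $TXTREG)
    ELSE
        GOTO END
    ENDIF
ENDIF

; WITHOUT A TXTFILE COMMAND, DISABLING WOULD WRITE AN EMPTY COMMAND LINE
; INTO EVERY ASSOCIATION, SO STOP BEFORE ANY CHANGE IS MADE
IF ($SWITCH = 0) AND ($TXTREG = "")
    ? "Unable to read the TXTFile open command on @WKSTA, no changes were made"
    GOTO END
ENDIF

; EACH STANZA BELOW DESCRIBES ONE ASSOCIATION AND HANDS IT TO CHECKKEY,
; WHICH JUMPS TO THE LABEL HELD IN $NEXT WHEN IT IS DONE
:CHKREG1
$DSCRIPTN = ".JSE (OPEN)"
$STORE    = "JSE(1)"
$REGKEY   = "HKEY_CLASSES_ROOT\JSEFile\shell\open\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "WSCRIPT"
$NEXT     = CHKREG2
GOTO CHECKKEY

:CHKREG2
$DSCRIPTN = ".JSE (OPEN2)"
$STORE    = "JSE(2)"
$REGKEY   = "HKEY_CLASSES_ROOT\JSEFile\shell\open2\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "CSCRIPT"
$NEXT     = CHKREG3
GOTO CHECKKEY

:CHKREG3
$DSCRIPTN = ".JS (OPEN)"
$STORE    = "JSF(1)"
$REGKEY   = "HKEY_CLASSES_ROOT\JSFile\shell\open\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "WSCRIPT"
$NEXT     = CHKREG4
GOTO CHECKKEY

:CHKREG4
$DSCRIPTN = ".JS (OPEN2)"
$STORE    = "JSF(2)"
$REGKEY   = "HKEY_CLASSES_ROOT\JSFile\shell\open2\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "CSCRIPT"
$NEXT     = CHKREG5
GOTO CHECKKEY

:CHKREG5
$DSCRIPTN = ".VBE (OPEN)"
$STORE    = "VBE(1)"
$REGKEY   = "HKEY_CLASSES_ROOT\VBEFile\shell\open\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "WSCRIPT"
$NEXT     = CHKREG6
GOTO CHECKKEY

:CHKREG6
$DSCRIPTN = ".VBE (OPEN2)"
$STORE    = "VBE(2)"
$REGKEY   = "HKEY_CLASSES_ROOT\VBEFile\shell\open2\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "CSCRIPT"
$NEXT     = CHKREG7
GOTO CHECKKEY

:CHKREG7
$DSCRIPTN = ".VBS (OPEN)"
$STORE    = "VBS(1)"
$REGKEY   = "HKEY_CLASSES_ROOT\VBSFile\shell\open\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "WSCRIPT"
$NEXT     = CHKREG8
GOTO CHECKKEY

:CHKREG8
$DSCRIPTN = ".VBS (OPEN2)"
$STORE    = "VBS(2)"
$REGKEY   = "HKEY_CLASSES_ROOT\VBSFile\shell\open2\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "CSCRIPT"
$NEXT     = CHKREG9
GOTO CHECKKEY

:CHKREG9
$DSCRIPTN = ".WSF (OPEN)"
$STORE    = "WSF(1)"
$REGKEY   = "HKEY_CLASSES_ROOT\WSFFile\shell\open\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "WSCRIPT"
$NEXT     = CHKREG10
GOTO CHECKKEY

:CHKREG10
$DSCRIPTN = ".WSF (OPEN2)"
$STORE    = "WSF(2)"
$REGKEY   = "HKEY_CLASSES_ROOT\WSFFile\shell\open2\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "CSCRIPT"
$NEXT     = CHKREG11
GOTO CHECKKEY

:CHKREG11
$DSCRIPTN = ".WSH (OPEN)"
$STORE    = "WSH(1)"
$REGKEY   = "HKEY_CLASSES_ROOT\WSHFile\shell\open\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "WSCRIPT"
$NEXT     = CHKREG12
GOTO CHECKKEY

:CHKREG12
$DSCRIPTN = ".WSH (OPEN2)"
$STORE    = "WSH(2)"
$REGKEY   = "HKEY_CLASSES_ROOT\WSHFile\shell\open2\command"
$REGVALUE = ""
$REGTYPE  = "REG_EXPAND_SZ"
$DISABLE  = "NOTEPAD"
$ENABLE   = "CSCRIPT"
$NEXT     = END
GOTO CHECKKEY

; --------------------------------------------------------------------------------------
; CHECKKEY: SHARED WORKER FOR ONE ASSOCIATION
;   IN:  $DSCRIPTN (display name), $STORE (.INI key), $REGKEY / $REGVALUE / $REGTYPE
;        (registry target), $DISABLE / $ENABLE (substrings that identify the
;        disabled / enabled command), $NEXT (label to continue at)
;   EVERY PATH LEAVES THROUGH "GOTO $NEXT" SO THAT ONE UNREADABLE OR UNRECOGNIZED
;   ASSOCIATION NEVER STOPS THE REMAINING ONES FROM BEING PROCESSED
; --------------------------------------------------------------------------------------
:CHECKKEY
; RESET VALUE TO NOTHING AS IT IS REUSED
$RESTORE = ""
IF $SWITCH = 0
    $GOOD = $DISABLE
    $BAD  = $ENABLE
ELSE
    $GOOD = $ENABLE
    $BAD  = $DISABLE
    $RESTORE = READPROFILESTRING($LOGPATH, "DISABLED", $STORE)
    $RDERR = @ERROR
    ; A BACKUP ENTRY IS ONLY EVER WRITTEN FOR A COMMAND THAT NAMED THE SCRIPT
    ; HOST IN $ENABLE, SO ANYTHING ELSE (MISSING, EMPTY OR EDITED) IS NOT
    ; WRITTEN BACK INTO THE ASSOCIATION. THIS IS A SUBSTRING CHECK ONLY.
    IF ($RDERR <> 0) OR (INSTR($RESTORE, $ENABLE) = 0)
        IF ($RDERR = 0) AND ($RESTORE <> "")
            ? $DSCRIPTN + " backup value in " + $LOGPATH + " does not reference " + $ENABLE + ", using the OS default instead"
        ENDIF
        ; NO USABLE VALUE EXISTS, USE THE DEFAULT VALUE ASSIGNED BASED ON
        ; THE VALUE TYPE \OPEN\ OR \OPEN2\: \OPEN\ PRESENT MEANS THE WSCRIPT
        ; VERB, OTHERWISE IT IS THE \OPEN2\ (CSCRIPT) VERB.
        ; NOTE(review): relies on INSTR ignoring case, the keys spell it
        ; \open\ - confirm for the Kix32 version in use.
        IF INSTR($REGKEY, "\OPEN\") <> 0
            $RESTORE = $WSCRIPT
        ELSE
            $RESTORE = $CSCRIPT
        ENDIF
    ENDIF
ENDIF

$CHKKEY = EXISTKEY($REGKEY)
IF $CHKKEY <> 0
    ? $DSCRIPTN + " File Extensions do not appear to be installed on this system"
    GOTO $NEXT
ENDIF

$READREG = READVALUE($REGKEY, $REGVALUE)
$RC = @ERROR
IF $RC <> 0
    ? "Unable to read the value for " + $REGKEY + ", Error: " + $RC
    GOTO $NEXT
ENDIF

; ALREADY IN THE REQUESTED STATE
IF INSTR($READREG, $GOOD) <> 0
    IF $SWITCH = 0
        ? $DSCRIPTN + " File Associations are already disabled"
    ELSE
        ? $DSCRIPTN + " File Associations are already enabled"
    ENDIF
    GOTO $NEXT
ENDIF

; NEITHER THE ENABLED NOR THE DISABLED COMMAND: LEAVE IT ALONE BUT SAY SO,
; AND KEEP GOING WITH THE REMAINING ASSOCIATIONS
IF INSTR($READREG, $BAD) = 0
    ? $DSCRIPTN + " File Associations use an unrecognized command and were left unchanged"
    GOTO $NEXT
ENDIF

IF $QUERYUSR = 1
    IF $SWITCH = 0
        $DISPLAYBOX = MESSAGEBOX("REGCHK had found that you currently have " + $DSCRIPTN + " File Extensions enabled on this system."
            + CHR(10) + CHR(13) + "These associations are exploitable by viruses and trojans such as the ILOVEYOU virus,"
            + CHR(10) + CHR(13) + "altering these registry values will remove the ability for viruses that use the VB scripting"
            + CHR(10) + CHR(13) + " engine to run and will instead expose them in NOTEPAD."
            + CHR(10) + CHR(13) + CHR(10) + CHR(13) + " Do you wish to disable " + $DSCRIPTN + " File Extensions?",
            $DSCRIPTN + " File Extensions detected!", 4116)
    ELSE
        $DISPLAYBOX = MESSAGEBOX("REGCHK had found that you currently have " + $DSCRIPTN + " File Extensions disabled on this system."
            + CHR(10) + CHR(13) + "These associations are exploitable by viruses and trojans such as the ILOVEYOU virus,"
            + CHR(10) + CHR(13) + "altering these registry values will re-enable the ability for viruses that use the VB scripting"
            + CHR(10) + CHR(13) + " engine to run."
            + CHR(10) + CHR(13) + CHR(10) + CHR(13) + " Do you wish to re-enable " + $DSCRIPTN + " File Extensions?",
            $DSCRIPTN + " File Extensions detected!", 4116)
    ENDIF

    ; ONLY AN EXPLICIT "YES" (6) AUTHORIZES THE CHANGE. "NO" (7) SKIPS QUIETLY;
    ; ANY OTHER RESULT (FOR EXAMPLE A MESSAGE BOX THAT COULD NOT BE SHOWN, SEE
    ; THE WARNING AT THE TOP) IS REPORTED AND ALSO SKIPPED.
    IF $DISPLAYBOX <> 6
        IF $DISPLAYBOX <> 7
            ? $DSCRIPTN + " prompt did not return Yes or No, no change was made (set $$QUERYUSR = 0 to run unattended)"
        ENDIF
        GOTO $NEXT
    ENDIF
ENDIF

IF $SWITCH = 0
    ; SAVE THE CURRENT COMMAND BEFORE IT IS OVERWRITTEN
    $WRITE = WRITEPROFILESTRING($LOGPATH, "DISABLED", $STORE, $READREG)
    IF $WRITE <> 0
        ? "Warning: unable to back up " + $DSCRIPTN + " to " + $LOGPATH + ", restore will fall back to the OS default"
    ENDIF
    $ADDREG = WRITEVALUE($REGKEY, $REGVALUE, $TXTREG, $REGTYPE)
ELSE
    $ADDREG = WRITEVALUE($REGKEY, $REGVALUE, $RESTORE, $REGTYPE)
ENDIF
$RC = @ERROR

IF $ADDREG = 0
    ? "Successfully changed the value for " + $REGKEY
ELSE
    ? "Unable to change the value for " + $REGKEY + ", Error: " + $RC
ENDIF
GOTO $NEXT

:END
;GET $R
CLS
EXIT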