Unknown process calling Windows 11 wscript.exe


orestgogosha

New member
Local time
1:21 AM
Posts
13
OS
Windows 11
Some process calls wscript.exe (Windows Script Host) every 2 minutes. I disabled Script host but still have a dialog pop up every 2 minutes saying it is disabled. How can I find what this process is so I can delete it?
 
Windows Build/Version
Windows 11 OS Build 22631.3155

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
Well I would want to understand if it's a legitimate process or not, there is a possibility it is. Regardless of that fact, procmon should be able to help you determine the calling process
 

My Computer

System One

  • OS
    Windows 11
Some process calls wscript.exe (Windows Script Host) every 2 minutes. I disabled Script host but still have a dialog pop up every 2 minutes saying it is disabled. How can I find what this process is so I can delete it?
HI!
wscript is part of Windows but, it can also be part of a replicating trojan so, run scans
with either of these online scanners or both and if you don't have Malwarebytes, you
can download their free scanner. If you can, manually create a new Restore Point before
running these scans.Hopefully, someone from this forum will assist:
 

My Computers

System One System Two

  • OS
    windows 11 22631.3447
    Computer type
    Laptop
    Manufacturer/Model
    MSI Raider GE76
    CPU
    Core i9 12th gen 12900HK 2.9 MHz
    Motherboard
    MSI
    Memory
    32 Gigs DDR5-4800
    Graphics Card(s)
    nVidia RTX 3070 Ti / 8 Gigs DDR6
    Sound Card
    DYNAUDIO - Klipsch 2.1 THX - Sound Effects by Nahimic 3
    Monitor(s) Displays
    17.3" 1920 x 1080 360 Hz 3 ms, IPS / Connected to MSI 32 inch curved @ 165 Hz
    Screen Resolution
    1920 x 1080 / Both
    Hard Drives
    Samsung 990 Pro 2TB (OS) - Solidigm P41 2TB (Storage)
    PSU
    280 watts
    Case
    MSI GE series
    Cooling
    internal
    Keyboard
    Steelseries
    Mouse
    G903 Lightspeed
    Internet Speed
    1000 Mbps
    Browser
    Firefox / Opera GX- Do not like Edge
    Antivirus
    Malwarebytes'
    Other Info
    just ask.
  • Operating System
    Windows 10 22H2
    Computer type
    Laptop
    Manufacturer/Model
    MSI GT73 7RE VR Titan
    CPU
    Intel Core i7 7820HK 2.9 Ghz
    Motherboard
    MSI
    Memory
    16 Gigs DDR4 2400 Mhz
    Graphics card(s)
    nVidia 1070 8GB RAM
    Sound Card
    DYNAUDIO / Nahimic 2
    Monitor(s) Displays
    IPS / 120HZ
    Screen Resolution
    1920x1080P
    Hard Drives
    Samsung NVME EVO 970 1TB / Samsung SSD (SATA) 1TB
    PSU
    240 watts
    Case
    MSI
    Cooling
    Internal
    Mouse
    Logitech G903 Lightspeed
    Keyboard
    Steelseries
    Internet Speed
    1 Gb/s
    Browser
    Firefox / Vivaldi
    Antivirus
    MalwareBytes'
    Other Info
    none.

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
I downloaded WinSpy++ and followed your instructions. The process tab does not show the command line and I couldn't find any way to do it.WinSpy.png
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
I have downloaded ProcessMonitor and run it but have no idea what to look for in the output.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
I downloaded WinSpy++
I know nothing about WinSpy++
WinSpy, however, successfully identified the vbs command line for me as shown in my example.

You haven't posted a diagram yet.


Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
I have scanned my computer with 3 anti-virus tools (TotalAV, Avast, and Malwarebytes) with negative results.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
It's no use investigated the msg that WScript has been disabled. You'll need to re-enable it so that you can investigate the source of the popup you first reported.
You haven't posted a diagram yet.


Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
I have downloaded ProcessMonitor and run it but have no idea what to look for in the output.
You can add a filter for 'Command Line' that includes wscript and add the column for Parent PID. The parent PID will be your calling process.
 

My Computer

System One

  • OS
    Windows 11
Dialog_Disabled.pngDialog_Enabled.png
app.js could be anything. It's not on my PC (the problem child) nor on my laptop. I assume it was malware that was deleted during the numerous scans I performed.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
View attachment 88019View attachment 88020
app.js could be anything. It's not on my PC (the problem child) nor on my laptop. I assume it was malware that was deleted during the numerous scans I performed.
The extension .js is a java file which, if you were building a web page would be used to this effect.
This is from a web designer:

So basically the app.js is where the logic of the app is written,
index.html is the content page.

app.js is taking the inputs from index.html, and processing the information in app.js, and providing an output to show in the index.html.
if you check the index.html you can see there's a script:
<script src="/app.js"></script>

Have you surfed to a web site that you don't normally would?
This might be from an infected site or could just be benign, I don't
know. Did you verify the logs of the scans you took?
 

My Computers

System One System Two

  • OS
    windows 11 22631.3447
    Computer type
    Laptop
    Manufacturer/Model
    MSI Raider GE76
    CPU
    Core i9 12th gen 12900HK 2.9 MHz
    Motherboard
    MSI
    Memory
    32 Gigs DDR5-4800
    Graphics Card(s)
    nVidia RTX 3070 Ti / 8 Gigs DDR6
    Sound Card
    DYNAUDIO - Klipsch 2.1 THX - Sound Effects by Nahimic 3
    Monitor(s) Displays
    17.3" 1920 x 1080 360 Hz 3 ms, IPS / Connected to MSI 32 inch curved @ 165 Hz
    Screen Resolution
    1920 x 1080 / Both
    Hard Drives
    Samsung 990 Pro 2TB (OS) - Solidigm P41 2TB (Storage)
    PSU
    280 watts
    Case
    MSI GE series
    Cooling
    internal
    Keyboard
    Steelseries
    Mouse
    G903 Lightspeed
    Internet Speed
    1000 Mbps
    Browser
    Firefox / Opera GX- Do not like Edge
    Antivirus
    Malwarebytes'
    Other Info
    just ask.
  • Operating System
    Windows 10 22H2
    Computer type
    Laptop
    Manufacturer/Model
    MSI GT73 7RE VR Titan
    CPU
    Intel Core i7 7820HK 2.9 Ghz
    Motherboard
    MSI
    Memory
    16 Gigs DDR4 2400 Mhz
    Graphics card(s)
    nVidia 1070 8GB RAM
    Sound Card
    DYNAUDIO / Nahimic 2
    Monitor(s) Displays
    IPS / 120HZ
    Screen Resolution
    1920x1080P
    Hard Drives
    Samsung NVME EVO 970 1TB / Samsung SSD (SATA) 1TB
    PSU
    240 watts
    Case
    MSI
    Cooling
    Internal
    Mouse
    Logitech G903 Lightspeed
    Keyboard
    Steelseries
    Internet Speed
    1 Gb/s
    Browser
    Firefox / Vivaldi
    Antivirus
    MalwareBytes'
    Other Info
    none.
.js files can also be node js and is more likely. Seeing the contents of the file would indicate if it's strictly javascript or nodejs
 

My Computer

System One

  • OS
    Windows 11
I have a home web site that I created so I am somewhat familiar with Javascript. There is no file called app.js anywhere on my computer or my website. I review quarantined items before deleting them. I don't recall if app.js was among them. The good part of this is that I am learning to use WinSpy and ProcMon.
As a matter of interest, the frequency of the dialog popping up has decreased to about once every 10 minutes. I don't know if this is good news or bad news.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
Use autoruns with the virus total scan option, that should help determine whats there and if anything is suspicious.


You can also use process explorer to find more info on the process and whats being called:


View attachment 88019View attachment 88020
app.js could be anything. It's not on my PC (the problem child) nor on my laptop. I assume it was malware that was deleted during the numerous scans I performed.
You were previously infected? That's good to know. What was the threats removed? And using what removed them?



  1. Change the Default Value of the VBS File:
      1. Press Win + R to open the Run command.
      2. Type regedit and hit OK to open the Registry Editor.
      3. Navigate to Computer > HKEY_CLASSES_ROOT > .vbs.
      4. Double-click the (Default) value and set it to VBSfile.
      5. Restart your PC

        OR

        Use this REG fix.
        Code:
        Windows Registry Editor Version 5.00
        [HKEY_CLASSES_ROOT\.vbs]
        @="VBSFile"
        
        [HKEY_CLASSES_ROOT\VBSFile\Shell]
        @="Open"
        
        [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\UserChoice]
        Copy the above lines to Notepad, and save it with .reg extension. Double-click the file to apply the settings.

  2. Fix Corrupted System Files:
    • Use the SFC (System File Checker) and DISM (Deployment Image Servicing and Management)tools:
      • Open Command Prompt as an administrator.
      • Run:
        sfc /scannow
        to scan and repair system files.
      • Then run:
        DISM /Online /Cleanup-Image /RestoreHealth
 
Last edited:

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell G15 5525
    CPU
    Ryzen 7 6800H
    Memory
    32 GB DDR5 4800mhz
    Graphics Card(s)
    RTX 3050 4GB Vram
    Screen Resolution
    1920 x 1080
    Hard Drives
    2TB Solidigm™ P41 Plus nvme
    Internet Speed
    800mbps down, 20 up
  • Operating System
    Windows 11
    Computer type
    Tablet
    Manufacturer/Model
    Lenovo ideapad flex 14API 2 in 1
    CPU
    Ryzen 5 3500u
    Motherboard
    LENOVO LNVNB161216 (FP5)
    Memory
    12GB DDR4
    Graphics card(s)
    AMD Radeon Vega 8 Graphics
    Hard Drives
    256 GB Samsung ssd nvme
Thank you. I've done these things and the problem with the dialog has stopped. Please consider this closed.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
Well it's back as the standard windows dialog asking you to select run the nonexistent app.js file. I cannot capture it this time because taking any a action with the mouse makes it disappear. Pain in the butt.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
Well it's back as the standard windows dialog asking you to select run the nonexistent app.js file. I cannot capture it this time because taking any a action with the mouse makes it disappear. Pain in the butt.
Hi orestgogosha,

Can you do Alt+PrintScreen combo on the keyboard to capture it?

Kind regards,

tecknot
 

My Computer

System One

  • OS
    Dual boot Windows 10 Pro 22H2 (b 19045.4529) & Windows 11 Pro 23H2 (b 22631.3737)
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkPad Workstation P72
    CPU
    Intel i7 8750H @ 2.2 GHz
    Motherboard
    Lenovo 01YU291
    Memory
    16 GB (all Samsung) DDR4-3200 SODIMM (non-ECC) PCIe 3
    Graphics Card(s)
    Intel UHD Graphics 630 & NVIDIA Quadro P600
    Sound Card
    Realtek ALC3286
    Monitor(s) Displays
    17.3"
    Screen Resolution
    3840x2160
    Hard Drives
    1TB SSD Samsung 860 EVO SATA 3
    1TB SSD Samsung 970 EVO M.2 NVMe PCIe 3 x 4
    1TB SSD Samsung 980 M.2 NVMe PCIe 3 x 4
    PSU
    230W
    Keyboard
    UltraNav
    Mouse
    Kensington wireless Orbit
    Internet Speed
    640Mbps
    Browser
    Firefox
    Antivirus
    Defender
    Other Info
    CM246 Chipset
I tried but the screenshot disappeared. Will try again.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built

Latest Support Threads

Back
Top Bottom