• Status: Solved

What is causing CScript to run and hog memory??

Dear Experts,

We have a number of virtual servers running Windows 2008R2 Standard which have recently started running slowly. On closer inspection, Task Manager shows a CScript running and using loads of memory.

We've identified what the script is and we're happy that it's legitimate and not a virus. However, we've checked Scheduled Tasks and nothing is scheduled to run and we don't know how this is starting.

Is there any way that we can identify what is calling this script?

1 Solution
What does this script actually do? Is it part of another software program?
Usually, if it's not scheduled, it's probably part of a service (since the service is firing this command, it could be that you cannot find any reference to this script, that's why I asked if you can tell me if it's part of something else).
For instance, if you find database references in it, it could be a job in your MS SQL server. If there are web references in it, it could be fired from an ASP script.
andymellor (Author) Commented:

Thanks for your reply. The script that is running is below:

On Error Resume Next
' Read the OS product name from the registry
Set WSHShell = WScript.CreateObject("WScript.Shell")
OSName = WSHShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName")
' Only continue on Windows 7, Windows 8 or Server 2008 R2
If InStr(OSName, "Windows 7") Or InStr(OSName, "Windows 8") Or InStr(OSName, "2008 R2") Then
    cif = ""
    ' Run manage-bde and read its output line by line
    Set s = CreateObject("WScript.Shell")
    Set e = s.Exec("manage-bde -status")
    Set status = e.StdOut
    Do While status.AtEndOfStream <> True
        line = status.ReadLine
        ' Collect each volume letter and its "Percentage Encrypted" value
        If InStr(line, "Volume ") Then
            cif = cif & Mid(line, 8, 2)
        ElseIf InStr(line, "Percentage Encrypted:") Then
            cif = cif & Mid(line, 26) & "; "
        End If
    Loop
    ' If a volume reports 100, read the lockout threshold policy value
    If InStr(cif, "100") Then
        PasswordFailedAttempts = WSHShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts")
        If PasswordFailedAttempts > 10 Or PasswordFailedAttempts = "" Then
            WScript.Echo "Interactive logon: Machine account lockout threshold is set to " & PasswordFailedAttempts & " invalid logon attempts."
        End If
    End If
End If

We think that this is a script that somebody has created to test out the Intrusion Detection System we use (Tripwire). Nobody seems to be taking ownership of the script but we do work in a fairly large and complicated company.

Is there any way that you know of that we can prevent this from running (or kill it off automatically) whilst we find the origin of the problem?

Thanks again.
Seems like a custom made script. First of all, you can disable it by putting


on top of the script. Nothing of the code will run.

Next you can try to track it by searching for the script name in your registry. But as I said, if this is a slave command from another program or service, you won't find anything.
Maybe it's probably part of a larger management software tool. If you still can't trace it, then the solution I provided will prevent the large memory consumption.
Also, if you know the schedule of this script, maybe you can run ProcMon (process monitor from MS Technet) just before it starts, look for the script name, and see who fired it. But this tool will provide thousands if not millions of lines, so it's quite laborious to go through all the lines (use the search after you're sure the event has been captured).
andymellor (Author) Commented:
Perfect - Thanks :-)
Pramod Ubhe Commented:
Check if this is getting deployed through GPOs.
Question has a verified solution.
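
As an added illustration (not part of the original thread), the question of what is calling the script can also be answered from the process table while the script is running. The PowerShell below, written for the PowerShell 2.0 that ships with Windows Server 2008 R2, walks each running cscript.exe up through its parent processes; the function name Get-ProcessAncestry is an assumption of this example.

```powershell
# Added example: show the ancestor chain of every running cscript.exe.
# Run elevated so CommandLine and owner are readable for other accounts.
function Get-ProcessAncestry {
    param([string]$Name = 'cscript.exe', [int]$MaxDepth = 10)

    # One snapshot of all processes, indexed by PID.
    $byPid = @{}
    Get-WmiObject -Class Win32_Process |
        ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

    foreach ($target in @($byPid.Values | Where-Object { $_.Name -eq $Name })) {
        $current = $target
        for ($depth = 0; $current -and $depth -le $MaxDepth; $depth++) {
            # Owner lookup fails for some system processes; leave it empty then.
            $owner = $null
            try {
                $o = $current.GetOwner()
                if ($o.ReturnValue -eq 0) { $owner = '{0}\{1}' -f $o.Domain, $o.User }
            } catch { }

            # CreationDate is empty for the idle process (PID 0).
            $started = $null
            if ($current.CreationDate) {
                $started = $current.ConvertToDateTime($current.CreationDate)
            }

            New-Object PSObject -Property @{
                TargetPid   = $target.ProcessId
                Depth       = $depth
                ProcessId   = $current.ProcessId
                Name        = $current.Name
                Owner       = $owner
                Started     = $started
                CommandLine = $current.CommandLine
            } | Select-Object TargetPid, Depth, ProcessId, Name, Owner, Started, CommandLine

            # A "parent" that started after its child is a recycled PID:
            # the real parent has already exited, so the chain ends here.
            $parent = $byPid[[int]$current.ParentProcessId]
            if ($parent -and $parent.ProcessId -ne $current.ProcessId -and
                $parent.CreationDate -le $current.CreationDate) {
                $current = $parent
            } else {
                $current = $null
            }
        }
    }
}

Get-ProcessAncestry | Format-Table -AutoSize -Wrap
```

Depth 0 is the cscript.exe itself; depth 1 is the process that started it, whose name and command line usually identify the responsible service or agent.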
