├── hello1.js
├── RunBySmartscreen_5100.exe
├── License.txt
├── What_Is_New.txt
└── README.md

/hello1.js:
--------------------------------------------------------------------------------
WSH.Echo("Hello world");
WSH.Quit();

--------------------------------------------------------------------------------
/RunBySmartscreen_5100.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AndyFul/Run-By-Smartscreen/HEAD/RunBySmartscreen_5100.exe

--------------------------------------------------------------------------------
/License.txt:
--------------------------------------------------------------------------------
RunBySmartscreen Disclaimer of Warranty
THIS SOFTWARE IS DISTRIBUTED "AS IS". NO WARRANTY OF ANY KIND IS EXPRESSED OR IMPLIED. YOU USE IT AT YOUR OWN RISK.
THE AUTHOR WILL NOT BE LIABLE FOR DATA LOSS, DAMAGES, LOSS OF PROFITS OR ANY OTHER KIND OF LOSS WHILE USING THIS SOFTWARE.

Distribution
RunBySmartscreen application may be freely distributed (but not sold) as long as no modification is made to it.
This application uses Nullsoft Scriptable Install System which has additional Software License Terms.

I would like to thank the members of https://www.autoitscript.com/forum/ , especially: Ascend4nt, Erik Pilsits, FredAI, Melba23,
trancexx, Valuater, and many others, for sharing their insightful code.

Andrzej Pluta (@Andy Ful)

--------------------------------------------------------------------------------
/What_Is_New.txt:
--------------------------------------------------------------------------------
Version 5.1.0.0
Added new digital certificate (November 2025).
Improved anti-tampering.

Version 5.0.1.1
Added new digital certificate (July 2024).
Some code was adjusted to work with WindowsHybridHardening Light.

Version 5.0.0.0
Added new digital certificate (July 2023).
Some code was adjusted to the upcoming version of Windows Hybrid Hardening.

Version 4.1.1.1
Added ONE (OneNote) file extension.

Version 4.0.1.1
Added a new digital certificate.

Version 4.0.1.0
Added several new extensions (archives, disk images).

Version 4.0.0.1
Added APPX, APPXBUNDLE, MSIX, and MSIXBUNDLE extensions (Universal Windows Platform installation packages).
Such packages are used to install UWP apps from the web browser or via downloaded packages outside the Microsoft Store.
The safe method is installing UWP apps directly from Microsoft Store.

Version 4.0.0.0
Added ELF file extension.

Version 3.1.0.1
1. Added prevention for SmartScreen DLL hijacking.
2. Both 64-bit and 32-bit executables are wrapped in one NSIS executable.

Version 3.1.0.0
1. Corrected the procedure of checking if SmartScreen is enabled.
2. The executables were initially unsigned but were replaced (in August 2019) by digitally signed binaries (Certum Code Signing certificate).

Version 3.0.1.0
1. Corrected Help information.
2. Corrected some issues related to shortcuts.
3. Added icons for RunBySmartScreen executables.

Version 3.0.0.0
1. Only EXE, MSI, COM, and SCR files are checked by SmartScreen. The files (scripts and binary libraries) with extensions: BAT, CMD,
CPL, DLL, JSE, OCX, and VBE are not checked by SmartScreen, but instead, they were added to the list of unsafe extensions.
2. During the installation, 'Run By SmartScreen' changes Adobe Acrobat Reader 10+/DC 'Protected View' setting, similarly to the default
'Protected View' setting in MS Office 2010+.
3. 'Protected View' is applied when MS Office and Adobe Acrobat Reader 10+/DC are used for opening popular documents (DOC, DOCX,
XLS, XLSX, PUB, PPT, PPTX, ACCDB, PDF) and those documents are opened via Run By SmartScreen.
Other MS Office document extensions are added to the list of unsafe extensions.
4. The list of unsafe extensions was extended (over 250 extensions): ACCDA, ACCDE, ACCDR, ACCDT, ACM, AD, ADE, ADN, ADP, AIR, APP,
APPLICATION, APPREF-MS, ARC, ASA, ASP, ASPX, ASX, AX, BAS, BAT, BZ, BZ2, CAB, CDB, CER, CFG, CHI, CHM, CLA, CLASS, CLB, CMD, CNT, CNV,
COM, COMMAND, CPL, CPX, CRAZY, CRT, CRX, CSH, CSV, DB, DCR, DER, DESKLINK, DESKTOP, DIAGCAB, DIF, DIR, DLL, DMG, DOCB, DOCM, DOT,
DOTM, DOTX, DQY, DRV, EXE, FON, FXP, GADGET, GLK, GRP, GZ, HEX, HLP, HPJ, HQX, HTA, HTC, HTM, HTT, IE, IME, INF, INI, INS, IQY, ISP,
ITS, JAR, JNLP, JOB, JS, JSE, KSH, LACCDB, LDB, LIBRARY-MS, LOCAL, LZH, MAD, MAF, MAG, MAM, MANIFEST, MAPIMAIL, MAQ, MAR, MAS, MAT,
MAU, MAV, MAW, MAY, MCF, MDA, MDB, MDE, MDF, MDN, MDT, MDW, MDZ, MHT, MHTML, MMC, MOF, MSC, MSH, MSH1, MSH1XML, MSH2, MSH2XML, MSHXML,
MSI, MSP, MST, MSU, MUI, MYDOCS, NLS, NSH, OCX, ODS, OPS, OQY, OSD, PCD, PERL, PI, PIF, PKG, PL, PLG, POT, POTM, POTX, PPAM, PPS,
PPSM, PPSX, PPTM, PRF, PRG, PRINTEREXPORT, PRN, PS1, PS1XML, PS2, PS2XML, PSC1, PSC2, PSD1, PSDM1, PST, PSTREG, PXD, PY, PY3, PYC,
PYD, PYDE, PYI, PYO, PYP, PYT, PYW, PYWZ, PYX, PYZ, PYZW, RB, REG, RPY, RQY, RTF, SCT, SEA, SEARCH-MS, SEARCHCONNECTOR-MS,
SETTINGCONTENT-MS, SHB, SHS, SIT, SLDM, SLDX, SLK, SPL, STM, SWF, SYS, TAR, TAZ, TERM, TERMINAL, TGZ, THEME, TLB, TMP, TOOL, TSP, URL,
VB, VBE, VBP, VBS, VSMACROS, VSS, VST, VSW, VXD, WAS, WBK, WEBLOC, WEBPNP, WEBSITE, WS, WSC, WSF, WSH, XBAP, XLA, XLAM, XLB, XLC, XLD,
XLL, XLM, XLSB, XLSM, XLT, XLTM, XLTX, XLW, XML, XNK, XPI, XPS, Z, ZFSENDTOTARGET, ZLO, ZOO.

Version 2.0.1.0
1. The bug with the SCR extension check was corrected.
2. The PIF extension was removed (not supported in Windows 8+).
3. The URL extension was removed (not supported by the Explorer context menu).
4. Explorer context menu option for WSH extension was added.
5. Alerts for DLL and OCX files were added - those files cannot be run directly, so only the 'Mark of the Web' is added. If some program is
going to open them, then a SmartScreen check will be triggered.
6. Shortcuts with the CommandLine in the 'Target' area are always blocked, and the program shows an alert.
7. The installation process was simplified.

Version 1.0.3.0
From version 1.0.3.0 the program is prepared to help inexperienced users open all new files. If the user tries to open the file with
"Run By SmartScreen" the program works as enumerated below:
1. Files located in the System Space (= inside C:\Windows, C:\Program Files, C:\Program Files (x86)) are opened normally, without
SmartScreen check.
2. Files located in the User Space with somewhat dangerous extensions (not supported by SmartScreen) are not allowed to open, and the
program shows an alert (similar to Software Restriction Policies).
3. The executables located in the User Space are checked by SmartScreen before the run.
4. Other files (media, photos, documents, etc.) are opened normally, without SmartScreen check.

The program has a hard-coded list of dangerous extensions (not supported by SmartScreen App Reputation on run):
WSH, WSF, WSC, WS, VBS, VB, URL, SHS, SCT, REG, PS1, PIF, PCD, MST, MSP, MSC, MDE, MDB, JS, JAR, ISP, INS, INF, HTA, HLP, CRT, CHM,
BAS, ADP, ADE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# RunBySmartScreen ver. 5.1.0.0 (December 2025)
https://github.com/AndyFul/Run-By-Smartscreen/raw/refs/heads/master/RunBySmartscreen_5100.exe

## PROGRAM INFO

'Run By SmartScreen' works only with Windows 8 and higher versions.
It is based on a very simple idea to open/run the new files safely when using the right-click Explorer context menu.
It handles file opening in the User Space (= everything outside %WinDir%, %ProgramFiles%, and %ProgramFiles(x86)%) in a smart way.
This program can manage files in the User Space, as follows:
1. Run/check executables with SmartScreen.
2. Block files with potentially dangerous extensions.
3. Open vulnerable files with the warning instructions.
4. Prevent DLL hijacking of EXE files.
5. Safe files are run/opened without warnings.

Advanced users can apply 'Run By SmartScreen' for EXE and MSI installers (from sources not supported by SmartScreen) to force the
SmartScreen check. Non-advanced users should consistently use 'Run By SmartScreen' for all new files.


## Why the SmartScreen?

The SmartScreen technology is one of the best for fighting 0-day malware files.

## Why 'Run By SmartScreen'?

This technology is only halfway adopted in Windows. SmartScreen for Explorer can check executables with the "Mark of the Web", which is
attached to files after downloading from the Internet by popular Web Browsers, Windows Store, or Windows OneDrive. There are many cases
when files do not have a "Mark of the Web", and then SmartScreen Filter simply ignores them when they are run (see REMARKS).


## INSTALLATION

Run the executable RunBySmartScreen_????.exe . The message: *Do you want to add the 'Run By SmartScreen' option in the Explorer
context menu?* will be shown. Choose the 'YES' button. After that, the 'Run By SmartScreen' option should appear in the right-click
Explorer context menu.


## UNINSTALLATION

Run the executable RunBySmartScreen_????.exe . The message: *Do you want to add the 'Run By SmartScreen' option in the Explorer
context menu?* will be shown. Choose the 'NO' button.


--------------------------------------------------------------------------------------------------------------------------------------

## How it works

This program is intended to help inexperienced users to open all new files. If the user tries to open the file with 'Run By SmartScreen' it works as follows:
1. Executables (COM, EXE, MSI, and SCR files) located in the System Space (= inside %WinDir%, %ProgramFiles%, and %ProgramFiles(x86)%) are opened normally, without SmartScreen check.
2. The above executables located in the User Space (= outside %WinDir%, %ProgramFiles%, and %ProgramFiles(x86)%) are checked by
SmartScreen before running.
3. Files from the User Space, with potentially dangerous extensions (scripts, most MS Office files, etc.), are not allowed to open
(similarly to Software Restriction Policies), and the program shows an alert.
4. Shortcuts with a command line in the 'Target' area are always blocked, and the program shows an alert.
5. Compressed archives not supported by the Windows built-in unpacker (.7z, .arj, .bz, .bzip, .bz2, .bzip2, .fat, .lha, .lzh, .rar,
.r00-09, .rev, .xz, .zipx) are not opened - only the short instruction is displayed.
6. Popular formats related to MS Office and Adobe Acrobat Reader (DOC, DOCX, XLS, XLSX, PUB, PPT, PPTX, ONE, ACCDB, PDF) are opened
with the warning instruction, and the MOTW is added to the file. When the standalone version is used, these documents are always
opened via 'Run By SmartScreen' in 'Protected View'.
7. The disk image files (.img, .iso, .ntfs, .vhd, .vhdx) are not opened - only the short instruction is displayed.
8. Other files (ZIP archives, media, photos, etc.) are opened normally without warnings.

The program has a hardcoded list of unsafe (potentially dangerous) file extensions:
ACCDA, ACCDE, ACCDR, ACCDT, ACCDU, ACM, AD, ADE, ADN, ADP, AIR, APP, APPLICATION, APPREF-MS, APPX, APPXBUNDLE, ARC, ASA, ASP, ASPX,
ASX, AX, BAS, BAT, BGI, CAB, CDB, CER, CFG, CHI, CHM, CLA, CLASS, CLB, CMD, CNT, CNV, COMMAND, CPL, CPX, CRAZY, CRT, CRX, CSH, CSV,
DB, DCR, DER, DESKLINK, DESKTOP, DIAGCAB, DIF, DIR, DLL, DMG, DOCB, DOCM, DOT, DOTM, DOTX, DQY, DRV, ECF, ELF, FON, FXP, GADGET, GLK,
GRP, GZ, HEX, HLP, HPJ, HQX, HTA, HTC, HTM, HTT, IE, IME, INF, INI, INS, IQY, ISP, ITS, JAR, JNLP, JOB, JS, JSE, KSH, LACCDB, LDB,
LIBRARY-MS, LOCAL, MAD, MAF, MAG, MAM, MANIFEST, MAPIMAIL, MAQ, MAR, MAS, MAT, MAU, MAV, MAW, MAY, MCF, MDA, MDB, MDE, MDF, MDN, MDT,
MDW, MDZ, MHT, MHTML, MMC, MOF, MSC, MSH, MSH1, MSH1XML, MSH2, MSH2XML, MSHXML, MSIX, MSIXBUNDLE, MSP, MST, MSU, MUI, MYDOCS, NLS,
NSH, OCX, ODS, ONE, OPS, OQY, OSD, PCD, PERL, PA, PI, PIF, PKG, PL, PLG, POT, POTM, POTX, PPA, PPAM, PPS, PPSM, PPSX, PPTM, PRF, PRG,
PRINTEREXPORT, PRN, PS1, PS1XML, PS2, PS2XML, PSC1, PSC2, PSD1, PSDM1, PST, PSTREG, PXD, PY, PY3, PYC, PYD, PYDE, PYI, PYO, PYP, PYT,
PYW, PYWZ, PYX, PYZ, PYZW, RB, REG, RPY, RQY, RTF, SCF, SCT, SEA, SEARCH-MS, SEARCHCONNECTOR-MS, SETTINGCONTENT-MS, SHB, SHS, SIT,
SLDM, SLDX, SLK, SPL, STM, SWF, SYS, TAR, TAZ, TBZ, TERM, TERMINAL, TGZ, THEME, TLB, TMP, TOOL, TPZ, TSP, TXZ, TZ, URL, VB, VBE, VBP,
VBS, VSMACROS, VSS, VST, VSW, VXD, WAS, WBK, WEBLOC, WEBPNP, WEBSITE, WIZ, WLL, WS, WSC, WSF, WSH, WWL, XBAP, XLA, XLAM, XLB, XLC,
XLD, XLL, XLM, XLSB, XLSM, XLT, XLTM, XLTX, XLW, XML, XNK, XPI, XPS, XSL, Z, ZFSENDTOTARGET, ZLO, ZOO

The above list is based on SRP, Outlook Web Access, Gmail, and Adobe Acrobat Reader file extension blacklists.


## REMARKS

The SmartScreen Filter in Windows 8+ allows some vectors of infection listed below:

A) You obtained the executable file by using:
* the downloader or torrent application (EagleGet, torrent, etc.);
* container format file (ZIP, 7Z, ARJ, RAR, etc.), except for some unpackers like Windows built-in unpacker;
* CD/DVD/Blu-ray disc;
* CD/DVD/Blu-ray disc image (iso, bin, etc.);
* non-NTFS USB storage device (FAT32 pendrive, FAT32 USB disk);
* Memory Card;

so the file does not have the proper Alternate Data Stream attached ('Mark of the Web').

B) You have run the executable file with runas.exe (Microsoft), AdvancedRun (Nirsoft), RunAsSystem.exe (AprelTech.com), etc.

'Run By SmartScreen' covers all vectors of infection listed in point A).



## REGISTRY CHANGES:

HKCR\\*\shell\Run By SmartScreen\

HKCR\Application.Reference!IsShortcut

HKCR\Application.Reference!NoIsShortcut

HKCR\IE.AssocFile.URL!IsShortcut

HKCR\IE.AssocFile.URL!NoIsShortcut

HKCR\IE.AssocFile.WEBSITE!IsShortcut

HKCR\IE.AssocFile.WEBSITE!NoIsShortcut

HKCR\InternetShortcut!IsShortcut

HKCR\InternetShortcut!NoIsShortcut

HKCR\Microsoft.Website!IsShortcut

HKCR\Microsoft.Website!NoIsShortcut

HKCR\piffile!IsShortcut

HKCR\piffile!NoIsShortcut

HKCR\WSHFile!IsShortcut

HKCR\WSHFile!NoIsShortcut


The standalone installation changes the policies in the HKLM Registry Hive to set Protected View in Adobe Acrobat Reader.

--------------------------------------------------------------------------------
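
The gap described in REMARKS point A (executables that arrive without a 'Mark of the Web') can be audited by reading the Zone.Identifier alternate data stream of each file. The PowerShell below is an added example, not part of RunBySmartScreen or its author's code; the function name `Get-MotwStatus`, the Downloads default folder, and the choice to count only ZoneId 3 or higher as a mark are assumptions of this example.

```powershell
# Added example, not part of RunBySmartScreen.
function Get-MotwStatus {
    param(
        # Folder to audit; the Downloads default is an assumption of this example.
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
    )

    # Extensions the README lists as checked by SmartScreen.
    $checked = '.com', '.exe', '.msi', '.scr'

    # "System Space" roots as the README defines them (x86 root is absent on 32-bit Windows).
    $systemRoots = @($env:WinDir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $checked -contains $_.Extension } |
        ForEach-Object {
            $file = $_
            $inSystem = [bool]($systemRoots | Where-Object {
                $file.FullName.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

            # Zone.Identifier is an NTFS alternate data stream. On FAT32 media or
            # after extraction by many unpackers it is missing, so ZoneId stays $null.
            $zoneId = $null
            $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($ads) {
                $m = $ads | Select-String -Pattern '^\s*ZoneId\s*=\s*(\d+)' | Select-Object -First 1
                if ($m) { $zoneId = [int]$m.Matches[0].Groups[1].Value }
            }

            [pscustomobject]@{
                File        = $file.FullName
                SystemSpace = $inSystem
                ZoneId      = $zoneId
                # 3 = Internet zone, 4 = Restricted sites; lower values are local or trusted zones.
                HasMotw     = ($null -ne $zoneId -and $zoneId -ge 3)
            }
        }
}

# Executables in User Space that carry no Mark of the Web.
Get-MotwStatus | Where-Object { -not $_.SystemSpace -and -not $_.HasMotw } |
    Format-Table File, ZoneId -AutoSize
```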