Windows Script Host “Can Not Find Script File” at Startup: Fix

Brendan Smith
Brendan Smith - Cybersecurity Analyst
14 Min Read
A Windows startup launcher pointing to a missing script file and triggering an error window.
A missing script warning usually remains because an autostart entry still calls a file that is gone.

A Windows Script Host “Can Not Find Script File” popup usually means Windows is still launching a command that points to a .vbs, .js, or .wsf file that no longer exists. The missing file may belong to an incompletely removed app, but random paths under AppData, Temp, or C:\Users\Public often appear after an antivirus removed a malicious script and left its startup entry or scheduled task behind. Record the complete path, find and disable the launcher, reboot to confirm the popup stops, and only then remove the confirmed orphan. Do not download or recreate an unknown script.

The dialog does not prove that wscript.exe is infected. Windows Script Host is a legitimate Windows component. The important evidence is the script path and what keeps asking Windows Script Host to open it.

What the Windows Script Host error means

Windows includes two script hosts: wscript.exe runs scripts with a graphical interface, while cscript.exe runs them in a console. Microsoft documents common Windows script extensions such as .vbs, .js, and .wsf.[1] A normal command might look like this:

wscript.exe "C:\Program Files\Example App\startup.vbs"

If the application or an antivirus deletes startup.vbs but leaves the command in a Run key, Startup shortcut, or scheduled task, Windows still starts wscript.exe. The host then reports that it cannot find the requested file. Removing or disabling Windows Script Host itself treats the messenger, not the launcher.

Save the exact missing path first

Before closing the popup, take a screenshot or copy the full path exactly. Preserve the filename, extension, folders, and whether the warning appears only at sign-in or repeats while the PC is running. A path such as C:\Program Files\Vendor\App\helper.vbs suggests a different investigation from %APPDATA%\xkqz\run.js.

Missing path or context Likely cause and safest next step
A known vendor folder under C:\Program Files Often an incomplete update or uninstall. Verify the app and publisher, then repair, reinstall, or uninstall it through the vendor’s normal process.
A shortcut or script under the Startup folder for an app you removed Likely an orphan. Disable the entry, reboot, and remove the shortcut only after confirming the app is gone.
A random folder under %APPDATA%, %LOCALAPPDATA%\Temp, C:\Users\Public, or C:\ProgramData Higher risk, especially after an antivirus alert, fake update, crack, or pasted command. Preserve the launcher details and scan before deleting related evidence.
A USB drive letter or a file that appears only when a removable drive is absent It may be an old portable-app shortcut or script malware from the drive. Do not reconnect and run the file; inspect the startup entry and scan the removable drive safely.

A suspicious location is a reason to investigate, not proof by itself. Legitimate utilities can store per-user files in AppData, while malware can imitate a vendor name. Use the complete command, publisher, digital signature, creation time, and the event that preceded the popup.

Use this safe removal order

  1. Record the error. Save the missing path and the time or trigger.
  2. Do not recreate the file. An empty file can hide the popup without removing the launcher. A downloaded replacement may restore malicious code.
  3. Find the launcher. Check Startup Apps, Startup folders, Autoruns, Task Scheduler, and Run/RunOnce entries.
  4. Disable before deleting. Disable or uncheck the exact launcher, restart Windows, and verify the warning stops.
  5. Identify the owner. Repair a legitimate app or remove a confirmed orphan and its source program.
  6. Scan when the context is suspicious. An antivirus may have removed the visible script while leaving another payload, task, or startup entry.
  7. Recheck after reboot. If the same entry returns, another process is recreating it.

Check Startup Apps and Startup folders

Open Task Manager > Startup apps or Settings > Apps > Startup. Look for an item that appeared with the popup, has no publisher, uses a blank icon, or matches part of the missing path. Do not delete wscript.exe, cscript.exe, or every item with “Windows” in its name.

The simple Startup Apps list does not show every command. The suspicious startup app checklist explains how to reveal a full command line and distinguish a broken app entry from a wrong-path executable.

Press Win+R and check these folders:

shell:startup
shell:common startup

The corresponding locations normally resolve under the current user profile and %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Inspect shortcuts and scripts for the exact filename. Disable or move only the confirmed orphan while you test; do not empty both folders.

Find the hidden launcher with Microsoft Autoruns

Microsoft Sysinternals Autoruns is the most useful single view because it covers logon entries, Run and RunOnce keys, scheduled tasks, services, Winlogon entries, and other autostart locations. It can jump directly to the file or registry entry behind a command.[2]

  1. Download Autoruns only from Microsoft Sysinternals and run it as administrator.
  2. Let the initial scan finish. Enable signature verification and use Hide Signed Microsoft Entries to reduce system noise.
  3. Search for the exact missing filename, a distinctive folder from the path, wscript.exe, and cscript.exe.
  4. Open Properties or use Jump to Entry to see the full command and its autostart location.
  5. Uncheck the exact entry first. Restart and confirm the popup no longer appears.
  6. Delete the entry only after you have identified it as an orphan or malicious launcher and know it is not required by a legitimate app.

“Not Microsoft-signed” does not mean “malware.” Most third-party software is not signed by Microsoft. The filter helps focus the list; the path, publisher, signature, source program, and repeat behavior determine the decision.

Check Task Scheduler when the popup repeats

A warning that appears every few minutes, at a fixed time, on workstation unlock, or after the browser opens is more likely to come from Task Scheduler than from a one-time Startup shortcut. Open Task Scheduler > Task Scheduler Library and inspect tasks whose last-run time matches the popup.

Open each candidate’s Actions tab. Look for wscript.exe, cscript.exe, the missing path, or a wrapper such as cmd.exe, powershell.exe, or mshta.exe that launches the script. A blank mshta window or a remote HTA command belongs to the mshta launcher cleanup guide; a recurring PowerShell window or outbound block belongs to the PowerShell startup investigation.

Disable the suspicious task before deleting it. Export or record its name, trigger, action, author, and creation date. If it returns after reboot, find the program that recreates it rather than repeatedly removing the copy.

Inspect Run and RunOnce without deleting broad registry branches

Windows supports four common logon-launch locations:[3]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Autoruns is safer for most readers because it shows the command and lets you disable it reversibly. If you inspect Registry Editor manually, export the specific value before changing it. Remove only the value whose data contains the exact missing script or confirmed unwanted launcher. Do not delete the Run or RunOnce key itself.

If a black Command Prompt briefly flashes and opens a website rather than a missing-script dialog, use the CMD website startup-hijack guide; that is a sibling intent with different browser cleanup steps.

If the path belongs to legitimate software

A missing vendor script can result from a failed update, a manual folder deletion, or an uninstaller that left an autostart entry. Verify that the folder, application, and publisher are real. Open Installed apps and use Repair when available, or uninstall and reinstall the program from its official source. Do not download the individual `.vbs` or `.js` file from a file-replacement site.

If the error began immediately after you removed the app and disabling its exact launcher fixes the warning, the entry was probably an orphan. Keep the change narrow. A registry cleaner is unnecessary and can remove unrelated application settings.

If the missing script looks suspicious

Treat the incident as higher risk when the path is random or user-writable, an antivirus removed the file, the error began after a crack, fake update, email attachment, browser verification command, or unknown installer, or the launcher returns after you disable it. The broad script-based malware guide explains how scripts can download payloads, change settings, and establish persistence. For a named file such as sdaCollector.vbs, use the path and source-specific VBS check rather than assuming every VBS file has the same purpose.

Do not restore the missing script. Preserve the launcher details, disable it, and run a full scan. Gridinsoft Anti-Malware can check for detections, hidden files, scheduled tasks, startup entries, bundled apps, and browser changes that may remain after the visible script was deleted. It cannot prove that no information was exposed.

Check for the source behind the missing script

If the process path is wrong, the name imitates a Windows component, or high CPU started after an unknown installer, scan for hidden miners, services, startup entries, and bundled components.

Scan for script malware leftovers

If the original script ran and account symptoms followed—unexpected logins, sent messages, changed recovery details, or stolen browser sessions—change important passwords from a clean device and revoke active sessions after containing the PC. After cleanup, use the post-malware Windows audit to verify startup, tasks, services, browser, proxy, remote-access, and account settings.

What not to do

  • Do not create an empty file with the missing name merely to silence the popup.
  • Do not download run.vbs, update.js, or another replacement from an unknown site.
  • Do not delete C:\Windows\System32\wscript.exe or C:\Windows\System32\cscript.exe.
  • Do not globally disable Windows Script Host as the first fix; legitimate administration and application workflows can depend on it.
  • Do not delete every unsigned Autoruns entry or the entire Run registry key.
  • Do not clear evidence before recording the path, launcher, task trigger, and relevant antivirus alert.

FAQ

Is wscript.exe a virus?

The Microsoft-signed wscript.exe in its normal Windows system location is a legitimate script host. Malware can misuse it or copy its name elsewhere, so check the executable path and the script it was asked to run.

Why did the popup appear after my antivirus removed a threat?

The antivirus may have deleted or quarantined the script while leaving a Run entry, Startup shortcut, or scheduled task that calls it. Remove the confirmed launcher and scan for related persistence instead of restoring the missing file.

Can I download the missing run.vbs file?

No. A generic filename does not identify the original content. Downloading a replacement can introduce malware, while creating an empty file only hides the warning. Find what launches the file and repair the owning app or remove the orphan.

Why does Windows Script Host appear every few minutes?

A repeating interval commonly points to a scheduled task or a background program recreating the launcher. Match the popup time with Task Scheduler’s last-run time and inspect the task’s Actions and Triggers.

Should I disable Windows Script Host?

Not as a general fix. Disabling the host can break legitimate scripts and leaves the unwanted startup or task entry in place. Disable the exact launcher, verify the source, and remove only the confirmed orphan or malware.

References

  1. Microsoft. “wscript.” Microsoft Learn, accessed July 17, 2026. learn.microsoft.com.
  2. Russinovich, Mark. “Autoruns v14.3.” Microsoft Sysinternals, updated June 17, 2026; accessed July 17, 2026. learn.microsoft.com.
  3. Microsoft. “Run and RunOnce Registry Keys.” Microsoft Learn, updated February 21, 2026; accessed July 17, 2026. learn.microsoft.com.
Share This Article
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?