Windows Defender and handling downloaded PowerShell scripts - powershell

I use Set-ExecutionPolicy RemoteSigned and download some scripts and modules. These are my scripts so they are not signed. I could use Bypass or RemoteSigned or Unrestricted. I feel that Unrestricted feels a bit over the top so I got with RemoteSigned and indeed, even though my scripts are not signed, I can download them and run them... for a while. Then, "Windows Defender" catches up and completely deletes my scripts. My questions are:
After I download a script, is there a programmatic way with PowerShell to instruct Windows Defender to mark that script on the exclusion list?
Would you say that Unrestricted is a bit unsafe? If so, what is the process of making these scripts signed (or self-signed?), or is this not possible? i.e. Set to Unrestricted so that files are not nuked, then download the file, then somehow put it on an exclusion list, then set the ExecutionPolicy back to RemoteSigned?

Downloaded files are marked as from the internet. Your need to unblock them. Use the built-in cmdlet for that.
# Get specifics for a module, cmdlet, or function
(Get-Command -Name Unblock-File).Parameters
(Get-Command -Name Unblock-File).Parameters.Keys
Get-help -Name Unblock-File -Examples
# Results
<#
Unblock-File -Path C:\Users\User01\Documents\Downloads\PowerShellTips.chm
dir C:\Downloads\*PowerShell* | Unblock-File
Get-Item * -Stream "Zone.Identifier" -ErrorAction SilentlyContinue
C:\ps-test\Start-ActivityTracker.ps1
Get-Item C:\ps-test\Start-ActivityTracker.ps1 | Unblock-File
#>
Get-help -Name Unblock-File -Full
Get-help -Name Unblock-File -Online
Any script you use will be looked at for actions it is performing. Your AV solution (Windows Defender notwithstanding) will take action(s) on it if it appears to be doing unexpected/nefarious things at any point. This has nothing to do with whether they are signed or not, or what ExecutionPolicy you set.
EP = only means allow a script(s) to run, not control what the script does/is going to do and the EP is not a security boundary, as documented in the help files.
Unblock-File Module: Microsoft.PowerShell.Utility
Unblocks files that were downloaded from the Internet.
This is all related to Windows ADS.
'windows alternate data streams downloaded file'
### Detecting Alternate Data Streams with PowerShell and DOS
dir /s /r | find ":DATA"
Get-Item –Path 'C:\users\me\desktop\*' -Stream *
Get-Content –Path 'C:\users\me\some_file.exe' -Stream zone.identifier
# Results
<#
[ZoneTransfer]
ZoneId=3
1
2
#>
Downloaded file via zone 3, we now know that is the Internet Zone as depicted in the chart below.
Value Setting
0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone
Or using MS SysInternals: streams.exe

Related

Powershell script to push installation via intune

I am trying to create an intunewin file to update dell command update on all computers (via MS endpoint manager).
Dell CU will not install itself, if the older version of the app is present on the pc. Or rather it will install, but it won't run.
Solution - To create a powershell script, that first uninstalls the older versions of dell CU, and only then installs the newest one.
The code:
Remove-Item -Path "C:\Program Files\Dell\CommandUpdate" -Recurse -Force -EA SilentlyContinue -Verbose
Remove-Item -Path "C:\Program Files (x86)\Dell\CommandUpdate" -Recurse -Force -EA SilentlyContinue -Verbose
./Dell-Command-Update-Windows-Universal-Application_601KT_WIN_4.5.0_A00_01.EXE
This works just fine, when run like this on my computer. Actually I run the cmd script:
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File .\script.ps1
Where script.ps1 is the first script above.
So I have 3 files in the folder - the ps1 script, the cmd command, and the EXE file itself. From these 3 I create the intunewin file.
When pushed via intune, the app does not install itself. I can see 'downloading' notification, but never receive installation notification, neither successful nor failed one.
Can this be related to intune settings itself? The detection method and install command are most likely correct and were working before, when I was just using the exe file for intunewin creation.
I have to change this, because Dell CU won't install itself if the older version is there - as mentioned in the first sentence.
I assume this might be related to the powershell code. Maybe intune does not understand
./Dell-Command-Update-Windows-Universal-Application_601KT_WIN_4.5.0_A00_01.EXE
anymore, when it is given intunewin file instead?
If that's the case, how can I modify my script to 'make sense in intune'?
Thank you in advance for all the advices

Group Policy Issue

I'm hoping you can help. For a bit of background one of our Domain Controllers is Server 2008 R2 and the other is 2012 R2, the 2012 R2 contains the more recent ADMX files. The primary DC is the 2008 version and we plan on upgrading this soon.
I have a Default Domain Policy that contains a basic logon script (.bat) that maps drives and adds documents to users desktops. This policy is Enforced and Link Enabled and pushes to all OU's.
I have an additional Policy setup within an OU that is linked to our domain, this includes a Powershell script that runs at logon. This was created on the secondary DC (2012) as it uses the "Start Screen Layout" feature within Start Menu and Taskbar - the primary DC (2008) doesn't have this features available.
For some reason the Default Domain Policy isn't running, the second policy however is successfully running. Is there any reason this might be happening? I've had a mess with the enforcement options for the second policy but I can't fathom out why it's not running both.
It's definately something to do with the Powershell commands I have running in the second policy, if I remove these the default policy login scripts run fine.
Some More Info
To explain, there's 3 scripts in total (all of which sit in the Policy location within sysvol). The first ps1 file copies a shortcut for devices and printers from a network location that all users have access to and pastes it into %appdata% for all users. Part of this script uses the startlayout.xml to reference this location which then add the shortcut to the users start menu.
Copy-Item -Path "\\Server\Share\*.lnk" -Destination "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
The next command removes a load of the bloatware that Win 10 installs to a users profile, I won't post all of the apps in the script but a few so you get the gist:
$AppList = #(
"*Microsoft.3dbuilder*"
"*AdobeSystemsIncorporated.AdobePhotoshopExpress*"
"*Microsoft.WindowsAlarms*"
"*Microsoft.Asphalt8Airborne*"
)
foreach ($App in $AppList) {
Get-AppxPackage -Name $App | Remove-AppxPackage -ErrorAction SilentlyContinue
}
The script that is added as the actual logon script references the location the two scripts above sit in and run them:
Get-ChildItem \\domain\SysVol\domain\Policies\'{Policy Number}'\User\Scripts\Logon | ForEach-Object {
& $_.FullName
}
Hope this helps, whether or not there's isn't an exit command maybe I'm not sure as I'm not too savy with Powershell scripting.
Further Update
Hi All, another update. I've made all my drive mappings and document copies through Group Policy now which eliminates the first policy therefore there is only one logon script that should run now which is to remove the Bloatware. I've decided to try and call it from a .bat file using the following command:
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "\\domainm\SysVol\domain\Policies\{Policy Number}\User\Scripts\Logon\BloatwareRemoval.ps1"'-Wait}"
Again this will only run after a user logs on for the second time. Is there something glaringly obvious I'm missing here?Thanks in advance.
Thanks in advance.

How to bypass security warning when running EXE from network location?

I am trying to write a complex unattended install script that installs from a network directory. I'm running PS in administrator mode with bypass security.
When I run:
Start-Process "\\192.168.5.7\MSChart.exe" -ArgumentList "/q" -Wait
I get:
How can I bypass this without adding the network location as a trusted server? Ideally simply using PowerShell. I've tried Unblock-File, no luck.
The network share is not trusted by your computer, hence it warns you. You would have to add the share to the trusted zone in the systems internet settings, and allow "launching programs and unsafe files".
You cannot bypass it, but
add the required configuration to the registry
or copy the files locally and run it from there
using PowerShell
You can bypass the warning by adding -NoNewWindow as in Start-Process "\\192.168.5.7\MSChart.exe" -ArgumentList "/q" -Wait -NoNewWindow.
You should however leverage DNS for your path (e.g. \\share.domain.com\file.exe) and ensure the URI (share.domain.com) is in your system 'Trusted Sites' or 'Intranet Sites' list or you may still be blocked. Copying the file to the local system first may also fix the problem.
Reference: https://social.technet.microsoft.com/Forums/en-US/92eab96d-fe1a-4119-a5bc-f171d517466a/getting-open-file-security-warning-using-startprocess?forum=winserverpowershell
Maybe you want to Unblock-File and accept all of the risks that come with that and then try to execute it?
I don't recommend anyone EVER run a script like this:
function Unblock-Dir()
{
gci -Directory | % {
push-location $_ ;
gci | % {
Write-Host "Unblocking $_";
Unblock-File $_
}
Unblock-Dir ;
Pop-Location
}
Unblock-File -path .\*
}
It's just too dangerous.

Where to put PowerShell profile scripts if standard locations are forbidden?

In our corporate environment, I am having difficulty with creating a PowerShell profile scripts.
To prevent users from writing documents on the local disk, the "Documents" directory is forced to be on a network drive. Commonly the "H:" (home) drive.
Likewise, users are forbidden from writing under C:\Windows\System32.
Where can I put the ISE profile script if these two are not available?
PSVersion 5.0.10586.117
PS C:\Windows\System32\WindowsPowerShell\v1.0> $HOME, $PSHOME
C:\Users\pwatson
C:\Windows\System32\WindowsPowerShell\v1.0
See also: Help-About about_Profiles
When I am not connected to the network, these are the $profile settings. I still cannot write under C:\Windows\System32 and the CurrentUser values are invalid.
PS C:\Windows\System32\WindowsPowerShell\v1.0> $profile | Get-Member -Type NoteProperty | ForEach-Object {$_.ToString
()}
string AllUsersAllHosts=C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
string AllUsersCurrentHost=C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
string CurrentUserAllHosts=WindowsPowerShell\profile.ps1
string CurrentUserCurrentHost=WindowsPowerShell\Microsoft.PowerShell_profile.ps1
PS C:\Windows\System32\WindowsPowerShell\v1.0>
One option is to create a shortcut with a target like this:
%systemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -NoExit -file C:\somewhere\myprofile.ps1
and then always use this shortcut to start PowerShell.
This is not actually using the built-in PowerShell profile concept but it is dot-sourcing a ps1 file that behaves pretty much like a profile file.
If you like to start PowerShell from cmd.exe, create a batch-file with the same content as above and put it somewhere in your path (if you have permissions to do so)

Powershell Get-ChildItem doesn't work properly on IIS directory

I was going to write up a simple alias 'iis' to invoke the IIS Manager, which is 'C:\Windows\System32\inetsrv\InetMgr.exe'
set-alias iis "OpenIIS.ps1"
and in the OpenIIS.ps1 I have
$item = "C:\Windows\system32\inetsrv\InetMgr.exe"
invoke-item -path $item
This doesn't work. The error I get is "The system cannot find the file specified"
In fact, just doing a Get-ChildItem on the inetsrv won't show the InetMgr.exe (no difference with -Force switch)
Get-ChildItem C:\Windows\system32\inetsrv\*.exe -force
Obviously I can see it in Explorer and I can launch it using cmd, but not with Powershell it seems. Also, Powershell is running as Administrator.
What is going on?
As a workaround I tried creating a link to the file and then invoking that link from Powershell. I now get a 'NotSpecified' Win32Exception.
I have originally used 64 bit Powershell, but get the same result on the x86 Powershell (both run as Administrator)
Are you at the elevated PowerShell prompt? Some system files may not show up unless you use -Force parameter with Get-ChildItem.
I think evidently the file InetMgr.exe is not there as when I do a get-childitem in the mentioned directory,it lists the "InetMgr.exe" there.
This may not be the problem with Get-ChildItem or the Alias you created but instead with ur IIS Server.