In PowerShell, is there an advantage to a restrictive execution policy besides trying to control which script files can run?
By default, PowerShell scripts are not allowed to run, but it seems like if a malicious party wants to run PowerShell script they can just bootstrap into it using a BAT file that calls PowerShell with the -ExecutionPolicy parameter set to "bypass".
Am I missing something, or does this defeat the execution policy mechanism? Why sign scripts (which looks like quite a hassle) when you can just make the execution policy less restrictive?
Below is a BAT script I wrote that creates an unsigned .ps1 file and runs it. It works on a machine with the execution policy of Restricted, which should disallow scripts. UAC is on and no elevation prompt is shown. It even dials out to the Internet and gets the latest headline of the "Hey, Scripting Guy!" blog.
echo write-host "`r`nPowershell code running on $(hostname).`r`n`r`nHere's the latest headline from the 'Hey, Scripting Guy!' blog: '$(([xml](New-Object Net.WebClient).DownloadString("http://blogs.technet.com/b/heyscriptingguy/atom.aspx")).feed.entry[0].title)'.`r`n`r`nPress Enter to close.`r`n"; read-host > script.ps1
powershell -ExecutionPolicy bypass -Command .\script.ps1
The execution policy will prevent someone from modifying an existing script that's being run by someone else, or as an automated process (e.g. a scheduled task). From a security standpoint, using that .bat file is no different that compiling code to do the same thing into an .exe.
Also, the -ExecutionPolicy parameter doesn't work when the execution policy is set via local/group policy on the machine (per Ansgar's comment on the question).
The default PowerShell execution policy of disallowing scripts is useful for little more than preventing accidental invocations of the script. It can be trivially violated, even on earlier versions of powershell which didn't have the per instance parameter, by doing the following
Open any script you want to run in notepad
Copy the contents to the clipboard
Paste the clipboard to an instance of powershell
Anyone who really wants to run a script can do so using this or a variety of other mechanisms. It's only really useful for preventing unintentional execution of scripts
Related
I have to run my powershell scripts ONLY with these way:
Get-Content "ScriptName.ps1" -raw | powershell.exe -ExecutionPolicy byPass -NoExit -Command -
It works ok with some scripts but others cannot be executed with these way, even if they work from PowerShell ISE, or Visual Studio code. Executing ends without any output or warnings.
For me, it looks like when we run raw text as a Command for powershell.exe some symbols or commands don't work the same way as we run .ps1 script from ISE or VS code. I cannot find the rules for Execution scripts like these. Could someone help me with the rules, what i need to do with any script before i wanna run it like these?
I have tried escaping special characters with "/" but it doesnt work
PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts.
Script editors run PS commands as if you typed them into the console, therefore don't trigger the execution policy in most cases.
Rather than trying to bypass the execution policy this way you should either sign your scripts or put in place a domain policy which allows the script to be run normally.
I've scheduled a batch file that has this command in a TaskScheduler and it never completes:
powershell -command "& 'C:\Test\CleanUp.ps1'"
The .ps1 file has a simple script that deletes files on different shares. The powershell script runs successfully when run in ISE or even the above mentioned command runs successfully when run at cmd prompt.
I've even tried the option below with the command and also searched a number of blogs but no luck.
-ExecutionPolicy Unrestricted
The task is scheduled to run with a service account and I've setup a number of identical jobs the same way and they worked fine. I have powershell version 4.0.
How do I get the job to complete? (successfully or with a failure)
I have seen this problem before and generally it turns out to be that, when running as a different user and/or with a different profile, the script hangs because it needs to prompt for input, e.g. a missing mandatory parameter, Get-Credential, or something like that.
I'll assume that you have run the command from an interactive shell running as the service account, as this could reveal whether there is something different about the service account profile, etc. that may interfere with the running of the script.
I'll also assume that you have tried setting up the scheduled task with your own account, under which you know the script will run correctly.
Next, look at some of the other command line options for powershell.exe:
https://technet.microsoft.com/en-gb/library/hh847736.aspx
I'm not sure whether you'll get much mileage from the -ExecutionPolicy switch, as my experience is that people tend to set the policy to Unrestricted almost as soon as the server is commissioned and then never think about it again.
You might want to look at the -NoProfile switch, as that is something I see used quite often when calling PowerShell from a .bat file or directly in the task scheduler.
Notice the -File switch, which you might consider using instead of -Command.
I have created the below batch file and it works flawlessly as long as I run it manually.
However, if I run the .bat file from a HTA application, PowerShell says that he can't run the script because it is not signed/not trusted: "File cannot be loaded because the execution of scripts is disabled on this system".
Is there any fix/workaround for this without having to actually sign the script?
Batch file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". '%cd%\temp_oooscript\wrapper.ps1'"
Thank you.
This problem is caused by Windows Execution-policy setting.
To check what policy is running type this command:
Get-ExecutionPolicy
You policy should be one of these 4:
Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.
AllSigned - Only scripts signed by a trusted publisher can be run.
RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.
Unrestricted - No restrictions; all Windows PowerShell scripts can be run.
Not sure you are running remotely or locally.
If locally then your policy might be "all signed".
If remotely then your policy might be "RemoteSigned" or "all signed".
To fix the problem, 2 ways:
Adjust the policy setting. Don't make it too loose like unrestricted (I assume it is a medium to large production environment). The same reason if this is true I don't pro the bypass way by Graimer.
If this is a lab or small and trusted env then "unrestricted" can be an option. Or the bypass method proposed by Graimer.
Get the script signed.You need to run some "makecert" stuff to generate the signature and then copy it to the machine. The following link might help:
http://www.hanselman.com/blog/SigningPowerShellScripts.aspx
Try setting the exeuctionpolicy for powershell to bypass when executing it. Like this:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -executionpolicy bypass -command ". '%cd%\temp_oooscript\wrapper.ps1'"
The reason you're seing this is most likely because the HTA application is run as a 32 bit software, while your os is 64bit. Because the HTA app is running as 32 bit, it uses the powershell in C:\windows\syswow64\windowspowershell... (even though you specified system32 in your code). The execution policy there has is it's own setting, seperate from what you have in your normal 64-bit powershell.
The best way to fix it would be to sign the script using the PKI infrastructure in your enviroment. As a workaround you can use the code I provided above. The advantage for the workaround above is that the executionpolicy is only set to bypass ("disabled") for the PROCESS, and not as a default setting that could compromise security.
YES!! Found the bloody solution!! the HTA file needs to be run from through the mshta.exe from system32 instead of SysWOW64. Woohoo!!!
When providing script to customers, Script will not execute unless they did set-executionpolicy.
What is the common practice when providing a script to customers?
Whether set-executionpolicy would be run as first command in script so that it would execute without any error or some documents will be captured about set-executionpolicy.
I am giving powershell script first time to our customers. Previously i simply use to execute in our environment so i did not think about it.
Some one please help me to get some light on this
One approach:
Also a send a bat file as a wrapper to the .ps1 which will do something like:
#powershell -ExecutionPolicy RemoteSigned -File script.ps1
If I am providing a script to a customer, I'll digitially sign it and recommend that they consider using the REMOTESIGNED execution policy.
For most admins, though, I normally recommend UNRESTRICTED. These admins have sufficient power, making them jump through hoops to run code seems a waste of time. At the end of the day, they can ALWAYS run the code via one way or the other - so why waste time making signing a requirement.
I'm using Hudson version 1.324 for CI and have a couple of issues:
Environment:
Windows Server 2008
Powershell v1.0
Hudson 1.324 running as a service
Hudson Powershell Plugin installed
Psake (aka. "Powershell Make/Rake" available from Github) 0.23
(All current/latest versions as of this initial post)
I have a Powershell (PS) script that works to compile, run NUnit tests, and if successful, create a 7z file of the output. The PS script works from the command line, on both my local development box as well as the CI server where Hudson is installed.
1) Execution Policy with Powershell.
I initially ran a PS console on the server, ran Set-ExecutionPolicy Unrestricted, which allows any script to be run. (Yes, I realize the security concerns here, I'm trying to get something to work and Unrestricted should remove the security issues so I can focus on other problems.)
[This worked, and allowed me to fire off the PS build script from Hudson yesterday. I then encountered another problem, but we'll discuss that more in item #2.]
Once Hudson could fire off a PS script, it complained with the following error:
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell "&
'OzSystems.Tools\psake\psake.ps1' '.\oz-build.ps1'" The term
'OzSystems.Tools\psake\psake.ps1' is not recognized as a cmdlet, funct
ion, operable program, or script file. Verify the term and try again.
At line:1 char:2
+ & <<<< 'OzSystems.Tools\psake\psake.ps1' '.\oz-build.ps1'"
Using the same command line, I am able to successfully execute the PS script from the command line manually. However Hudson is unable to get PS to do the same. After looking at additional PS documentation I also tried this:
"& 'OzSystems.Tools\psake\psake.ps1' '.\oz-build.ps1'"
and got a similar error. There does not appear to be any documentation for the Powershell plugin for Hudson. I've gone through all the Powershell plugin files and don't see anything that's configurable. I can't find a log file for Hudson to get additional information.
Can anyone help me past this?
2) I spent yesterday wrestling with #1. I came in this AM and tried to dig in again, after restarting the Hudson server/service, and now it appears that the ExecutionPolicy has been reset to Restricted. I did what worked yesterday, opened a PS console and Set-ExecutionPolicy to Unrestricted. It shows Unrestricted in the PS console, but Hudson says that it doesn't have rights to execution PS scripts. I reopened a new PS console and confirmed that the ExecutionPolicy is still Unrestriced -- it is. But Hudson evidently is not aware of this change. Restarting Hudson service again does not change Hudson's view of the policy.
Does anyone know what's going on here?
Thanks, Derek
I just ran into the problem of running powershell scripts in hudson. The thing is that you are running a 32-bit process of Java, and you've configured Hudson for 64-bit but not for 32-bit. See the following thread we created at microsoft.
http://social.technet.microsoft.com/Forums/en/winserverpowershell/thread/a9c08f7e-c557-46eb-b8a6-a19ba457e26d
If your lazy.
1. Start powershell (x86) from the start menu as administrator
2. Set the execution policy to remotesigned
Run this once and your homefree.
When Running PowerShell from a scheduled task or Hudson you want to:
Specify the -ExecutionPolicy parameter (in your case: -Ex Unrestricted)
Specify that command using either -Command { ... } or -File NOT BOTH and not without specifying which you mean.
Try this (except that I don't recommend using relative paths):
PowerShell.exe -Ex Unrestricted -Command "C:\Path\To\OzSystems.Tools\psake\psake.ps1" ".\oz-build.ps1"
To be clear, this will work too:
PowerShell.exe -Ex Unrestricted -Command "&{&'OzSystems.Tools\psake\psake.ps1' '.\oz-build.ps1'}"
The first string after -Command is interpreted as THE NAME OF A COMMAND, and every parameter after that is just passed to that command as a parameter. The string is NOT a script, it's the name of a command (in this case, a script file)... you cannot put "&'OzSystems.Tools\psake\psake.ps1'" but you can put "OzSystems.Tools\psake\psake.ps1" even if it has spaces.
To quote from the help (run PowerShell -?) emphasis mine:
-Command
Executes the specified commands (and any parameters) as though they were
typed at the Windows PowerShell command prompt, and then exits, unless
NoExit is specified. The value of Command can be "-", a string. or a
script block.
If the value of Command is "-", the command text is read from standard
input.
If the value of Command is a script block, the script block must be enclosed
in braces ({}). You can specify a script block only when running PowerShell.exe
in Windows PowerShell. The results of the script block are returned
to the parent shell as deserialized XML objects, not live objects.
If the value of Command is a string, Command must be the last parameter
in the command , because any characters typed after the command are
interpreted as the command arguments.
I have been having the same problems as you (as you've seen from my comments). I have given up on the powershell launcher and moved to running things using the batch file launcher. Even though I had set the system to unrestricted that setting didn't seem to matter to hudson's launcher. I don't know if it runs in some other context or something, even adding things to the global profile.ps1 didn't seem to help. What I ended up doing was running
powershell " set-executionpolicy Unrestricted; & 'somefile.ps1'"
which does what I need, although it isn't ideal. I've e-mailed the plugin author about this and will update.
For question #1, try this (assuming you are using PowerShell 2.0):
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell -executionPolicy Unrestricted -file OzSystems.Tools\psake\psake.ps1 C:\{path}\oz-build.ps1"
You are using "." for the path to oz-build.ps1. I suspect you will need to provide the full path to your oz-build.ps1 file to make this work. Unless the infrastructure that executes the command above happens to have the current dir set correctly. And even if it is set correctly for the "process", that only matters to .NET/Win32 API calls and not to PowerShell cmdlets. Current dir in PowerShell is tracked differently than the process's current dir because PowerShell can have multiple runspaces running simultaneously. That sort of global, mutable value doesn't work in this concurrent scenario.
As for question #2, what account does the Hudson service run under? Make sure that account has executed Set-ExecutionPolicy RemoteSigned (or unrestricted).
I just got through this exact problem. What a pain!
If you are running a 32-bit JVM on a 64-bit Windows, make sure that you set the execution policy for the 32-bit Powershell interface. I found my 32 bit executable here:
C:\Windows\syswow64\Windowspowershell\v1.0\powerhsell.exe
The 32- and 64-bit Powershell environments are completely distinct so setting the execution policy in one has no effect on the other.