November 6, 2011

PowerShell and the execution policies explained

The PowerShell Execution Policy
The execution policy of PowerShell enabled you to configure which PowerShell scripts are allowed, if they are allowed at all, to be executed. You can get the currently active execution policy with the following command: “Get-ExecutionPolicy”.

The PowerShell execution policy has six kinds of flavor:

  1. Restricted
    No scripts may be run, only commands from a PowerShell prompt can be executed.
  2. AllSigned
    Only scripts that are signed by a trusted publisher are allowed to be executed.
  3. RemoteSigned
    All downloaded scripts must be signed by a trusted publisher before they are allowed to be executed.
  4. Unrestricted
    There are no restrictions, all PowerShell scripts are allowed to be executed.
  5. Bypass
    No scripts are blocked and no warnings or prompts are provided.
  6. Undefined
    This removes all currently configured execution policies from the system, with the exception of those configured by Group Policy.

Changing the execution policy
To change the PowerShell execution policy you can use the “Set-ExecutionPolicy” cmdlet, for example “Set-ExecutionPolicy AllSigned”. When you change the execution policy, you will be prompted with a warning that you’re changing the it.
If you don’t want to get that confirmation you can simply use the “-Force” parameter behind your command. For example, the “Set-ExecutionPolicy RemoteSigned –Force” command will change the execution policy to “RemoteSigned” without prompting you for a confirmation.
If you want to be sure this confirmation prompt to appear you can use the “-Confirm” parameter to make sure of that.

The scope of the execution policy
There are three different scopes for the execution policy:

  1. LocalMachine (default)
    This scope will affect all users and processes on the machine.
  2. CurentUser
    This scope will affect only the current user and all it’s processes.
  3. Process
    This scope will affect only the current PowerShell process.

The scope can be set with the “-Scope” parameter as an addition to the “Set-ExecutionPolicy” command and it can be removed by setting the execution policy for that scope to “Undefined”.

Bypassing the execution policy
There is a secret parameter called “-“. When you use it, you can pipe a script into powershell.exe and execute it line. Here is an example: “Get-Content ‘C:\somescript.ps1’ | powershell.exe -noprofile -“

Leave a Reply

Your email address will not be published. Required fields are marked *