Running Scripts Downloaded from the Internet

Over on the Microsoft.Public.Windows.PowerShell newsgroup Stefan had a number of questions about the following scenario:

I want to start ps1 scripts over UNC paths or mapped network shares. I tried
to change the execution policy to unrestricted but I always get the
following prompt:

Security Warning
Run only scripts that you trust. While scripts from the Internet can be
useful, this script can potentially harm your
computer. Do you want to run \\blablabla\bla?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is “D”):

This has confused a number of people. That is because most of us never read the documentation. J If there is one piece of documentation you should read, it is about_signing.

Chainsaws are awesome tools but if you apply them to your leg – it will be a really bad day.
So too, scripting is an awesome tool but if you make the wrong security decisions, it is going to be a bad day.
This is why we ship PowerShell in RESTRICTED mode which allows interactive use but does not allow scripts to be run. As soon as you try to run a script, we give an error and tell you to read About_Signing.

[0]PS> .\test.ps1
File C:\Temp\wmi\test.ps1 cannot be loaded because the execution of scripts
is disabled on this system. Please see “get-help about_signing” for more details.
At line:1 char:11
+ .\test.ps1 <<<<

About_Signing is designed to layout the security decisions you need to make and then detail their risks and benefits. Here is what it says about UNRESTRICTED:

Unrestricted
– Unsigned scripts can run.
Scripts and configuration files that are downloaded from the Internet
(including Microsoft Outlook, Outlook Express and Windows Messenger)

run after warning you that the file originated from the Internet.
– Risks running malicious scripts.

What this is saying is that various tools (like IE and Outlook) tag downloaded content with origin information. PowerShell looks for this and when it detects that a script comes from the internet, we warn you and you have to make an explicit decision to run it or not. Think of this as the functional equivalent of having to put your foot on the brakes before you can put your car in reverse.

As a general rule, you need to be very careful running stuff you pulled down from the internet. If you’ve reviewed the script and found it to be trustworthy, you can remove its origin information by UNBLOCKING it from the properties dialog box in Explorer (Select the object in explorer, right click, select properties, unclick BLOCKED).

As a reminder, I’ve included the execution policy choices you have:

POWERSHELL EXECUTION POLICIES
——————————


The PowerShell execution policies are:


Restricted
– Default execution policy.
– Permits individual commands, but scripts cannot run.

AllSigned
– Scripts can run.
– Requires a digital signature from a trusted publisher on all scripts
and configuration files, including scripts that you write on the
local computer.
– Prompts you before running scripts from trusted publishers.
– Risks running signed, but malicious, scripts.

RemoteSigned
– Scripts can run.
– Requires a digital signature from a trusted publisher on scripts and
configuration files that are downloaded from the Internet (including
e-mail and instant messaging programs).
– Does not require digital signatures on scripts run from the
local computer.
– Does not prompt you before running scripts from trusted publishers.
– Risks running signed, but malicious, scripts.


Unrestricted
– Unsigned scripts can run.
– Scripts and configuration files that are downloaded from the Internet
(including Microsoft Outlook, Outlook Express and Windows Messenger)
run after warning you that the file originated from the Internet.
– Risks running malicious scripts.

Happy Scripting!


Jeffrey Snover [MSFT]
Windows Management Partner Architect
Visit the Windows PowerShell Team blog at: http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at: http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx