Convenience over Security – Enjoy Running Unsigned PowerShell Scripts

I’ve been very pro-Windows Vista but sometimes it’s just too difficult to deal with its annoyances.

Yesterday I wanted to run some PowerShell script copied from someone’s blog. First, it wouldn’t run ’cause there was no PowerShell installed. What?? Oh, well, I guess it did not ship with Vista. I downloaded and installed PowerShell but – alas! – it wouldn’t execute unsigned code.

Great! Back to Scroogle – let’s look for workarounds and solutions. After a while – bingo! – I landed at http://www.hanselman.com/blog/SigningPowerShellScripts.aspx. That’s some complicated and time consuming stuff! Does it really have to be this complicated?

Oh, well, let’s download the few hundred MBs of stuff we need. At first I got MS Visual Studio 2008 (quite a download) but it didn’t have makecert.exe. All right, let’s try .NET Framework 2.0. As I struggled with the poor download speed, I had to call it a day.

What a waste of time. Things like this make me sick!

Today I continued to waste time on this crap. The makecert utility would fail (Error: WriteFile failed => 0x5 (5)).

After additional scroogling I found out (http://www.appdeploy.com/messageboards/tm.asp?m=20873) that the stupid error means that I (admin on this machine) do not have the permission to write to c:\. How stupid is that? Changing makecert’s destination to c:\users\admin made it complete without error.

Next, I couldn’t execute Set-ExecutionPolicy AllSigned (mind you, I’m administrator of this computer) because the attempt to modify the Windows registry required was refused. Really smart!

At this point I had enough so here’s my workaround for you:

Run regedit.exe, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell and add a “String Value” registry value called ExecutionPolicy with the value of Unrestricted.

– or –

Save this file (click here – this is for Windows Vista x86 – I don’t know if Windows XP and/or Vista x64 have the same key) below as something that ends in “.reg” – e.g. ps_unrestricted.reg – and make sure that the file is properly formatted (there are extra line breaks in it right now). Next, if you’re not Administrator, run regedit.exe, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, right-click on Microsoft.PowerShell (in the left pane) and give your account (e.g. dick) all permissions that can be given. Then double-click on ps_unrestricted.reg and the value should be created in your registry. Now you can remove your account from the list of accounts with permissions on this key.
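
A way to check what this workaround leaves behind, as an added example (not part of the original post): it reads the ExecutionPolicy value and its type under the key named above, lists the accounts that can write to that key, and shows the effective policy per scope. It assumes Windows PowerShell 2.0 or later for `Get-ExecutionPolicy -List`; the `$weak` list and the function name are choices made for this example.

```powershell
# Added example: audit the machine-wide execution policy set by the workaround.
# Assumption: Windows PowerShell 2.0+ (Get-ExecutionPolicy -List is not in 1.0).
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
$valueName = 'ExecutionPolicy'
$weak      = @('Unrestricted', 'Bypass')   # policies that allow unsigned scripts from anywhere

function Get-MachinePolicyValue {
    # Returns the raw registry data and its type, or $null when the value is absent.
    if (-not (Test-Path -Path $keyPath)) { return $null }
    $key = Get-Item -Path $keyPath
    if ($key.GetValueNames() -notcontains $valueName) { return $null }
    New-Object PSObject -Property @{
        Data = $key.GetValue($valueName)
        Kind = $key.GetValueKind($valueName)
    }
}

# 1. The value itself: the post notes it has to be a String Value, not a DWORD.
$raw = Get-MachinePolicyValue
if ($null -eq $raw) {
    Write-Output "No $valueName value under $keyPath (default policy applies)."
} else {
    Write-Output ("Registry value: {0} (type {1})" -f $raw.Data, $raw.Kind)
    if ($raw.Kind -ne 'String') {
        Write-Output 'WARNING: value is not a String Value.'
    }
    if ($weak -contains [string]$raw.Data) {
        Write-Output 'WARNING: machine-wide policy allows unsigned scripts.'
    }
}

# 2. Who can change the value: the second method grants a user account
#    full permissions on the key and relies on removing them afterwards.
if (Test-Path -Path $keyPath) {
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    (Get-Acl -Path $keyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.RegistryRights -band $setValue) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

# 3. Effective policy at every scope, with weak settings flagged.
Get-ExecutionPolicy -List | ForEach-Object {
    $flag = if ($weak -contains $_.ExecutionPolicy.ToString()) { 'WEAK' } else { 'ok' }
    '{0,-14} {1,-14} {2}' -f $_.Scope, $_.ExecutionPolicy, $flag
}
```

An ordinary user account showing up in the writers list means the temporary permission grant from the second method was never removed.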

And I’ve got an enhancement request for the Windows Vista team: I want a “god” account type that has absolute powers, permissions and all.

P.S. The PS script I downloaded in the end didn’t work (many syntax errors in the code). Wonderful…

Update [2008/02/12]: The “god” mode works after one disables user access control.

Update [2008/05/03]: The workaround works for Windows Server 2008 as well. Also I corrected above instructions (I incorrectly stated that “DWORD” should be created which of course wouldn’t work).


3 Responses to Convenience over Security – Enjoy Running Unsigned PowerShell Scripts

  1. shalin2 says:

    Another solution is to switch to a serious and well designed operating system like Linux or Mac OS X.

    Being UNIXes, those systems have a “god” account (its name is “root”).

    Disabling access control under windows is not the same as having a “god” user, because disabling access control also opens the door back to viruses and all Windows pleas.

    There is a port of PowerShell to Linux currently being written, but there is also a lot of very good shells, and they have been there for a much longer time than under Windows, so they are much more stable. Also, you don’t need to install them, they are part of the operating system.

    Best regards,

  2. cancanucan says:

    Don’t use PowerShell if you can’t take the time to understand it.

    Actually … don’t use -anything- at all if you can’t take the time to understand it, your frustrations will never cease.

    You can’t understand how dumb you’ve made yourself appear to all competent individuals on this planet who are reading your blog. Guess what?

    set-executionpolicy remotesigned

    That’s what.

    If you’re smart you’ll re-enable policies when you’re done with your editing/developing.

    The first thing I was told by PowerShell when I tried to run a script for the first time was:

    ‘Please see get-help about_signing’

    … on THAT very page, just scroll your terribly inconvenienced self a bit down the page and you find;

    ‘To run unsigned script that you write on your local computer and signed scripts from other users, use the following command to change the execution policy on the computer to RemoteSigned

    Set-ExecutionPolicy RemoteSigned’

    …. PowerShell tells you EXACTLY how to deal with the issue. Instead of demonstrating any level of rationality or reason you rampage on with your burst of insanity declaring lies and deceit as if they were objectively valid.

    The truth is you have some immature and primitive NEED to hate something, the same addiction to drama and absurdity 99% of people alive are literally out in search for.

    Microsoft is not the problem here.

    • sean says:

      @cancanucan: I don’t like your tone, but then again maybe I’m too sensitive so I’ll approve the comment.

      What bothered me was not PowerShell’s security model but the poor diagnostics and documentation (not only PowerShell, but also other components such as that makecert utility).

      It says that “RemoteSigned runs local scripts without requiring them to be trusted; scripts downloaded from the Internet, however, must be trusted before they can run.”
      This was the one and only requirement – all I wanted was to run scripts downloaded from the Internet because I was getting started with PowerShell and wanted to try out some examples.
      I even mentioned in the post (the first “P.S. ” entry) that I downloaded the PS script, but I guess you already had your mind set on sending out your comment, so you didn’t have time to fully understand the question.

      I don’t remember now (since that was more than 2 years ago), but I think I did read online help and tried RemoteSigned. And of course, it couldn’t have possibly worked – because the script had been downloaded from the Internet*.
      So RemoteSigned wouldn’t/couldn’t have solved this problem at all.

      The fact that you (1) ignored to understand details of the post you commented on and (2) dispensed incorrect advice makes your comment apply to you more than it does to me (as (1) I did RTFM and (2) I clearly indicated dangers of the approach in the post’s subject (Convenience over Security).)

      * Here (http://blog.case.edu/bes7/2008/04/22/removing_security_warning_on_files_downloaded_with_firefox_30) is a workaround for the helpful “scripts downloaded from the Internet must be trusted” aspect of “RemoteSigned” execution policy.
