How does the RemoteSigned execution policy work?

PowerShell Team

You might have wondered how the “RemoteSigned” execution policy protects us from running unsigned PowerShell scripts downloaded from the internet. We use the URL Security Zones API related to the “Attachment Execution Service” (AES) introduced in Windows XP SP2 and Windows Server 2003 SP1. Internet Explorer and Outlook Express are among the applications that participate in the AES system, while Firefox, Microsoft Office Outlook and Live Messenger do not follow AES.


AES-participating applications call the Save method of the IAttachmentExecute interface, which adds a Zone.Identifier alternate data stream to the file to record the zone from which the file came. We then call System.Security.Policy.Zone.CreateFromUrl to determine which zone the file originated from. Here is the mapping between ZoneId and the SecurityZone enum:

public enum SecurityZone
{
        NoZone = -1,
        MyComputer = 0,
        Intranet = 1,
        Trusted = 2,
        Internet = 3,
        Untrusted = 4,
}


If the file has a ZoneId >= 3, PowerShell considers it remote. PowerShell also considers the Intranet zone remote if your computer is set up with the Internet Explorer Enhanced Security Configuration.

Let’s do a little experiment.

1)    Download a PowerShell script from the internet using Internet Explorer

2)    Open the Zone.Identifier alternate data stream in notepad

notepad "Get-WhoAmI.ps1:Zone.Identifier"

You will get:

3)    Set ExecutionPolicy to RemoteSigned, and run this script

PS C:\toolbox\lads> Set-ExecutionPolicy RemoteSigned
PS C:\toolbox\lads> .\Get-WhoAmI.ps1
File C:\toolbox\lads\Get-WhoAmI.ps1 cannot be loaded. The file C:\toolbox\lads\Get-WhoAmI.ps1 is not digitally signed. The script will not execute on the system. Please see “get-help about_signing” for more details..
At line:1 char:17
+ .\Get-WhoAmI.ps1 <<<<

4)    Change ZoneId to 2 in notepad and rerun the script. The script is now considered local.

PS C:\toolbox\lads> .\Get-WhoAmI.ps1
PS C:\toolbox\lads>
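The zone check from the experiment above can also be scripted for auditing. This is an added example, not code from the PowerShell Team: the function name `Get-ScriptZoneReport`, the `-TreatIntranetAsRemote` switch and the sample file are hypothetical, and it reads only the Zone.Identifier stream of local files on an NTFS volume.

```powershell
# Added example: function name, switch name and sample file are hypothetical.
# Requires PowerShell 3.0 or later (-Stream parameter) and an NTFS volume.
function Get-ScriptZoneReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path,
        # Models the Enhanced Security Configuration case, where Intranet counts as remote
        [switch]$TreatIntranetAsRemote
    )
    begin {
        # SecurityZone names from the enum above, offset by one so that -1 maps to index 0
        $names = 'NoZone', 'MyComputer', 'Intranet', 'Trusted', 'Internet', 'Untrusted'
    }
    process {
        # Assumption: a local file with no Zone.Identifier stream is reported as MyComputer (0)
        $zoneId = 0
        if (Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue) {
            $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
            if ($text -match '(?m)^\s*ZoneId\s*=\s*(-?\d+)\s*$') { $zoneId = [int]$Matches[1] }
        }
        $name = if ($zoneId -ge -1 -and $zoneId -le 4) { $names[$zoneId + 1] } else { 'Unknown' }
        # The rule from the article: ZoneId >= 3 is remote; Intranet is remote under ESC
        $remote = ($zoneId -ge 3) -or ($TreatIntranetAsRemote -and $zoneId -eq 1)
        [pscustomobject]@{
            Path            = $Path
            ZoneId          = $zoneId
            Zone            = $name
            IsRemote        = $remote
            SignatureStatus = (Get-AuthenticodeSignature -LiteralPath $Path).Status
        }
    }
}

# Constructed sample: an unsigned script marked as coming from the Internet zone
$sample = Join-Path $env:TEMP 'Sample-Downloaded.ps1'
Set-Content -LiteralPath $sample -Value "'hello'"
Set-Content -LiteralPath $sample -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Get-ScriptZoneReport -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

To audit a folder, pipe `Get-ChildItem -Filter *.ps1` into the function; rows with IsRemote set to True are the scripts that RemoteSigned requires to be signed.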


Wei Wu [MSFT]


