{"id":8331,"date":"2007-03-06T22:26:00","date_gmt":"2007-03-06T22:26:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/2007\/03\/06\/how-does-the-remotesigned-execution-policy-work\/"},"modified":"2019-02-18T13:16:49","modified_gmt":"2019-02-18T20:16:49","slug":"how-does-the-remotesigned-execution-policy-work","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/how-does-the-remotesigned-execution-policy-work\/","title":{"rendered":"How does the RemoteSigned execution policy work?"},"content":{"rendered":"

You might have wondered how the “RemoteSigned” execution policy protects us from running unsigned PowerShell scripts downloaded from the internet.  We use the URL Security Zones API related to <\/span><\/span>“Attachment Execution Service” (AES) introduced in Windows XP SP2 and Windows Server 2003 SP1.  Internet Explorer and Outlook Express are among the applications that participate in the AES system, while FireFox, Microsoft Office Outlook and Live Messenger do not follow AES.<\/span><\/p>\n

 <\/span><\/p>\n

AES-participating applications call the Save<\/span><\/a> method of IAttachmentExecute<\/span><\/a> interface to add a Zone.Identifier alternate data stream to store the zone from which the file came. We then call <\/span>System.Security.Policy.Zone.CreateFromUrl<\/span><\/a> to determine which zone the file originated from. Here is the mapping between ZoneId and SecurityZone enum:<\/span><\/span><\/p>\n

public<\/span> enum<\/span> SecurityZone
<\/span>{
        <\/span>NoZone = -1,
        <\/span>MyComputer = 0,
        <\/span>Intranet = 1,
        <\/span>Trusted = 2,
        <\/span>Internet = 3,
        <\/span>Untrusted = 4,
}<\/span><\/p>\n

<\/span><\/span> <\/p>\n

If the file has a ZoneId >= 3, PowerShell considers it remote. Furthermore, PowerShell considers Intranet as remote, if your computer is set up with the Internet Explorer Enhanced Security Configuration.<\/span><\/p>\n

Let’s do a little experiment.<\/span><\/p>\n

1)    <\/span>Download a PowerShell script from the internet using Internet Explorer
 <\/span><\/b><\/span>http:\/\/www.reskit.net\/Monad\/samplescripts\/Get-WhoAmI.ps1<\/font><\/a><\/span><\/span><\/p>\n

2)    <\/span>Open the Zone.Identifier alternate data stream in notepad<\/span><\/p>\n

notepad \u201cGet-WhoAmI.ps1:Zone.Identifier”<\/font><\/p>\n

You will get:<\/span><\/p>\n

<\/span><\/span><\/p>\n

3)    <\/span>Set ExecutionPolicy to RemoteSigned, and run this script<\/span><\/p>\n

PS C:\\toolbox\\lads> Set-ExecutionPolicy RemoteSigned
PS C:\\toolbox\\lads> .\\Get-WhoAmI.ps1
<\/font>File C:\\toolbox\\lads\\Get-WhoAmI.ps1 cannot be loaded. The file C:\\toolbox\\lads\\Get-WhoAmI.ps1 is not digitally signed. The script will not execute on the system. Please see “get-help about_signing” for more details..
At line:1 char:17
+ .\\Get-WhoAmI.ps1 <<<<<\/span><\/p>\n

4)    <\/span>Change ZoneId to 2 in notepad, and rerun the script, now the script is considered local<\/span><\/p>\n

PS C:\\toolbox\\lads> .\\Get-WhoAmI.ps1
PS C:\\toolbox\\lads><\/font><\/p>\n

Links:<\/span><\/b><\/p>\n