Powershell Doesn't Run Scripts "Out of the Box"

Most people think that Powershell is a "scripting language" but when you install the current version the first thing you notice is that you can't run scripts.

In fact you are more likely to see errors like this.

"Install.ps1 cannot be loaded because the execution of scripts is disabled on this system."

 The first reaction to this could be something less polite than "Hey I thought this thing did scripts". However scripting has a history in Microsoft that makes this completely normal.

In the beginning Microsoft was a languages company. It wrote computer programming languages for operating systems. It got pushed into operating systems with the launch of the IBM PC and DOS (Disk Operating System). With this the first 'batch language' came into play. You could put a few commands into a file with the extension 'bat' and it would run. The 'autoexec.bat' ran automatically if it was present when a PC booted. The command processor 'command.com' loaded and ran the batch file.

Your 'hello world' announcement in batch would look something like this.

echo off
cls
echo "Hello World"

This was scripting 1980s style. You can still use batch today. Even Windows 10 will run a batch file.

Third parties wrote enhancements to this. One of the most well known in the 1980s was 4DOS from JP Software. You can still get a freeware copy here. I know a little about JP Software because I worked for a firm that sold their products in the UK.

Microsoft introduced two major enhancements to scripting. The first was the'cmd.exe'' command processor introduced with Windows NT. The second was VB Script, a variation on their Basic language product.

Both of these enhancements were created in a world of standalone PCs rarely connected to the outside world. Both assumed the person running the script was the PC's owner, primary user, and knew what they were doing. So they just ran. Anything with the file name ending in .bat, .cmd or .vbs would just run. These scripts ran commands that immediately made changes and, in the case of vbs, quickly were used in Microsoft Office products like Excel, Word, Powerpoint and Outlook.

Outlook was the most dangerous. You could receive an email with a vbs attached and just by clicking on it could run a massively distructive script. Microsoft added approved file extensions into Outlook so criminals just embedded their scripts in Word or Excel documents. The war was on.

On 15th January 2002 Bill Gates sent his "Trustworthy Computing" memo. Microsoft was under massive pressure from it's customers in the new connected world of the Internet that Windows was not sufficiently secure. This was true. Unlike Unix based operating systems that were built to be connected to the Internet the Microsoft world had been a world of standalone unconnected devices. Once these were attached to networks then fundamental design issues could not be dealt with by patches. Gates announced that from 2002 Microsoft's priorities would be; Security, Privacy, Reliability, and Business Integrity,

 After the memo the world changed for Microsoft. Every product now had to be secure by default. Windows XP got service pack 2 and Windows Server began to be delivered with services switched off by default and ports blocked and then administrators had to switch on features.

 In 2003 project monad was first revealled to developers. This project eventually became Powershell As a product devised in the new "switched off by default world" scripts dont run by default. 

 To run a script you need to devise an "execution policy" to make the script secure by default.  A comandlet called Set-ExecutionPolicy is used to decide whether a script should run or not. This does not effect the command line just scripts. 

 Microsoft recommend you dont set the policy to "unrestricted" but use signed scripts to protect your system. 

 This is why Powershell doesn't run scripts "out of the box".

Comments

Post a Comment

Popular posts from this blog

Powershell Symlink to Onedrive

Image
I have more than one PC. To be precise, and overly pedantic, 3 Windows 10 laptops. All are slightly different and of various ages. One I use with a Windows 10 Insider Build to keep up with the next thing coming down the pipeline. On each, I do a bit of Powershell . Powershell is the latest generation of Windows command line tools. The Linux enthusiast would look down on the Windows command line of whatever generation but Microsoft has always provided command line tools. In the early days MSDOS was a command line OS. It did little but create directories (folders), copy, move or delete files. It ran “command.com” which some said was just a basic file system manager and way of loading programs into memory. It wasn’t difficult to disagree. Developers brought out alternatives to this such as 4DOS , literally “for dos”, by JP Software . They also produced 4NT, which enhance the Windows NT command processor and 4OS2. The latter was for the IBM OS2 Operating System of the late 80s and ea
Read more

Being progressive rather than universal

Image
Microsoft was not short of ambition for its tiled interface and One Windows strategy . Microsoft was doing what no other tech firm had done - uniting mobile to desktop/laptop PCs in one experience. Apple had two OSs available - IOS for phone/tablet and OSX for its desktop/laptop users. They were different and had different interfaces. Google had two OSs - Android for phone/tablet and ChromeOS for its Chromebook devices. Of course, even One Windows doesn't mean exactly the same OS but it does mean components have such similarity that the interface appears the same to users and, with little modification, apps can run on all platforms. Unfortunately, the app platform UWP (Universal Windows Platform) was hobbled from day one. Microsoft had a poor quality application store, ever-changing developer tools and standards and a Store that only worked (on the PC side) for Windows 8 and latterly Windows 10. While people used legacy versions of Windows such as Windows 7 and XP t
Read more

Identity as the new security boundary

 Not so long ago a PC was safe behind a firewall. The idea was that the physical infrastructure of a network would be enough. Anti-virus and anti-malware products sat on PCs to protect users. Then hybrid working came along. Digital nomads who could connect to networks from anywhere. New startups had users connecting to web based applications. People were bringing their own devices, tablets, phones, projectors and so on into the workplace. Security has now started looking at people. Microsoft call this zero-trust. You don’t just trust someone because they can login. You have systems that secure identity itself. There are three steps to identity security.  1.The credentials that give you authorisation. For most people this is an account identity and password. Often the identity is an email address or some public identity. This leaves the account secured by password. The strength and complexity of the password protecting authentication. 2. Authorization is the next step. What you can a
Read more