Windows Vista Forums

Vista - Security warning.....

Old 01-11-2007   #1 (permalink)
bill


 
 

Security warning.....

I am learning PowerShell and want to remove the following security warning.
Is it possible?

Bill


PS C:\MyScripts> Set-ExecutionPolicy unrestricted
PS C:\MyScripts> ./threeamigos.ps1

Security Warning
Run only scripts that you trust. While scripts from the Internet can be us
computer. Do you want to run C:\MyScripts\ThreeAmigos.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):


Old 01-11-2007   #2 (permalink)
Andrew Watt [MVP]


 
 

Re: Security warning.....

Hi,

I don't see this warning on Windows XP or Windows Server 2003 for
locally created scripts even with the execution policy set to
RemoteSigned.

If you execute

get-executionpolicy

is it returning Unrestricted?

What OS are you using?

Andrew Watt MVP

On Thu, 11 Jan 2007 13:12:02 -0800, bill
<bill@discussions.microsoft.com> wrote:

>I am learning PowerShell and want to remove the following security warning.
>Is it possible?
>
>Bill
>
>
>PS C:\MyScripts> Set-ExecutionPolicy unrestricted
>PS C:\MyScripts> ./threeamigos.ps1
>
>Security Warning
>Run only scripts that you trust. While scripts from the Internet can be us
>computer. Do you want to run C:\MyScripts\ThreeAmigos.ps1?
>[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):

Old 01-11-2007   #3 (permalink)
Wei Wu [MSFT]


 
 

Re: Security warning.....

Where did you get threeamigos.ps1 from? Warning for internet script is the
correct behavior.
You can check whether it is from the internet by doing the following in
cmd.exe:
notepad threeamigos.ps1:Zone.Identifier

Change the ZoneId to 0 and save the file, and the warning will disappear.
--
Wei Wu [MSFT]
Windows PowerShell Team
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
Visit the Windows PowerShell Team blog at:
http://blogs.msdn.com/PowerShell



Visit the Windows PowerShell ScriptCenter at:
http://www.microsoft.com/technet/scr.../hubs/msh.mspx


"bill" <bill@discussions.microsoft.com> wrote in message
news:BA86318C-77B2-46F7-A37C-E0BDE9BFB1F0@microsoft.com...
>I am learning PowerShell and want to remove the following security warning.
> Is it possible?
>
> Bill
>
>
> PS C:\MyScripts> Set-ExecutionPolicy unrestricted
> PS C:\MyScripts> ./threeamigos.ps1
>
> Security Warning
> Run only scripts that you trust. While scripts from the Internet can be us
> computer. Do you want to run C:\MyScripts\ThreeAmigos.ps1?
> [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
>



Old 01-11-2007   #4 (permalink)
bill


 
 

Re: Security warning.....

The "threeamigos.ps1" was a script I downloaded from the website associated
with the book "Windows PowerShell Programming for the Absolute Beginner".

When I ran "notepad threeamigos.ps1:0" it said it couldn't find the file. I
don't understand what you wanted me to do.

Bill



"Wei Wu [MSFT]" wrote:

> Where did you get threeamigos.ps1 from? Warning for internet script is the
> correct behavior.
> You can check whether it is from the internet by doing the following in
> cmd.exe:
> notepad threeamigos.ps1:Zone.Identifier
>
> Change the ZoneId to 0 and save the file, and the warning will disappear.
> --
> Wei Wu [MSFT]
> Windows PowerShell Team
> Microsoft Corporation
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Visit the Windows PowerShell Team blog at:
> http://blogs.msdn.com/PowerShell
>
>
>
> Visit the Windows PowerShell ScriptCenter at:
> http://www.microsoft.com/technet/scr.../hubs/msh.mspx
>
>
> "bill" <bill@discussions.microsoft.com> wrote in message
> news:BA86318C-77B2-46F7-A37C-E0BDE9BFB1F0@microsoft.com...
> >I am learning PowerShell and want to remove the following security warning.
> > Is it possible?
> >
> > Bill
> >
> >
> > PS C:\MyScripts> Set-ExecutionPolicy unrestricted
> > PS C:\MyScripts> ./threeamigos.ps1
> >
> > Security Warning
> > Run only scripts that you trust. While scripts from the Internet can be us
> > computer. Do you want to run C:\MyScripts\ThreeAmigos.ps1?
> > [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
> >

>
>
>

Old 01-11-2007   #5 (permalink)
bill


 
 

Re: Security warning.....

Yes,

get-executionpolicy returns "Unrestricted". I am running Windows 2003
Server Standard Edition, SP1.


Bill




"Andrew Watt [MVP]" wrote:

> Hi,
>
> I don't see this warning on Windows XP or Windows Server 2003 for
> locally created scripts even with the execution policy set to
> RemoteSigned.
>
> If you execute
>
> get-executionpolicy
>
> is it returning Unrestricted?
>
> What OS are you using?
>
> Andrew Watt MVP
>
> On Thu, 11 Jan 2007 13:12:02 -0800, bill
> <bill@discussions.microsoft.com> wrote:
>
> >I am learning PowerShell and want to remove the following security warning.
> >Is it possible?
> >
> >Bill
> >
> >
> >PS C:\MyScripts> Set-ExecutionPolicy unrestricted
> >PS C:\MyScripts> ./threeamigos.ps1
> >
> >Security Warning
> >Run only scripts that you trust. While scripts from the Internet can be us
> >computer. Do you want to run C:\MyScripts\ThreeAmigos.ps1?
> >[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):

>

Old 01-12-2007   #6 (permalink)
Brandon Shell


 
 

Re: Security warning.....

What he is suggesting is removing the ADS (Alternate Data Stream
http://www.wikistc.org/wiki/Alternate_data_streams)
Microsoft uses an ADS on the file to let you know it came from the internet.
If you remove the ADS... it has no idea. Therefore... no warning.


I would recommend some google time if you have it... lots of good stuff out
there about ADS.
Here are some starters:
http://support.microsoft.com/kb/105763
http://www.securityfocus.com/infocus/1822
http://www.irongeek.com/i.php?page=security/altds


"bill" <bill@discussions.microsoft.com> wrote in message
news:6E884C10-921B-479A-B4B9-DC75B7B6E937@microsoft.com...
> The "threeamigos.ps1" was a script I downloaded from the website
> associated
> with the book "Windows PowerShell Programming for the Absolute Beginner".
>
> When I ran "notepad threeamigos.ps1:0" it said it couldn't find the file.
> I
> don't understand what you wanted me to do.
>
> Bill
>
>
>
> "Wei Wu [MSFT]" wrote:
>
>> Where did you get threeamigos.ps1 from? Warning for internet script is
>> the
>> correct behavior.
>> You can check whether it is from the internet by doing the following in
>> cmd.exe:
>> notepad threeamigos.ps1:Zone.Identifier
>>
>> Change the ZoneId to 0 and save the file, and the warning will disappear.
>> --
>> Wei Wu [MSFT]
>> Windows PowerShell Team
>> Microsoft Corporation
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Visit the Windows PowerShell Team blog at:
>> http://blogs.msdn.com/PowerShell
>>
>>
>>
>> Visit the Windows PowerShell ScriptCenter at:
>> http://www.microsoft.com/technet/scr.../hubs/msh.mspx
>>
>>
>> "bill" <bill@discussions.microsoft.com> wrote in message
>> news:BA86318C-77B2-46F7-A37C-E0BDE9BFB1F0@microsoft.com...
>> >I am learning PowerShell and want to remove the following security
>> >warning.
>> > Is it possible?
>> >
>> > Bill
>> >
>> >
>> > PS C:\MyScripts> Set-ExecutionPolicy unrestricted
>> > PS C:\MyScripts> ./threeamigos.ps1
>> >
>> > Security Warning
>> > Run only scripts that you trust. While scripts from the Internet can be
>> > us
>> > computer. Do you want to run C:\MyScripts\ThreeAmigos.ps1?
>> > [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
>> >

>>
>>
>>


Old 01-12-2007   #7 (permalink)
Andrew Watt [MVP]


 
 

Re: Security warning.....

Wei Wu,

It depends on how you acquire the file. Currently I could find the
file Bill mentions as part of a zip file at
http://www.courseptr.com/ptr_detail....=1-59863-354-6.

If you unzip a bunch of scripts downloaded earlier from the Internet
then they are run by PowerShell with no warning (assuming that the
execution policy is Unrestricted).

So, I suspect, the bad guys will simply zip up malicious scripts for
the unsuspecting to unzip and then run. Is there a protective
mechanism that I've overlooked?

In Pro Windows PowerShell I recommend that users *never* run a script
they don't fully understand.

Andrew Watt MVP

On Thu, 11 Jan 2007 17:52:56 -0800, "Wei Wu [MSFT]"
<wwu@microsoft.com> wrote:

>Where did you get threeamigos.ps1 from? Warning for internet script is the
>correct behavior.
>You can check whether it is from the internet by doing the following in
>cmd.exe:
>notepad threeamigos.ps1:Zone.Identifier
>
>Change the ZoneId to 0 and save the file, and the warning will disappear.
>--
>Wei Wu [MSFT]
>Windows PowerShell Team
>Microsoft Corporation
>This posting is provided "AS IS" with no warranties, and confers no rights.
>Visit the Windows PowerShell Team blog at:
>http://blogs.msdn.com/PowerShell
>
>
>
>Visit the Windows PowerShell ScriptCenter at:
>http://www.microsoft.com/technet/scr.../hubs/msh.mspx
>
>
>"bill" <bill@discussions.microsoft.com> wrote in message
>news:BA86318C-77B2-46F7-A37C-E0BDE9BFB1F0@microsoft.com...
>>I am learning PowerShell and want to remove the following security warning.
>> Is it possible?
>>
>> Bill
>>
>>
>> PS C:\MyScripts> Set-ExecutionPolicy unrestricted
>> PS C:\MyScripts> ./threeamigos.ps1
>>
>> Security Warning
>> Run only scripts that you trust. While scripts from the Internet can be us
>> computer. Do you want to run C:\MyScripts\ThreeAmigos.ps1?
>> [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
>>

Old 01-12-2007   #8 (permalink)
Marcel J. Ortiz [MSFT]


 
 

Re: Security warning.....

> So, I suspect, the bad guys will simply zip up malicious scripts for
> the unsuspecting to unzip and then run. Is there a protective
> mechanism that I've overlooked?


Not really. If you're running unrestricted, downloading and running scripts
from the internet there's not much PowerShell can do to protect you. The
security warning if the file is from the internet relies on the fact that IE
saves the zone information in an alternate data stream. However, if you
used some other browser to download the file which doesn't add that ADS or
if you run some other app on that file (Unzip) which strips (or in this case
doesn't copy) the ADS, then PowerShell never finds out the file was from the
internet.

So yeah, like you said, NEVER run a script you don't understand. And if
you ARE going to do it... (which you shouldn't!) then at the very least
create a new user with very limited permissions and run it from that account
(preferably on a virtual machine which is locked away in a small room and
never connected to the internet again).


"Andrew Watt [MVP]" <SVGDeveloper@aol.com> wrote in message
news:7vmeq21rsejqkqm4i0s6pdb52vkh3ei1tb@4ax.com...
> Wei Wu,
>
> It depends on how you acquire the file. Currently I could find the
> file Bill mentions as part of a zip file at
> http://www.courseptr.com/ptr_detail....=1-59863-354-6.
>
> If you unzip a bunch of scripts downloaded earlier from the Internet
> then they are run by PowerShell with no warning (assuming that the
> execution policy is Unrestricted).
>
> So, I suspect, the bad guys will simply zip up malicious scripts for
> the unsuspecting to unzip and then run. Is there a protective
> mechanism that I've overlooked?
>
> In Pro Windows PowerShell I recommend that users *never* run a script
> they don't fully understand.
>
> Andrew Watt MVP
>
> On Thu, 11 Jan 2007 17:52:56 -0800, "Wei Wu [MSFT]"
> <wwu@microsoft.com> wrote:
>
>>Where did you get threeamigos.ps1 from? Warning for internet script is the
>>correct behavior.
>>You can check whether it is from the internet by doing the following in
>>cmd.exe:
>>notepad threeamigos.ps1:Zone.Identifier
>>
>>Change the ZoneId to 0 and save the file, and the warning will disappear.
>>--
>>Wei Wu [MSFT]
>>Windows PowerShell Team
>>Microsoft Corporation
>>This posting is provided "AS IS" with no warranties, and confers no
>>rights.
>>Visit the Windows PowerShell Team blog at:
>>http://blogs.msdn.com/PowerShell
>>
>>
>>
>>Visit the Windows PowerShell ScriptCenter at:
>>http://www.microsoft.com/technet/scr.../hubs/msh.mspx
>>
>>
>>"bill" <bill@discussions.microsoft.com> wrote in message
>>news:BA86318C-77B2-46F7-A37C-E0BDE9BFB1F0@microsoft.com...
>>>I am learning PowerShell and want to remove the following security
>>>warning.
>>> Is it possible?
>>>
>>> Bill
>>>
>>>
>>> PS C:\MyScripts> Set-ExecutionPolicy unrestricted
>>> PS C:\MyScripts> ./threeamigos.ps1
>>>
>>> Security Warning
>>> Run only scripts that you trust. While scripts from the Internet can be
>>> us
>>> computer. Do you want to run C:\MyScripts\ThreeAmigos.ps1?
>>> [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
>>>
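
The Zone.Identifier check from Wei Wu's post and the loss of that stream described in the post above, as an added example that is not part of the original thread. It assumes PowerShell 5.0 or later on an NTFS volume; `Get-ZoneInfo`, the temporary paths and the sample script are constructed for illustration.

```powershell
# Added example: audit which scripts in a folder still carry zone information.
# Get-ZoneInfo is a hypothetical helper name, not a built-in cmdlet.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-ZoneInfo {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        # Read the Zone.Identifier alternate data stream; a missing stream is expected.
        $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                           -ErrorAction SilentlyContinue
        $zoneId = $null
        foreach ($line in $ads) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
        }
        [pscustomobject]@{
            Name   = $file.Name
            ZoneId = $zoneId
            # No stream means the origin is unknown, not that the file is local.
            Zone   = if ($null -eq $zoneId) { 'No zone data (origin unknown)' }
                     else { $ZoneNames[$zoneId] }
        }
    }
}

# Constructed sample: a script tagged the way a browser download would be,
# and the same script after a round trip through a ZIP archive.
$work   = Join-Path $env:TEMP ('zone-demo-' + [guid]::NewGuid())
$src    = Join-Path $work 'downloaded'
$dst    = Join-Path $work 'unzipped'
$zip    = Join-Path $work 'sample.zip'
New-Item -ItemType Directory -Path $src | Out-Null
$script = Join-Path $src 'sample.ps1'
Set-Content -LiteralPath $script -Value 'Write-Output "hello"'
Set-Content -LiteralPath $script -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'

# The archive stores only the main data stream, so the extracted copy has no tag.
Compress-Archive -Path $script -DestinationPath $zip
Expand-Archive -Path $zip -DestinationPath $dst

Get-ZoneInfo -Path $src   # the tagged original
Get-ZoneInfo -Path $dst   # the copy extracted from the archive
Remove-Item -LiteralPath $work -Recurse -Force
```

Because the second listing reports no zone data for the same script, an audit built on this stream can confirm that a file is marked as downloaded but cannot confirm that an unmarked file is safe.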



Old 01-12-2007   #9 (permalink)
Lee Holmes [MSFT]


 
 

Re: Security warning.....

There are a couple of good resources here for a PowerShell security
overview:

http://www.leeholmes.com/blog/Demons...yFeatures.aspx
http://www.leeholmes.com/blog/MonadA...istaVirus.aspx

It all comes down to the fact that PowerShell scripts are executable code.
If an attacker can smooth-talk a user to follow arbitrary instructions to
exploit their own computer (ie: unzipping, typing in a password,) then no
software can save them from themselves. There is another bump in the road if
the user runs under the AllSigned mode (as the script must be signed,) but
then the attacker can just kindly request that the user change their
Execution Policy.

Due to the PowerShell security restrictions, said attacker would be much
better off picking another attack vehicle (such as a traditional .exe) if he
or she can convince the user to run untrusted code from a .ZIP file.

--
Lee Holmes [MSFT]
Windows PowerShell Development
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.


"Marcel J. Ortiz [MSFT]" <mosoto@online.microsoft.com> wrote in message
news:%23kBGLHqNHHA.3872@TK2MSFTNGP06.phx.gbl...
>> So, I suspect, the bad guys will simply zip up malicious scripts for
>> the unsuspecting to unzip and then run. Is there a protective
>> mechanism that I've overlooked?

>
> Not really. If you're running unrestricted, downloading and running
> scripts from the internet there's not much PowerShell can do to protect
> you. The security warning if the file is from the internet relies on the
> fact that IE saves the zone information in an alternate data stream.
> However, if you used some other browser to download the file which doesn't
> add that ADS or if you run some other app on that file (Unzip) which
> strips (or in this case doesn't copy) the ADS, then PowerShell never finds
> out the file was from the internet.
>
> So yeah, like you said, NEVER run a script you don't understand. And if
> you ARE going to do it... (which you shouldn't!) then at the very least
> create a new user with very limited permissions and run it from that
> account (preferably on a virtual machine which is locked away in a small
> room and never connected to the internet again).
>
>
> "Andrew Watt [MVP]" <SVGDeveloper@aol.com> wrote in message
> news:7vmeq21rsejqkqm4i0s6pdb52vkh3ei1tb@4ax.com...
>> Wei Wu,
>>
>> It depends on how you acquire the file. Currently I could find the
>> file Bill mentions as part of a zip file at
>> http://www.courseptr.com/ptr_detail....=1-59863-354-6.
>>
>> If you unzip a bunch of scripts downloaded earlier from the Internet
>> then they are run by PowerShell with no warning (assuming that the
>> execution policy is Unrestricted).
>>
>> So, I suspect, the bad guys will simply zip up malicious scripts for
>> the unsuspecting to unzip and then run. Is there a protective
>> mechanism that I've overlooked?
>>
>> In Pro Windows PowerShell I recommend that users *never* run a script
>> they don't fully understand.
>>
>> Andrew Watt MVP
>>
>> On Thu, 11 Jan 2007 17:52:56 -0800, "Wei Wu [MSFT]"
>> <wwu@microsoft.com> wrote:
>>
>>>Where did you get threeamigos.ps1 from? Warning for internet script is
>>>the
>>>correct behavior.
>>>You can check whether it is from the internet by doing the following in
>>>cmd.exe:
>>>notepad threeamigos.ps1:Zone.Identifier
>>>
>>>Change the ZoneId to 0 and save the file, and the warning will disappear.
>>>--
>>>Wei Wu [MSFT]
>>>Windows PowerShell Team
>>>Microsoft Corporation
>>>This posting is provided "AS IS" with no warranties, and confers no
>>>rights.
>>>Visit the Windows PowerShell Team blog at:
>>>http://blogs.msdn.com/PowerShell
>>>
>>>
>>>
>>>Visit the Windows PowerShell ScriptCenter at:
>>>http://www.microsoft.com/technet/scr.../hubs/msh.mspx
>>>
>>>
>>>"bill" <bill@discussions.microsoft.com> wrote in message
>>>news:BA86318C-77B2-46F7-A37C-E0BDE9BFB1F0@microsoft.com...
>>>>I am learning PowerShell and want to remove the following security
>>>>warning.
>>>> Is it possible?
>>>>
>>>> Bill
>>>>
>>>>
>>>> PS C:\MyScripts> Set-ExecutionPolicy unrestricted
>>>> PS C:\MyScripts> ./threeamigos.ps1
>>>>
>>>> Security Warning
>>>> Run only scripts that you trust. While scripts from the Internet can be
>>>> us
>>>> computer. Do you want to run C:\MyScripts\ThreeAmigos.ps1?
>>>> [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
>>>>

>
>



Old 02-23-2007   #10 (permalink)
Thomas


 
 

Re: Security warning.....

I have a similar problem with a security warning, but it's for my
"profile.ps1", which I wrote myself. The problem is that my home directory
lies on a server, and is mapped via cached SMB to my laptop, so effectively
functions as a local directory. I think my problem is the remote nature of
my home directory, because if I copy the script to a local directory, it
runs without a warning. Both the server and laptop are joined to a domain.

Is there a way to tell PowerShell that I trust my home directory? I can't
imagine that anyone using a remotely mapped home directory (e.g. in a
domain) is expected to either digitally sign their profile, or to accept a
warning every time they launch a shell. The latter is especially annoying
because it ingrains the habit of ignoring the warning.

I hope there's a simple solution to this that I haven't noticed. Can anyone
suggest one?

-Thomas

"bill" <bill@discussions.microsoft.com> wrote in message
news:BA86318C-77B2-46F7-A37C-E0BDE9BFB1F0@microsoft.com...
>I am learning PowerShell and want to remove the following security warning.
> Is it possible?
>
> Bill
>
>
> PS C:\MyScripts> Set-ExecutionPolicy unrestricted
> PS C:\MyScripts> ./threeamigos.ps1
>
> Security Warning
> Run only scripts that you trust. While scripts from the Internet can be us
> computer. Do you want to run C:\MyScripts\ThreeAmigos.ps1?
> [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
>


