Friday, November 6, 2009

PowerShell beginner

I'm just now beginning to learn PowerShell. It's been confusing because too much of the material doesn't tell the details. They shove snippets at you without telling you, "This only works with Windows 7, not in XP", or "This won't work with the default, restricted settings for PowerShell security."
A PowerShell script file ends with the .ps1 extension.

I developed a method to run scripts without permanently lowering my computer's security. You launch scripts from an old-fashioned batch script. The script calls PowerShell, commands security to be lowered just enough to execute the script(s), then raises it back up again. I would also end the .ps1 script by raising the security, in case there's ever a problem returning to the initial batch script.

Try this...

powershell -command "& {Set-ExecutionPolicy Unrestricted -force}"
@set /p ScriptName=What's the name of your Power Shell script? :
powershell -command .\%ScriptName%
:: Return the security policy to default, restricted.
powershell -command "& {Set-ExecutionPolicy Restricted -force}"

Run this batch file from the same folder where the PowerShell script resides.
Copy the full name of your script and when prompted, paste the name and hit Enter.

Here's a simple PowerShell script you can use to test this out...

# PowerShell script to find Error messages in the System eventlog.
get-EventLog system -newest 2000 | where {$_.entryType -match "Error"}

# Return the security policy to default, restricted.
Set-ExecutionPolicy Restricted -force

With default PowerShell security restrictions, calling the PowerShell script by itself will produce an error like the following...
File EventLogQry.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.
At line:0 char:0

Unfortunately, this doesn't work on Windows 7, only on Windows XP.
First, you have to right-click the batch script and "Run as administrator. Okay - no problem.
Second, what breaks it is that the script doesn't run from the path where the script resides. In XP, if you store and run the file from C:\Scripts\PowerShell>, it runs from that path. Not so for Win7. Win7 doesn't care where you run it from, it defaults to C:\Windows\System32>. If I have to hard-code the path, it ruins the convenience of this system.
Third, the command to lower security, or to raise security is squirrelly because I have no permissions on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell. The weird thing is that the Set-ExecutionPolicy command won't work on my Win7 machine from the PowerShell console, nor from a .ps1 script, but it will work from a batch script. This seems to be a gaping hole in Microsoft's grand scheme, but if it's consistent across Win7 versions and default settings, I'll use it.

I don't mind learning new ways to support Windows 7, but I hope there IS a way to support Windows 7. That was the problem with Vista - unsupportable in a corporate environment. To protect the computer from malicious scripts, Microsoft has set roadblocks just about everywhere. Many things just won't work without a GUI (Graphical User Interface) interruption. I'm really struggling to figure out how to support Windows 7 without lowering security permanently. If there's a way to leave all settings at default, and still operate, that's preferable.

No comments:

Post a Comment