Windows

Problem

You want to verify the digital signature of a PowerShell script or formatting file.

Solution

To validate the signature of a script or formatting file, use the GetAuthenticodeSignature cmdlet:

PS >GetAuthenticodeSignature .\test.ps1

Directory: C:\temp

SignerCertificate Status Path

FD48FAA9281A657DBD089B5A008FAFE61D3B32FD Valid test.ps1

Discussion

Problem

You want to control PowerShell’s security features in an enterprise setting.

Solution

To manage PowerShell’s security features enterprisewide:

• Apply PowerShell’s Group Policy templates to control PowerShell’s execution policy through Group Policy.
• Deploy Microsoft Certificate Services to automatically generate Authenticode codesigning certificates for domain accounts.
• Apply software restriction policies to prevent PowerShell from trusting specific script publishers.

Discussion

Discussion

It is possible to benefit from the tamperprotection features of signed scripts without having to pay for an official codesigning certificate. You do this by creating a selfsigned certificate. Scripts signed with a selfsigned certificate will not be recognized as valid on other computers, but still lets you sign scripts on your own computer.

When Example 161 runs, it prompts you for a password. Windows uses this pass word to prevent malicious programs from automatically signing files on your behalf.

Problem

You want to sign a PowerShell script so that it may be run on systems that have their execution policy set to require signed scripts.

Solution

To sign the script with your standard codesigning certificate, use the SetAuthenticodeSignature cmdlet:

$cert = @(GetChildItem cert:\CurrentUser\My CodeSigning)[0] SetAuthenticodeSignature file.ps1 $cert

Alternatively, you may also use other traditional applications (such as signtool.exe) to sign PowerShell .ps1 and .ps1xml files.

Discussion

Problem

PowerShell provides an error message when you try to run a script:

PS>.\Test.ps1 File C:\temp\test.ps1 cannot be loaded because the execution of scripts is disa bled on this system. Please see "gethelp about_signing" for more details. At line:1 char:10

+ .\Test.ps1 <<<<

Solution

To prevent this error message, use the SetExecutionPolicy cmdlet to change the PowerShell execution policy to one of the policies that allow scripts to run:

SetExecutionPolicy RemoteSigned

Discussion

Security plays two important roles in PowerShell. The first role is the security of PowerShell itself: scripting languages have long been a vehicle of emailbased malware on Windows, so PowerShell’s security features have been carefully designed to thwart this danger. The second role is the set of securityrelated tasks you are likely to encounter when working with your computer: script signing, certificates, and credentials, just to name a few.

Problem

You want to provide your users with an easy way to automate your program, but don’t want to write a scripting language on your own.

Discussion

One of the fascinating aspects of PowerShell is how easily it lets you add many of its capabilities to your own program. This is because PowerShell is, at its core, a powerful engine that any application can use. The PowerShell console application is in fact just a textbased interface to this engine.

Problem

You want to write your own PowerShell cmdlet.

Discussion

Problem

You want to access the functionality exposed by a .NET DLL, but that DLL is packaged as part of a developeroriented Software Development Kit (SDK).

Solution

To create objects contained in a DLL, use the [System.Reflection.Assembly]:: LoadFile() method to load the DLL, and the NewObject cmdlet to create objects contained in it. Example 159 illustrates this technique.

Example 159. Interacting with classes from the SharpZipLib SDK DLL

One of the natural languages to explore after learning PowerShell is C#. It uses many of the same programming techniques as PowerShell and uses the same classes and methods in the .NET Framework as PowerShell does, too. In addition, C# sometimes offers language features or performance benefits not available through PowerShell.

Rather than having to move to C# completely for these situations, Example 158 lets you write and invoke C# directly in your script.

Example 158. InvokeInline.ps1