Enabling powershell to run unsigned scripts for the current user only (via: Absoblogginlutely!)
Posted by Jeroen Pluimers on 2012/03/21
More than a year ago, I wrote about enabling PowerShell to run unsigned scripts, and a way to get around the “cannot be loaded because the execution of scripts is disabled on this system” error.
The solution there uses the Set-ExecutionPolicy cmdlet, but only works for administrators. As of PowerShell 2.0, the Set-ExecutionPolicy cmdlet offers more fine-grained control through scopes, documented in an updated Set-ExecutionPolicy cmdlet topic which I had overlooked.
The solution below shows what happens when the current user is not an administrator, and works around it by applying the policy only to the current user.
Set-ExecutionPolicy : Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' is denied.
Sure enough I don’t have permission to this registry key.
I checked with our admin to ensure this wasn’t set in group policy before I started fiddling around. Found out that there is another setting that is user-specific and can be set with
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
This will allow the current user to run unsigned scripts they wrote themselves, but still require scripts from remote sources (for instance downloaded ones) to be signed.
Note that it is easy to strip the “remote” mark from a downloaded script: NTFS keeps it in an alternate data stream named Zone.Identifier attached to the file.
Only do that for scripts you trust.
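The following is an added example, not code from the original post or from Absoblogginlutely, showing how to check which scope is actually in effect and how to inspect the Zone.Identifier stream of a downloaded script before deciding whether to trust it. It assumes PowerShell 3.0 or later for the -Stream parameter and Unblock-File (the post itself targets PowerShell 2.0), and the script path is a hypothetical placeholder.

```powershell
# Added example (not from the post). Requires PowerShell 3.0+ for -Stream and Unblock-File.

# List every scope with its value. The effective policy is the first entry from the
# top that is not Undefined, so MachinePolicy and UserPolicy (set by Group Policy)
# always win over CurrentUser and LocalMachine.
Get-ExecutionPolicy -List

# Set the policy for the current user only; this writes under HKEY_CURRENT_USER,
# so no administrator rights are needed.
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned

# Hypothetical path used for illustration only.
$script = "$env:USERPROFILE\Downloads\example.ps1"

# Read the mark-of-the-web if the file carries one.
# ZoneId values: 0 = local machine, 1 = intranet, 2 = trusted sites, 3 = internet, 4 = restricted sites.
$zone = Get-Content -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue

if ($zone) {
    Write-Host "Zone.Identifier stream present; RemoteSigned will require a valid signature:"
    $zone

    # Show whether the script is signed and by whom before deciding anything.
    Get-AuthenticodeSignature -FilePath $script |
        Select-Object Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }

    # Only after reviewing the script's contents and origin: remove the mark so it
    # is treated as a local script. Unblock-File deletes the Zone.Identifier stream.
    # Unblock-File -Path $script
}
else {
    Write-Host "No Zone.Identifier stream: the file counts as local and runs under RemoteSigned without a signature."
}
```

The Get-ExecutionPolicy -List output is the quickest way to confirm the post's point about Group Policy: if MachinePolicy or UserPolicy shows anything other than Undefined, the CurrentUser setting is ignored no matter what Set-ExecutionPolicy reports.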