PowerShell: fixing script signing errors even after you had “Set-ExecutionPolicy RemoteSigned”
Posted by jpluimers on 2013/06/27
Once in a while PowerShell users get an error like this:

```
PS C:\bin> . .\DownloadedScript.ps1
. : File C:\bin\DownloadedScript.ps1 cannot be loaded. The file C:\bin\DownloadedScript.ps1 is not digitally signed. The script will not execute on the system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ . .\DownloadedScript.ps1
+   ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) , PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
PS C:\bin>
```
I recently had it too, but was surprised this happened as I took the steps in my previous blog posts on this topic:
- Enabling powershell to run unsigned scripts for the current user only (via: Absoblogginlutely!).
- PowerShell: the 2 most common error messages for starters.
The execution policy was correct:
```
PS C:\bin> Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser    RemoteSigned
 LocalMachine       Undefined
```
So what gave PowerShell the idea that this was not a local script?
Well: I gave the hint away with the script’s filename: DownloadedScript.ps1.
In fact I downloaded the script from the internet, so it carried a “Zone.Identifier” NTFS alternate data stream, which is exactly what RemoteSigned uses to decide that a file is “remote” and therefore needs a signature. I wrote about those streams before as well, but in a different context: Windows: killing the Zone.Identifier NTFS alternate data stream from a file to prevent security warning popup.
Killing the ADS was easy:
```
C:\bin>list-Zone.Identifier-$DATA-stream-from-internet-download.bat DownloadedScript.ps1
C:\bin\DownloadedScript.ps1:
   :Zone.Identifier:$DATA 26

C:\bin>show-Zone.Identifier-$DATA-stream-from-internet-download.bat DownloadedScript.ps1

C:\bin>more 0<DownloadedScript.ps1:Zone.Identifier
[ZoneTransfer]
ZoneId=3

C:\bin>kill-Zone.Identifier-$DATA-stream-from-internet-download.bat DownloadedScript.ps1

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\bin\DownloadedScript.ps1:
   Deleted :Zone.Identifier:$DATA
```
Now the script runs fine (:
PS: a small table of ZoneId values from the URLZONE enumeration (Windows), via Code rant: Detecting and Changing a File’s Internet Zone in .NET: Alternate Data Streams:
- -1 = URLZONE_INVALID,
- 0 = URLZONE_PREDEFINED_MIN / URLZONE_LOCAL_MACHINE,
- 1 = URLZONE_INTRANET,
- 2 = URLZONE_TRUSTED,
- 3 = URLZONE_INTERNET,
- 4 = URLZONE_UNTRUSTED,
- 999 = URLZONE_PREDEFINED_MAX,
- 1000 = URLZONE_USER_MIN,
- 10000 = URLZONE_USER_MAX
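As an added example (not from the original post), here is the same inspection and cleanup done from PowerShell itself: read the Zone.Identifier stream, translate the ZoneId with the URLZONE table above, and clear the mark with Unblock-File once the script has been reviewed. It uses Get-Item -Stream, Get-Content -Stream and Unblock-File, which exist from PowerShell 3.0 on; the path C:\bin\DownloadedScript.ps1 is just the post's example file.

```powershell
# Added example, not code from the original post.
# Requires PowerShell 3.0 or later (-Stream parameters and Unblock-File).

function Get-ZoneName([int]$ZoneId) {
    # Names from the URLZONE table above; anything else is reported as unknown.
    switch ($ZoneId) {
        { $_ -eq -1 } { 'URLZONE_INVALID' }
        0             { 'URLZONE_LOCAL_MACHINE' }
        1             { 'URLZONE_INTRANET' }
        2             { 'URLZONE_TRUSTED' }
        3             { 'URLZONE_INTERNET' }
        4             { 'URLZONE_UNTRUSTED' }
        default       { 'unknown' }
    }
}

function Get-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)

    # No Zone.Identifier stream means RemoteSigned treats the file as local.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Zone = 'no Zone.Identifier stream (local)' }
    }

    # The stream is INI-style text: [ZoneTransfer] followed by ZoneId=N
    # (newer Windows builds may also record ReferrerUrl= and HostUrl= lines).
    $zoneId = $null
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^\s*ZoneId\s*=\s*(-?\d+)') { $zoneId = [int]$Matches[1]; break }
    }

    [pscustomobject]@{
        Path   = $Path
        ZoneId = $zoneId
        Zone   = if ($null -ne $zoneId) { Get-ZoneName $zoneId } else { 'stream present but no ZoneId line' }
    }
}

# Usage: show why RemoteSigned refuses the script, then unblock it after reviewing it.
$info = Get-ZoneIdentifier -Path 'C:\bin\DownloadedScript.ps1'
$info | Format-List
if ($info.ZoneId -eq 3 -or $info.ZoneId -eq 4) {
    # ZoneId 3 (Internet) or 4 (Untrusted) is what makes RemoteSigned demand a signature.
    # Unblock-File deletes the Zone.Identifier stream, the same effect as the kill batch file above.
    Unblock-File -LiteralPath $info.Path
}
```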
- Enabling powershell to run unsigned scripts for the current user only (via: Absoblogginlutely!) « The Wiert Corner – irregular stream of stuff.
- PowerShell: the 2 most common error messages for starters « The Wiert Corner – irregular stream of stuff.
- Windows: killing the Zone.Identifier NTFS alternate data stream from a file to prevent security warning popup « The Wiert Corner – irregular stream of stuff.