The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


PowerShell: fixing script signing errors even after you had “Set-ExecutionPolicy RemoteSigned”

Posted by jpluimers on 2013/06/27

Every once in a while, PowerShell users get an error like this:

PS C:\bin> . .\DownloadedScript.ps1
. : File C:\bin\DownloadedScript.ps1 cannot be loaded.
The file C:\bin\DownloadedScript.ps1 is not digitally signed.
The script will not execute on the system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ . .\DownloadedScript.ps1
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
PS C:\bin>

I recently had it too, but was surprised this happened as I took the steps in my previous blog posts on this topic:

The execution policy was correct:

PS C:\bin> Get-ExecutionPolicy -List

                                  Scope                         ExecutionPolicy
                                  -----                         ---------------
                          MachinePolicy                               Undefined
                             UserPolicy                               Undefined
                                Process                               Undefined
                            CurrentUser                            RemoteSigned
                           LocalMachine                               Undefined

So what gave PowerShell the idea that this was not a local script?

Well: I gave the hint away with the script’s filename: DownloadedScript.ps1.

In fact I downloaded the script from the internet, so it had a “Zone.Identifier” NTFS alternate data stream. I wrote about those before as well, but in a different context: Windows: killing the Zone.Identifier NTFS alternate data stream from a file to prevent security warning popup.

Killing the ADS was easy:

C:\bin>list-Zone.Identifier-$DATA-stream-from-internet-download.bat DownloadedScript.ps1
C:\bin\DownloadedScript.ps1:
   :Zone.Identifier:$DATA       26

C:\bin>show-Zone.Identifier-$DATA-stream-from-internet-download.bat DownloadedScript.ps1
C:\bin>more  0<DownloadedScript.ps1:Zone.Identifier
[ZoneTransfer]
ZoneId=3

C:\bin>kill-Zone.Identifier-$DATA-stream-from-internet-download.bat DownloadedScript.ps1

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\bin\DownloadedScript.ps1:
   Deleted :Zone.Identifier:$DATA

Now the script runs fine (:

PS: a small table of ZoneId values from URLZONE enumeration (Windows), via Code rant: Detecting and Changing a File’s Internet Zone in .NET: Alternate Data Streams:

  • -1 = URLZONE_INVALID,
  • 0 = URLZONE_PREDEFINED_MIN / URLZONE_LOCAL_MACHINE,
  • 1 = URLZONE_INTRANET,
  • 2 = URLZONE_TRUSTED,
  • 3 = URLZONE_INTERNET,
  • 4 = URLZONE_UNTRUSTED,
  • 999 = URLZONE_PREDEFINED_MAX,
  • 1000 = URLZONE_USER_MIN,
  • 10000 = URLZONE_USER_MAX

–jeroen
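
An added example (not part of the original post): the same inspection done with PowerShell's built-in cmdlets instead of the batch files and Sysinternals Streams, so a folder of scripts can be reviewed before any stream is removed. It assumes PowerShell 3.0 or later on an NTFS volume; the function name Get-ScriptZone is hypothetical, and C:\bin is the folder used in the post.

```powershell
# Added example: report the Zone.Identifier mark and signature state of scripts.
# ZoneId names taken from the URLZONE list in this post.
$ZoneNames = @{
    0 = 'URLZONE_LOCAL_MACHINE'
    1 = 'URLZONE_INTRANET'
    2 = 'URLZONE_TRUSTED'
    3 = 'URLZONE_INTERNET'
    4 = 'URLZONE_UNTRUSTED'
}

function Get-ScriptZone {    # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path
    )
    Get-ChildItem -LiteralPath $Path -Filter *.ps1 -File | ForEach-Object {
        $file = $_
        $zoneId = $null
        # Files that were never downloaded have no such stream; suppress that error.
        $stream = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                              -ErrorAction SilentlyContinue
        if ($stream) {
            $match = $stream | Select-String -Pattern '^\s*ZoneId\s*=\s*(-?\d+)' |
                     Select-Object -First 1
            if ($match) { $zoneId = [int] $match.Matches[0].Groups[1].Value }
        }
        if ($null -eq $zoneId) {
            $zoneName = '(no Zone.Identifier)'
        } elseif ($ZoneNames.ContainsKey($zoneId)) {
            $zoneName = $ZoneNames[$zoneId]
        } else {
            $zoneName = '(other zone)'
        }
        [pscustomobject]@{
            Name         = $file.Name
            ZoneId       = $zoneId
            Zone         = $zoneName
            # Internet/Untrusted mark: RemoteSigned then demands a valid signature.
            MarkedRemote = ($zoneId -in 3, 4)
            Signature    = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
        }
    }
}

Get-ScriptZone -Path 'C:\bin' | Format-Table -AutoSize

# Once a script's content has been reviewed, the built-in equivalent of the
# "kill" batch file is:  Unblock-File -LiteralPath C:\bin\DownloadedScript.ps1
```

A row with MarkedRemote set to True and a Signature of NotSigned is the combination that produces the error at the top of this post under RemoteSigned.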
