The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

PowerShell: fixing script signing errors even after you had “Set-ExecutionPolicy RemoteSigned”

Posted by jpluimers on 2013/06/27

Every once in a while, PowerShell users get an error like this:

PS C:\bin> . .\DownloadedScript.ps1
. : File C:\bin\DownloadedScript.ps1 cannot be loaded.
The file C:\bin\DownloadedScript.ps1 is not digitally signed.
The script will not execute on the system. For more information, see about_Execution_Policies at
At line:1 char:3
+ . .\DownloadedScript.ps1
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
PS C:\bin>

I recently had it too, but was surprised this happened as I took the steps in my previous blog posts on this topic:

The execution policy was correct:

PS C:\bin> Get-ExecutionPolicy -List

                                  Scope                         ExecutionPolicy
                                  -----                         ---------------
                          MachinePolicy                               Undefined
                             UserPolicy                               Undefined
                                Process                               Undefined
                            CurrentUser                            RemoteSigned
                           LocalMachine                               Undefined

So what gave PowerShell the idea that this was not a local script?

Well: I gave the hint away with the script’s filename: DownloadedScript.ps1.

In fact I downloaded the script from the internet, so it had a “Zone.Identifier” NTFS alternate data stream. I wrote about those before as well, but in a different context: Windows: killing the Zone.Identifier NTFS alternate data stream from a file to prevent security warning popup.

Killing the ADS was easy:

C:\bin>list-Zone.Identifier-$DATA-stream-from-internet-download.bat DownloadedScript.ps1
   :Zone.Identifier:$DATA       26

C:\bin>show-Zone.Identifier-$DATA-stream-from-internet-download.bat DownloadedScript.ps1
C:\bin>more  0<DownloadedScript.ps1:Zone.Identifier

C:\bin>kill-Zone.Identifier-$DATA-stream-from-internet-download.bat DownloadedScript.ps1

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals -

   Deleted :Zone.Identifier:$DATA

Now the script runs fine (:

PS: a small table of ZoneId values from URLZONE enumeration (Windows), via Code rant: Detecting and Changing a File’s Internet Zone in .NET: Alternate Data Streams:

  • 1000 = URLZONE_USER_MIN,
  • 10000 = URLZONE_USER_MAX
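
PowerShell 3.0 and later can read and remove the Zone.Identifier stream without external tools. The following is an added example, not part of the original post: it reports the zone and Authenticode status of each script so you can review it before unblocking. The function name Get-ScriptZone is hypothetical, and the names for ZoneId 0 to 4 come from Microsoft's URLZONE enumeration rather than from this page.

```powershell
# Added example: inspect the mark-of-the-web before deciding to remove it.
# Needs PowerShell 3.0+ on NTFS (-Stream, -Raw and Unblock-File).
function Get-ScriptZone {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    begin {
        # Predefined URLZONE values; anything else (e.g. 1000..10000) is user-defined.
        $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Untrusted' }
    }
    process {
        $zoneId = $null
        $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($stream) {
            # Stream content is INI-style text: "[ZoneTransfer]" then "ZoneId=<n>".
            $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
            if ($text -match '(?m)^ZoneId=(\d{1,5})') { $zoneId = [int]$Matches[1] }
        }
        $zone = 'none'
        if ($null -ne $zoneId) {
            $zone = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { "user-defined ($zoneId)" }
        }
        [pscustomobject]@{
            Path      = $Path
            ZoneId    = $zoneId
            Zone      = $zone
            Signature = (Get-AuthenticodeSignature -FilePath $Path).Status
        }
    }
}

# Review every script in the folder first...
Get-ChildItem -Path 'C:\bin' -Filter '*.ps1' | Get-ScriptZone | Format-Table -AutoSize

# ...then remove the Zone.Identifier stream only from a script you have read through.
Unblock-File -LiteralPath 'C:\bin\DownloadedScript.ps1' -Confirm
```

Unblock-File deletes only the Zone.Identifier stream; the execution policy itself stays at RemoteSigned.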


