PowerShell execution policy RemoteSigned contradiction?

Please see the following URL: URL

It currently says the following about downloaded scripts:

"Runs scripts that are downloaded from the Internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet."

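I just downloaded a script from the TechNet gallery (PS2EXE), and I can run the included test script without using the Unblock-File cmdlet. What is going on? Am I misunderstanding what Microsoft is telling me, or is this a glitch?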

help unblock-file:

Internally, the Unblock-File cmdlet removes the Zone.Identifier alternate data stream, which has a value of "3" to indicate that it was downloaded from the Internet.

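What marks a file as "remote" or "coming from the internet" is data on your local computer's filesystem. It has to be put there by the tool that downloads the file; it is not included in the file download.

If you download the file through Internet Explorer, possibly Firefox, or Invoke-WebRequest, these will add it. If you download with something else, that tool may not add this alternate stream.

See how it behaves: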

# Show folder is empty
PS C:\temp\> Get-ChildItem


# Make a test script which prints Hello World, and run it
PS C:\temp\> "'Hello World'" | Set-Content -Path .\test.ps1
PS C:\temp\> .\test.ps1
Hello World


# Show the file exists
PS C:\temp\> Get-ChildItem

    Directory: C:\temp\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       01/08/2018     22:07             15 test.ps1


# Add the Zone Identifier alternate data stream
PS C:\temp\> "[ZoneTransfer]`nZoneId=3" | Set-Content -Path 'test.ps1' -Stream 'Zone.Identifier'


# Show that it doesn't appear in a normal directory listing:
PS C:\temp\> Get-ChildItem

    Directory: C:\temp\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       01/08/2018     22:08             15 test.ps1



# Show how it blocks the file from running
PS C:\temp\> .\test.ps1
.\test.ps1 : File C:\temp\test.ps1 cannot be loaded. The file C:\temp\test.ps1 is not digitally signed. You cannot
run this script on the current system. For more information about running scripts and setting execution policy, see
about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\test.ps1
+ ~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess


# Show file content
PS C:\temp\> Get-Content -Path .\test.ps1
'Hello World'


# Show alternate data stream content
PS C:\temp\> Get-Content -Path .\test.ps1 -Stream 'Zone.Identifier'
[ZoneTransfer]
ZoneId=3


# Unblock-File removes this alternate stream
PS C:\temp\> Unblock-File .\test.ps1


# Script runs again
PS C:\temp\> .\test.ps1
Hello World

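So the main question is: if you run Get-Content file.ps1:Zone.Identifier and see that ZoneId is 3, and you can still run the script, and Get-ExecutionPolicy is RemoteSigned, then you have something odd going on.

But my guess is that the download tool didn't add this data, so the file looks just like one that was created locally.

NB. RemoteSigned is not a security feature; it is a "help guard against accidentally running scripts before reading them and deliberately choosing to run them" check, like an "are you sure?" box rather than a password prompt.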
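
The check described in the answer above, as an added example that is not part of the original answer: it lists every .ps1 file under a folder with its Zone.Identifier stream, parsed ZoneId and Authenticode status, next to the effective execution policy. The function name Get-ScriptZoneReport, the zone-demo folder and the two sample scripts are constructed for this example, and treating zones 3 and 4 as "remote" is an assumption of the example.

```powershell
# Added example: report the Zone.Identifier mark for each script under a folder.
function Get-ScriptZoneReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    Get-ChildItem -Path $Path -Filter '*.ps1' -File -Recurse | ForEach-Object {
        $file   = $_.FullName
        $zoneId = $null

        # The stream is simply absent when the download tool never wrote it.
        $stream = Get-Item -LiteralPath $file -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($stream) {
            $text = Get-Content -LiteralPath $file -Stream 'Zone.Identifier' -Raw
            if ($text -match '(?m)^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }
        }

        [pscustomobject]@{
            Name      = $_.Name
            HasStream = [bool]$stream
            ZoneId    = $zoneId
            # Assumption of this example: zones 3 (Internet) and 4 (Restricted sites) count as remote.
            Remote    = ($zoneId -in 3, 4)
            Signature = (Get-AuthenticodeSignature -LiteralPath $file).Status
        }
    }
}

# Constructed sample: one script without the stream, one marked as downloaded.
$dir = Join-Path $env:TEMP 'zone-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
"'Hello World'" | Set-Content -Path (Join-Path $dir 'local.ps1')
"'Hello World'" | Set-Content -Path (Join-Path $dir 'marked.ps1')
"[ZoneTransfer]`nZoneId=3" | Set-Content -Path (Join-Path $dir 'marked.ps1') -Stream 'Zone.Identifier'

"Effective policy: $(Get-ExecutionPolicy)"
Get-ScriptZoneReport -Path $dir | Format-Table -AutoSize
```

A downloaded script that shows HasStream as False was saved by a tool that did not write the stream, which is the situation the answer guesses at for the PS2EXE download.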