If you run a PowerShell script that you downloaded, you might get a security warning that lectures you that scripts from the Internet can be potentially harmful. One way to avoid this message in PowerShell is to bypass ExecutionPolicy. However, other ways exist to deal with this problem.

Security warning for downloaded scripts ^

This is the message you will see even if your PowerShell ExecutionPolicy is set to Unrestricted if you start a script that you downloaded from the Internet:

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\foo.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):

It is not a big deal to just type “R” to run the script. However, this message can get on your nerves if you intend to use the script regularly or if you often download scripts. Depending on the purpose, you have several options to avoid this warning.

Alternate data streams and PowerShell ^

But let me first explain what causes this message. NTFS supports Alternate Data Streams (ADS), Microsoft’s implementation of file system forks. ADS enables applications to store multiple sets of data in a file. You can’t see these alternate data streams in File Explorer, which is why this feature is popular among rootkit creators.

Whereas ADS was originally introduced to improve compatibility with other operating systems, Internet Explorer’s developers had the idea to use ADS to mark files as potentially harmful. Other browser makers added this feature later. Thus, Chrome and Firefox will also add a data stream to all files downloaded from the Internet. Opera currently doesn’t show this behavior.

There is hardly a Windows feature that isn’t supported by PowerShell, and so you can also deal with ADS in Microsoft’s scripting language. The Get-Item cmdlet offers the Stream parameter, which allows you to check whether a file contains alternate streams.

PS> Get-Item foo.ps1 –Stream *

FileName: C:\foo.ps1

Stream Length
------ ------
:$DATA 17645
Zone.Identifier 26

The first stream is the default stream and is of type $DATA. In my example, it has a length of 17645 bytes. Zone.Identifier is an alternate data stream that was added by a web browser when I downloaded the file. To view the contents of the stream, you can use the Get-Content cmdlet.

PS> Get-Content foo.ps1 -Stream Zone.Identifier

A ZoneID of “3” indicates that the file was downloaded from the Internet. These are all possible zones that you might know from Internet Explorer’s security settings:

Value Setting 
0     My Computer 
1     Local Intranet Zone 
2     Trusted sites Zone 
3     Internet Zone 
4     Restricted Sites Zone

Read on to see the options you have to get rid of the warning and the Zone.Identifier data stream.

Bypass ExecutionPolicy ^

As noted above, the security warning that you are about to run a potentially harmful script will appear even if you have set your ExecutionPolicy to Unrestricted. Even more unrestricted than Unrestricted is ExecutionPolicy Bypass because it disables all blocks and warnings. You’ll need a PowerShell console with administrator privileges to change your ExecutionPolicy.

Set-ExecutionPolicy Bypass

If you now run a PowerShell script that you downloaded from the Internet, you will no longer be bothered by warnings. The question is whether you find this security warning to be useful. If you don’t trust yourself to only download scripts from trustworthy sites, you might consider the option described below instead.

Unblock files with PowerShell ^

The Unblock-File cmdlet does exactly what its name suggests. It unblocks files downloaded from the Internet.

PS> Unblock-File foo.ps1
PS> Get-Item foo.ps1 –Stream *

 FileName: C:\foo.ps1

Stream Length
------ ------
:$DATA 17645

As you can see, the Unblock-File cmdlet simply removes the Zone.Identifier stream from the file. From now on, the PowerShell script will behave like any other script. If you want to unblock all PowerShell scripts in your current directory, you can use the command below:

Get-ChildItem -Filter *.ps1 | Unblock-File

Unblock files in File Explorer ^

If you just want to unblock a single file, you can also do this in File Explorer. Right-click the file, select Properties, and then click Unblock.

Unblock in File Explorer

Unblock in File Explorer

A simple way to unblock multiple files in File Explorer (some people would call this “automating the task”) is to copy the files to a FAT32 drive such as a USB stick because Windows will then remove the alternate stream. If you then copy the files back to your NTFS drive, the files will be unblocked.

Disable preservation of zone information ^

Another option is the Group Policy Do not preserve zone information in file attachments. This policy doesn’t remove the Zone.Identifier stream from files that you already downloaded, but it will prevent Internet Explorer, Chrome, and Firefox from adding the alternate data stream in the future. Notice that this will affect not only PowerShell scripts but all kinds of files that you download from the Internet. You can find the policy in User Configuration > Administrative Templates > Windows Components > Attachment Manager.

Do not preserve zone information in file attachments

Do not preserve zone information in file attachments

1 Comment
  1. Kelvin Wong 4 years ago

    Many thanks for this article, this is exactly what I am looking for. For a very restrictive place where I work, setting bypass doesn't work as our servers are very locked down. The unblock-file trick works perfectly!

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2022


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account