If you run a PowerShell script that you downloaded, you might get a security warning that lectures you that scripts from the Internet can be potentially harmful. One way to avoid this message in PowerShell is to bypass ExecutionPolicy. However, other ways exist to deal with this problem.

Security warning for downloaded scripts ^

This is the message you will see even if your PowerShell ExecutionPolicy is set to Unrestricted if you start a script that you downloaded from the Internet:

It is not a big deal to just type “R” to run the script. However, this message can get on your nerves if you intend to use the script regularly or if you often download scripts. Depending on the purpose, you have several options to avoid this warning.

Alternate data streams and PowerShell ^

But let me first explain what causes this message. NTFS supports Alternate Data Streams (ADS), Microsoft’s implementation of file system forks. ADS enables applications to store multiple sets of data in a file. You can’t see these alternate data streams in File Explorer, which is why this feature is popular among rootkit creators.

Whereas ADS was originally introduced to improve compatibility with other operating systems, Internet Explorer’s developers had the idea to use ADS to mark files as potentially harmful. Other browser makers added this feature later. Thus, Chrome and Firefox will also add a data stream to all files downloaded from the Internet. Opera currently doesn’t show this behavior.

There is hardly a Windows feature that isn’t supported by PowerShell, and so you can also deal with ADS in Microsoft’s scripting language. The Get-Item cmdlet offers the Stream parameter, which allows you to check whether a file contains alternate streams.

The first stream is the default stream and is of type $DATA. In my example, it has a length of 17645 bytes. Zone.Identifier is an alternate data stream that was added by a web browser when I downloaded the file. To view the contents of the stream, you can use the Get-Content cmdlet.

A ZoneID of “3” indicates that the file was downloaded from the Internet. These are all possible zones that you might know from Internet Explorer’s security settings:

Read on to see the options you have to get rid of the warning and the Zone.Identifier data stream.

Bypass ExecutionPolicy ^

As noted above, the security warning that you are about to run a potentially harmful script will appear even if you have set your ExecutionPolicy to Unrestricted. Even more unrestricted than Unrestricted is ExecutionPolicy Bypass because it disables all blocks and warnings. You’ll need a PowerShell console with administrator privileges to change your ExecutionPolicy.

If you now run a PowerShell script that you downloaded from the Internet, you will no longer be bothered by warnings. The question is whether you find this security warning to be useful. If you don’t trust yourself to only download scripts from trustworthy sites, you might consider the option described below instead.

Unblock files with PowerShell ^

The Unblock-File cmdlet does exactly what its name suggests. It unblocks files downloaded from the Internet.

As you can see, the Unblock-File cmdlet simply removes the Zone.Identifier stream from the file. From now on, the PowerShell script will behave like any other script. If you want to unblock all PowerShell scripts in your current directory, you can use the command below:

Unblock files in File Explorer ^

If you just want to unblock a single file, you can also do this in File Explorer. Right-click the file, select Properties, and then click Unblock.

Unblock in File Explorer

Unblock in File Explorer

A simple way to unblock multiple files in File Explorer (some people would call this “automating the task”) is to copy the files to a FAT32 drive such as a USB stick because Windows will then remove the alternate stream. If you then copy the files back to your NTFS drive, the files will be unblocked.

Disable preservation of zone information ^

Another option is the Group Policy Do not preserve zone information in file attachments. This policy doesn’t remove the Zone.Identifier stream from files that you already downloaded, but it will prevent Internet Explorer, Chrome, and Firefox from adding the alternate data stream in the future. Notice that this will affect not only PowerShell scripts but all kinds of files that you download from the Internet. You can find the policy in User Configuration > Administrative Templates > Windows Components > Attachment Manager.

Do not preserve zone information in file attachments

Do not preserve zone information in file attachments

Join the 4sysops PowerShell group!

Your question was not answered? Ask in the forum!

1+
Share
1 Comment
  1. Kelvin Wong 3 years ago

    Many thanks for this article, this is exactly what I am looking for. For a very restrictive place where I work, setting bypass doesn't work as our servers are very locked down. The unblock-file trick works perfectly!

    2+

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account