
I have created the below batch file and it works flawlessly as long as I run it manually.

However, if I run the .bat file from an HTA application, PowerShell says that it can't run the script because it is not signed/not trusted: "File cannot be loaded because the execution of scripts is disabled on this system".

Is there any fix/workaround for this without having to actually sign the script?

Batch file:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". '%cd%\temp_oooscript\wrapper.ps1'"

Thank you.

AdrianM

3 Answers


Try setting the execution policy for PowerShell to bypass when executing it. Like this:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -executionpolicy bypass -command ". '%cd%\temp_oooscript\wrapper.ps1'"

The reason you're seeing this is most likely because the HTA application is run as 32-bit software, while your OS is 64-bit. Because the HTA app is running as 32-bit, it uses the PowerShell in C:\windows\syswow64\windowspowershell... (even though you specified system32 in your code). The execution policy there has its own setting, separate from what you have in your normal 64-bit PowerShell.

The best way to fix it would be to sign the script using the PKI infrastructure in your environment. As a workaround you can use the code I provided above. The advantage of the workaround above is that the execution policy is only set to bypass ("disabled") for the PROCESS, and not as a default setting that could compromise security.

Frode F.
  • This allows the script to run but I am receiving other errors... seems like the script is not fully functional this way: – AdrianM May 11 '13 at 17:00
  • errors like path in some registry not found.. to be more clear, the wrapper.ps1 contains 2 ps1 scripts... the first one connects to the Exchange server and the second one runs a command on the Exchange server. – AdrianM May 11 '13 at 17:01
  • if the path is not found it may be a permissions question. Is the parent process (HTA application?) run as Administrator? – Frode F. May 11 '13 at 17:09
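As an added diagnostic (not code from the question or the answers), this PowerShell script prints which host bitness the current process got and the LocalMachine execution policy stored for each bitness, which is the split the answer above describes. The registry paths are the standard ones; the -List switch assumes PowerShell 3.0 or later.

```powershell
# Added diagnostic, not code from the question or the answers. Shows which
# PowerShell host (native 64-bit or 32-bit WOW64) the launching process got,
# and reads the execution policy the OS stores separately for each bitness.
# Run it twice: once from C:\Windows\System32\cmd.exe and once from
# C:\Windows\SysWOW64\cmd.exe (the same split applies to mshta.exe).

$is64BitProcess = ([IntPtr]::Size -eq 8)
$hostPath       = (Get-Process -Id $PID).Path

Write-Host ('Host executable : {0}' -f $hostPath)
Write-Host ('Process bitness : {0}' -f $(if ($is64BitProcess) { '64-bit (native)' } else { '32-bit (WOW64)' }))
Write-Host ('Effective policy: {0}' -f (Get-ExecutionPolicy))

# Per-scope breakdown (MachinePolicy, UserPolicy, Process, CurrentUser,
# LocalMachine); -List needs PowerShell 3.0 or later.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# The LocalMachine scope lives in the registry. On a 64-bit OS the 32-bit host
# uses the Wow6432Node copy, which is why Set-ExecutionPolicy run in a 64-bit
# console does not change what a 32-bit launcher sees. Registry redirection
# sends a 32-bit host to the Wow6432Node value for BOTH paths below, so run
# this from the 64-bit host to see the two values side by side.
$paths = [ordered]@{
    '64-bit host' = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    '32-bit host' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
}
foreach ($name in $paths.Keys) {
    $item   = Get-ItemProperty -Path $paths[$name] -Name ExecutionPolicy -ErrorAction SilentlyContinue
    $policy = if ($item) { $item.ExecutionPolicy } else { '(not set)' }
    Write-Host ('LocalMachine policy for {0}: {1}' -f $name, $policy)
}
```

If the two LocalMachine values differ, a launcher started from SysWOW64 will enforce the 32-bit value even when the batch file names the System32 powershell.exe.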

This problem is caused by the Windows PowerShell execution policy setting.

To check what policy is running type this command:

Get-ExecutionPolicy

Your policy should be one of these 4:

Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.

AllSigned - Only scripts signed by a trusted publisher can be run.

RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.

Unrestricted - No restrictions; all Windows PowerShell scripts can be run.

Not sure if you are running remotely or locally.

If locally then your policy might be "all signed".

If remotely then your policy might be "RemoteSigned" or "all signed".

To fix the problem, 2 ways:

  1. Adjust the policy setting. Don't make it too loose like unrestricted (I assume it is a medium to large production environment). For the same reason, if this is true, I don't favour the bypass approach proposed by Graimer.

    If this is a lab or a small and trusted environment then "unrestricted" can be an option. Or the bypass method proposed by Graimer.

  2. Get the script signed. You need to run some "makecert" stuff to generate the signature and then copy it to the machine. The following link might help:

http://www.hanselman.com/blog/SigningPowerShellScripts.aspx

Peter
  • And all computers running the app need the certificate (if self-signed) or a parent certificate (ex. the root or issuing one that created it); if not he will receive a warning if I remember correctly. Something you'd want to avoid in this situation. The reason I suggested bypass was to simplify this so he could find the error before making a big fuss with signing the script. :-) – Frode F. May 11 '13 at 17:13
  • Got it, @Graimer you want him to narrow down the issue. I believe if he runs Get-ExecutionPolicy then it will move one step forward regarding where the problem comes from. – Peter May 11 '13 at 17:16
  • Another beautiful article about the exact issue and error message: http://technet.microsoft.com/en-us/library/ee176949.aspx – Peter May 11 '13 at 17:20
  • Just saw you are running it on an Exchange server. As a former Exchange admin, I don't think you should make the execution policy too loose :) – Peter May 11 '13 at 17:25
  • According to this your Exchange server might be set up as "restricted" since you can run manually (in interactive mode) OK but not from an app. `Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.` – Peter May 11 '13 at 18:16
  • Thanks for the answers. The thing is, it works fine when running it from a .vbs application but not from a .hta application – AdrianM May 11 '13 at 19:10
  • vbs app and hta app are on the same box? – Peter May 11 '13 at 19:28
  • If the vbs script and the ps script are on the same box, then it could be that the vbs one is signed while the PowerShell one is not – Peter May 11 '13 at 19:38
  • Not sure what you mean by "same box". I have the script in a .vbs file which works fine if I run it manually (double click on the file). But it fails to execute the PowerShell script in the .vbs file if accessed from the hta (ex: through a hyperlink or a run command) – AdrianM May 11 '13 at 20:20
  • @user2372754: when you run it manually, it is "interactive mode"; when you run it through hta it is not "interactive mode". So this indicates your server (when I say box I mean server) might be in `"restricted execution policy mode"`, which can explain why you can run it manually. You can verify this by typing the "Get-ExecutionPolicy" cmdlet in PowerShell. Then we can go from there. – Peter May 11 '13 at 20:46
  • RemoteSigned. To sum it up, the .vbs file that I have runs a PowerShell script and works fine. If the vbs file is run from an hta file, the PowerShell script is not run due to policy restrictions. I still don't understand how it can work one way and not work the other way :( – AdrianM May 11 '13 at 21:28
  • Is there any way to have the PowerShell script working from HTA with the current policy? – AdrianM May 11 '13 at 21:35
  • @AdrianM I believe you will need to run the signing procedure. And this makes sense for a server in the long run, esp. for an Exchange server. Another good ref: http://blogs.technet.com/b/heyscriptingguy/archive/2010/06/17/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2.aspx – Peter May 11 '13 at 22:18
  • I ignored one thing: you should be a developer, not a system admin. You can bring this to the admins and let them know what your app needs. – Peter May 11 '13 at 22:36
  • Thanks, I'll look into it. How do certificates work? After I put the signature into the script, what happens if later I update/modify the script? I'll need to sign it again? – AdrianM May 12 '13 at 09:27
  • I have experimented with this a bit more. I have a SIGNED script which works fine when I double-click on the .bat file that launches it in PowerShell but fails to execute when launching the same .bat file from an hta app... – AdrianM May 12 '13 at 15:40
  • YES!! Found the bloody solution!! the HTA file needs to be run through the mshta.exe from system32 instead of SysWOW64. Woohoo!!! – AdrianM May 12 '13 at 15:49
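To illustrate the signing route from this answer and the follow-up question in the comments about what happens when a signed script is edited, here is an added example (not code from the answers or the linked articles). It assumes a certificate with the Code Signing EKU already sits in Cert:\CurrentUser\My (for instance one produced with makecert as in the linked article), uses the wrapper.ps1 path from the question, and needs PowerShell 3.0 or later for Get-Content -Raw.

```powershell
# Added example, not code from the answers. Signs wrapper.ps1 with a code-signing
# certificate from the current user's personal store, verifies it the way an
# AllSigned/RemoteSigned host does before running a script, then shows that
# editing the file breaks the signature so it has to be re-signed.
# Assumption: a certificate with the Code Signing EKU is in Cert:\CurrentUser\My.

$scriptPath = Join-Path $PWD 'temp_oooscript\wrapper.ps1'   # path from the question

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

function Show-Status([string]$label) {
    # Get-AuthenticodeSignature recomputes the file hash and compares it with the
    # hash inside the "# SIG # Begin signature block" comment at the end of the script.
    $sig = Get-AuthenticodeSignature -FilePath $scriptPath
    Write-Host ('{0,-16}: {1}' -f $label, $sig.Status)
    return $sig.Status
}

# 1. Sign. A self-signed certificate must also be in Trusted Root and Trusted
#    Publishers on every machine that runs the script, otherwise the host
#    prompts or refuses (the point Frode F. makes in the comments above).
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null
Show-Status 'After signing' | Out-Null

# 2. Edit the script body: a comment prepended ahead of the signature block.
$body = Get-Content -Path $scriptPath -Raw
Set-Content -Path $scriptPath -Value ("# edited after signing`r`n" + $body)
if ((Show-Status 'After editing') -eq 'HashMismatch') {
    Write-Host 'The stored hash no longer matches: re-sign before running it again.'
}

# 3. Re-sign so the updated script is trusted again.
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null
Show-Status 'After re-signing' | Out-Null
```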

YES!! Found the bloody solution!! the HTA file needs to be run through the mshta.exe from system32 instead of SysWOW64. Woohoo!!!

AdrianM