
When invoking PowerShell directly by invoking PWSH.EXE, it accepts an -ExecutionPolicy parameter for essentially a "one time/this-instance-only" invocation with something other than the policy default for that context.

I infer, but cannot confirm, that invoking this parameter requires the caller to have local administrative access. I have not been able to confirm or refute this by looking at PWSH documentation from MS. I make this inference because it would be a trivial bypass of the entire -ExecutionPolicy concept to allow a non-privileged account to run a script that sets this parameter arbitrarily, then fire a script that causes all kinds of mayhem. But I have found nothing in MS docs stating the rules either way.

To clarify: This question inquires as to the permissions of the calling process context that invokes PWSH with the -ExecutionPolicy option.

  • The simplest way to confirm that changing the ExecutionPolicy of a PowerShell script does indeed require elevated permissions is to attempt to change the policy in a script whose permissions were not elevated.
    – Ramhound
    Commented May 23 at 14:03
  • The only way a script would have elevated permissions is if the calling process also had it. What policy are you trying to set? Different policies have different permissions that will be required. If you find this comment to be unhelpful, ignore it, and flag as no longer necessary. There is no need to tell me you find it unhelpful.
    – Ramhound
    Commented May 23 at 14:52
  • I never said it was unhelpful. I said it wasn't germane. You're answering a question I did not ask, and I couldn't ask the question more simply. I need to know if invoking PWSH with -ExecutionPolicy parameter requires the calling process to hold specific privileges, such as local administrator, regardless of the actual script being invoked.
    – David W
    Commented May 23 at 15:09

1 Answer

No, you do not require administrative elevation to use ExecutionPolicy. While this is quoted for Windows PowerShell Script Security, it has not changed for newer versions.

It may seem odd to permit users to override an administrator-established value for the execution policy, but remember that the execution policy is intended to help stop unintended script execution. It is not intended to stop skilled users from executing scripts at all, merely to ensure that they do not do so without knowing what they are doing. Running Powershell.exe and specifying a command-line parameter is definitely not something that can easily be accomplished by accident.

Source https://learn.microsoft.com/en-us/previous-versions/msdn10/gg261722(v=msdn.10)

  • Thank you for this thoughtful and informative answer. In my digging about on this issue, I never saw the posted comment that specifically addressed my concern. Why MS wouldn't just add that to the detail docs for the parameter is beyond me. Chosen as answer.
    – David W
    Commented May 29 at 13:43
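
A check that can be run from a standard, non-elevated session to observe the behaviour the answer describes. This is an added example, not part of the original thread; it assumes Windows with `pwsh` on the PATH, and `AllSigned` is only a sample value for the one-time policy.

```powershell
# Added example. Assumes Windows and PowerShell 7 (pwsh.exe) on the PATH.

# 1. Record whether the calling session is elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Caller elevated: $isAdmin"

# 2. Snapshot the policy of every scope as the caller sees it.
$before = Get-ExecutionPolicy -List

# 3. Start a child instance with a one-time policy and have it report
#    what it sees. The parameter only populates the Process scope.
$child = pwsh -NoProfile -ExecutionPolicy AllSigned -Command {
    [pscustomobject]@{
        Effective     = [string](Get-ExecutionPolicy)
        Process       = [string](Get-ExecutionPolicy -Scope Process)
        MachinePolicy = [string](Get-ExecutionPolicy -Scope MachinePolicy)
        UserPolicy    = [string](Get-ExecutionPolicy -Scope UserPolicy)
        EnvPreference = $env:PSExecutionPolicyPreference
    }
}
$child | Format-List Effective, Process, MachinePolicy, UserPolicy, EnvPreference

# 4. The caller's scopes are unchanged once the child has exited:
#    nothing persistent was written, so no elevation was needed.
$after   = Get-ExecutionPolicy -List
$changed = Compare-Object $before $after -Property Scope, ExecutionPolicy
"Persistent policy changed by the child: $([bool]$changed)"

# 5. Scope precedence is MachinePolicy, UserPolicy, Process, CurrentUser,
#    LocalMachine. If either Group Policy scope is defined, Effective
#    shows that value rather than the one passed on the command line.
if ($child.MachinePolicy -ne 'Undefined' -or $child.UserPolicy -ne 'Undefined') {
    "Group Policy defines the execution policy and takes precedence over the Process scope."
}
```

On a machine where neither Group Policy scope is defined, `Effective` and `Process` both read `AllSigned` in the child while the caller's own listing stays as it was.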
