Logging hash of signed PowerShell-Scripts

user1667906

5/8/24, 12:42 PM

I use signed PowerShell scripts within my infrastructure and log all PowerShell activity via Windows EventLog. Sadly it seem that windows does not log a hash or fingerprint of signed scripts or even any information about the status of a script as long as I do not prohibit unsigneds scripts from executing. I'm not quite ready to do that and had hoped to use the logging to find where unsigned scripts are in use.

Is there a way to make widows log not only sript execution but also more information about that script like is it signed, its hash or fingerprint and the validity of that signature or the signature itself?

Many thanks in advance.

0 + 3

powershell

windows-event-log

digital-signatures

Greg Askew

5/8/24, 1:15 PM

Disallowing unsigned scripts is simply intended to be a convenience for you. This feature only applies to regular users, and nearly all regular users aren't "PowerShell users", so they are probably running a script as part of a logon process or a scheduled task, but not directly. Additionally, an ability to do this doesn't mean much for someone that runs WebClient and streams a Base64-encoded byte array and runs that PowerShell code over the Internet without persisting the code to a script file at all.

twconnell

5/11/24, 10:09 PM

So what you're saying is the PowerShell execution policy is not a security feature worth fiddling with?

Bacon Bits

6/22/24, 2:37 PM

It's not really much of a security feature at all. When your execution policy is AllSigned, it's intended to prevent unauthorized modifications to script files like local logon or startup script. But that's it. It's very narrow. The about_Execution_Policies help topic says: "The execution policy isn't a security system that restricts user actions. For example, users can easily bypass a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally."

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Logging hash of signed PowerShell-Scripts

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.