What’s behind ‘Run with PowerShell’ context menu?

To find out what the “Run with PowerShell” action does, let’s dig into the registry:

The .ps1 file extension is associated with the Microsoft.PowerShellScript.1 type.

I can find the “Run with PowerShell” string in the cache.

Using the verb, it clearly uses the registry key named 0 and its command below.

I can see what action will be performed on the file when I click ‘Run with PowerShell’:

(Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\Microsoft.PowerShellScript.1\Shell\0\Command").'(default)'

It will do the following: (%1 represents the location (fullpath) of the ps1 file being launched)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & '%1'"

If the Execution policy is set to AllSigned, there’s no attempt to modify the execution policy in the process scope.

In my case, this prompt is expected considering what the ‘Run with PowerShell’ action does.

But sometimes, I don’t get a prompt. Strange 😦

There’s an about file about_Run_With_PowerShell that states:

The “Run with PowerShell” feature starts a Windows PowerShell
session that has an execution policy of Bypass, runs the
script, and closes the session.

It runs a command that has the following format:
PowerShell.exe -File -ExecutionPolicy Bypass

“Run with PowerShell” sets the Bypass execution policy only
for the session (the current instance of the PowerShell process)
in which the script runs. This feature does not change the execution
policy for the computer or the user.

The “Run with PowerShell” feature is affected only by the AllSigned
execution policy. If the AllSigned execution policy is effective for
the computer or the user, “Run with PowerShell” runs only signed
scripts. “Run with PowerShell” is not affected by any other execution
policy. For more information, see about_Execution_Policies.

Troubleshooting Note: Run with PowerShell command might prompt you
to confirm the execution policy change.

If I compare to what I see in the registry, Powershell.exe isn’t invoked with the -File parameter and the -Executionpolicy parameter set to bypass.
Also note that the help file states that the command might prompt you to confirm the execution policy change.
“Might” actually means: it’s true, I can get a prompt, but it’s not very likely.
This is actually the definition of an inconsistent behavior.

My AppLocker policy seems to catch and block the execution.

But I also immediately get event 4104 in the Microsoft-Windows-PowerShell/Operational log, as I turned on (non-protected) script block logging.

Whether I get a prompt or not, whether I answer yes or no to the prompts, the code inside the ps1 file is executed.
The code being executed is a single WMI query that requires administrative privileges.
Its execution ends with a terminating error because the parent process of PowerShell.exe is Explorer, and PowerShell.exe inherits its integrity level, set to “Medium”, running in the standard user context (i.e. not running as administrator).

Anyway, I also turned on Transcripts and I clearly get the confirmation that the code inside .ps1 file is executed:



PowerShell script block logging and transcripts are more reliable than AppLocker.
“Run with PowerShell” actually bypassed the AppLocker policy by launching powershell.exe -command “& ”” and dot sourcing the script the same way malware does in its post-exploitation phase.

Better safe than sorry, I changed the behavior of the “Run with PowerShell” context menu.
I set it to the default behavior when you double-click on a .ps1 file: notepad.exe opens it, nothing is executed.

Set-ItemProperty -Path `
"HKLM:\SOFTWARE\Classes\Microsoft.PowerShellScript.1\Shell\0\Command" `
-Name '(default)' -Value '"C:\Windows\System32\notepad.exe" "%1"'

Anybody logging on this machine will now benefit from the new behavior.
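
The check below is an added example, not code from the original post: it audits the Shell\0 verb command examined above and looks in both HKLM and HKCU, because per-user class registrations take precedence over machine-wide ones in the merged HKEY_CLASSES_ROOT view. The function names are hypothetical, and the two sample command lines are the ones shown on this page.

```powershell
# Added example: audit the "Run with PowerShell" verb (Shell\0) of the
# Microsoft.PowerShellScript.1 ProgID. Function names are hypothetical.

function Test-RunWithPowerShellCommand {
    # Classify a verb command line: does it hand the script to a PowerShell host,
    # and does it relax the execution policy while doing so?
    param([Parameter(Mandatory)][string]$CommandLine)

    $launchesHost = $CommandLine -match '\b(powershell|pwsh)(\.exe)?\b'
    $setsBypass   = $CommandLine -match '(Set-ExecutionPolicy\b.*\bBypass|-(ep|ex\w*)\s+Bypass)'
    [pscustomobject]@{
        ExecutesScript = [bool]$launchesHost
        SetsBypass     = [bool]($launchesHost -and $setsBypass)
        CommandLine    = $CommandLine
    }
}

function Get-RunWithPowerShellVerb {
    # HKCU\Software\Classes overrides HKLM\SOFTWARE\Classes in the merged
    # HKEY_CLASSES_ROOT view, so a per-user key can undo a machine-wide fix.
    $sub = 'Classes\Microsoft.PowerShellScript.1\Shell\0\Command'
    foreach ($root in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
        $path = "$root\$sub"
        if (Test-Path -LiteralPath $path) {
            $cmd = (Get-ItemProperty -LiteralPath $path).'(default)'
            if ($cmd) {
                Test-RunWithPowerShellCommand -CommandLine $cmd |
                    Add-Member -NotePropertyName Path -NotePropertyValue $path -PassThru
            }
        }
    }
}

# The two command lines shown on this page, used as offline sample input.
$samples = @(
    '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne ''AllSigned'') { Set-ExecutionPolicy -Scope Process Bypass }; & ''%1''"'
    '"C:\Windows\System32\notepad.exe" "%1"'
)
$samples | ForEach-Object { Test-RunWithPowerShellCommand -CommandLine $_ } |
    Format-List ExecutesScript, SetsBypass, CommandLine

# On a Windows machine, report what is actually registered in each hive.
Get-RunWithPowerShellVerb | Format-List Path, ExecutesScript, SetsBypass, CommandLine
```

The first sample is reported with ExecutesScript and SetsBypass both True, the notepad.exe replacement with both False.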
