Scheduled Tasks & Signed Scripts

    Question

  • I'm looking into signing all of our PowerShell admin scripts and using "Set-ExecutionPolicy AllSigned".  One of the tests I'm doing right now is to sign a script used in a scheduled task, then modify it without re-signing.  All works fine when the script is properly signed.  When I modify it without re-signing is where I'm having difficulty.  Launching the script from a PowerShell command line I get:

    PS E:\posh> .\hw.ps1
    File E:\posh\hw.ps1 cannot be loaded. The contents of file E:\posh\hw.ps1 may have been tampered because the hash of the file does not match the hash stored in the digital signature. The script will not execute on the system. Please see "get-help about_signing" for more details..
    At line:1 char:9
    + .\hw.ps1 <<<<
        + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
        + FullyQualifiedErrorId : RuntimeException

    Yet the scheduled task shows it completed successfully without any mention of an error occurring.

    <snip>action "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" with return code 0.

    There also wasn't anything logged to the Windows Event Logs (inc: system, application, security, powershell).  Can someone help me think out of the box on how to trap this error?  Ideally I would like something to be logged if this occurs so an alert can be generated.  Without daisy chaining scripts.  :^)

    Friday, August 10, 2012 11:43 PM

Answers

  • get-help about_eventlogs

    Set $LogCommandHealthEvent to $true ($LogCommandHealthEvent = 1)

    $LogEngineLifeCycleEvent     Logs starting and stopping of
                                 Windows PowerShell.
    
    $LogEngineHealthEvent        Logs Windows PowerShell program errors.
    
    $LogProviderLifeCycleEvent   Logs starting and stopping of
                                 Windows PowerShell providers.
    
    $LogProviderHealthEvent      Logs Windows PowerShell provider errors.
    
    $LogCommandLifeCycleEvent    Logs starting and completion of commands.
    
    $LogCommandHealthEvent       Logs command errors.

    • Marked as answer by pjhanson Monday, August 13, 2012 4:14 PM
    Sunday, August 12, 2012 11:07 AM
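One way to apply this answer, as an added example that is not part of Kazun's reply or the original thread: a script that appends the $LogCommandHealthEvent line to the All Users, All Hosts profile and then re-signs the profile so it still loads under AllSigned. It assumes a code-signing certificate is present in Cert:\CurrentUser\My; the profile path is taken from $PROFILE.AllUsersAllHosts rather than hard-coded.

```powershell
# Added example (not from the thread). Run elevated: the AllUsersAllHosts profile lives
# under $PSHOME, so writing it needs administrator rights.
# Assumption: a code-signing certificate is present in Cert:\CurrentUser\My.

$profilePath = $PROFILE.AllUsersAllHosts
$setting     = '$LogCommandHealthEvent = $true'

# 1. Create the profile if it is missing, then add the preference line once.
if (-not (Test-Path -Path $profilePath)) {
    New-Item -ItemType File -Path $profilePath -Force | Out-Null
}
$alreadySet = Select-String -Path $profilePath -Pattern ([regex]::Escape($setting)) -Quiet
if (-not $alreadySet) {
    Add-Content -Path $profilePath -Value $setting
}

# 2. Re-sign the profile. Any edit after signing (including the Add-Content above)
#    invalidates the old signature, which is exactly what AllSigned is meant to catch.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) {
    throw 'No code-signing certificate found in Cert:\CurrentUser\My'
}
$signature = Set-AuthenticodeSignature -FilePath $profilePath -Certificate $cert

# 3. Verify before relying on it: the status must be Valid, otherwise the profile
#    is refused at startup and $LogCommandHealthEvent is never set.
if ($signature.Status -ne 'Valid') {
    throw "Signing failed for $profilePath : $($signature.Status) - $($signature.StatusMessage)"
}
Get-AuthenticodeSignature -FilePath $profilePath | Format-List Path, Status, SignerCertificate

# 4. Reminder for the task definition: the action must NOT pass -noprofile, e.g.
#    -nologo -noninteractive -file e:\posh\hw.ps1
```

Because the preference lives in the profile, any PowerShell session started with -noprofile (the OP's original task action, or any other task or user that keeps that switch) still runs without Command Health logging and will report return code 0 exactly as before; check every task action, not just the one under test.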

All replies

  • Does the "tampered" script run stand-alone?  (i.e., not through TS, but directly)

    Grant Ward, a.k.a. Bigteddy

    Saturday, August 11, 2012 7:13 AM
  • Does the "tampered" script run stand-alone?  (i.e., not through TS, but directly)

    Grant Ward, a.k.a. Bigteddy

    I think the error message noted in the OP's post resulted from an attempt to run the script from the powershell console.

    I'm wondering exactly how the script was run as a scheduled task. If run indirectly by a batch script, that script would have needed to pass the errorlevel code back.


    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.

    Saturday, August 11, 2012 4:05 PM
  • Running the tampered script produces the error previously provided:

    PS E:\posh> .\hw.ps1
    File E:\posh\hw.ps1 cannot be loaded. The contents of file E:\posh\hw.ps1 may have been tampered because the hash of the file does not match the hash stored in the digital signature. The script will not execute on the system. Please see "get-help about_signing" for more details..
    At line:1 char:9
    + .\hw.ps1 <<<<
        + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
        + FullyQualifiedErrorId : RuntimeException

    Monday, August 13, 2012 3:40 AM
  • The Action is set to Start a program.

    Program/script:
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

    Add arguments (optional):
    -nologo -noprofile -noninteractive -file e:\posh\hw.ps1

    Monday, August 13, 2012 3:43 AM
  • Thanks Kazun!  That did the trick!

    In the All Users, All Hosts profile ($Profile.AllUsersAllHosts) I had to set the variable:
    $LogCommandHealthEvent = $true

    Since my execution policy is currently set to AllSigned, I also had to sign the profile otherwise it wouldn't load.

    Finally I removed the "-noprofile" switch from my scheduled task action so the above profile would load.

    Now the following event appears:

    Log Name:      Windows PowerShell
    Source:        PowerShell
    Date:          8/13/2012 9:14:02 AM
    Event ID:      200
    Task Category: Command Health
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      FOO.domain.com
    Description:
    Command Health: File E:\posh\hw.ps1 cannot be loaded. The contents of file E:\posh\hw.ps1 may have been tampered because the hash of the file does not match the hash stored in the digital signature. The script will not execute on the system. Please see "get-help about_signing" for more details...

    Details:
     ExceptionClass=PSSecurityException
     ErrorCategory=NotSpecified
     ErrorId=RuntimeException
     ErrorMessage=File E:\posh\hw.ps1 cannot be loaded. The contents of file E:\posh\hw.ps1 may have been tampered because the hash of the file does not match the hash stored in the digital signature. The script will not execute on the system. Please see "get-help about_signing" for more details..

     Severity=Warning

     SequenceNumber=10

     HostName=ConsoleHost
     HostVersion=2.0
     HostId=95cc73b9-a04a-42a6-86e3-71a369427a6b
     EngineVersion=2.0
     RunspaceId=2ddb48c4-b1b5-41b5-b361-19a7b0aa26e3
     PipelineId=2
     CommandName=
     CommandType=
     ScriptName=
     CommandPath=
     CommandLine=

    Monday, August 13, 2012 4:23 PM
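To turn the event above into an alert, here is an added example that is not code from the thread: a query that pulls Windows PowerShell log event ID 200 (Command Health) entries from the last hour whose details carry the PSSecurityException hash-mismatch text and, if any are found, writes a distinct Application-log event that a monitoring tool can subscribe to. The log name, event ID 200 and the matched message strings come from the event the OP posted; the source name ScriptSignatureMonitor and event ID 9001 are placeholders chosen for this example, and New-Object PSObject is used instead of [pscustomobject] so it also runs on the PowerShell 2.0 host shown in the event.

```powershell
# Added example (not from the thread). Finds Command Health events that record a
# signed script being refused because its hash no longer matches its signature,
# then raises one alert event per refused script. Run elevated so the event
# source can be registered on first use.
param(
    [int]$LookbackMinutes = 60,
    [string]$AlertSource  = 'ScriptSignatureMonitor',   # placeholder name
    [int]$AlertEventId    = 9001                        # placeholder id
)

$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Windows PowerShell'   # log name from the posted event
    Id        = 200                    # Command Health
    StartTime = $since
} -ErrorAction SilentlyContinue        # "no events found" is not an error here

$tampered = foreach ($e in $events) {
    # Both strings appear in the Details / ErrorMessage block of the event.
    if ($e.Message -match 'ExceptionClass=PSSecurityException' -and
        $e.Message -match 'hash of the file does not match the hash stored in the digital signature') {

        # Recover the refused script path from "File <path> cannot be loaded".
        $path = '<unknown>'
        if ($e.Message -match 'File\s+(?<p>\S+?)\s+cannot be loaded') { $path = $Matches['p'] }

        New-Object PSObject -Property @{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            ScriptPath  = $path
            RecordId    = $e.RecordId
        }
    }
}

if (-not $tampered) {
    Write-Verbose "No signature-mismatch events since $since"
    return
}

# Register the alert source once, then emit one event per distinct script path so the
# alert carries the offending file rather than just a count.
if (-not [System.Diagnostics.EventLog]::SourceExists($AlertSource)) {
    New-EventLog -LogName Application -Source $AlertSource
}
foreach ($t in ($tampered | Sort-Object ScriptPath -Unique)) {
    $msg = 'Signed script refused (signature/hash mismatch): {0} on {1} at {2} (PowerShell log record {3})' -f `
           $t.ScriptPath, $t.Computer, $t.TimeCreated, $t.RecordId
    Write-EventLog -LogName Application -Source $AlertSource -EventId $AlertEventId -EntryType Warning -Message $msg
}
$tampered
```

Run this as its own scheduled task (or from the monitoring agent) on the hosts that execute signed scripts. It depends entirely on the profile-based $LogCommandHealthEvent setting above having loaded: a task that still passes -noprofile produces no event 200 and keeps returning 0, so an empty result from this query means "nothing logged", not "nothing tampered with".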