Can I Prevent Scripts from running under a 2.0 Context in PowerShell on a Windows 7 Machine

  • Question

  • I understand that these machines should be upgraded to Windows 10. However, they will not be upgraded until the end of 2018. I want to make sure Windows 7 is secure by somehow removing PowerShell "old". I know that Windows PowerShell 2.0 is built into Windows 7 and is not an optional feature like it is on Windows 10, so I cannot simply disable the powershell version 2 feature.  Thanks in advance for any help on this question.
    Wednesday, January 3, 2018 4:22 PM

All replies

  • Just uninstall PS2.  When V5.1 is installed all versions from V3 to V5 should work but an error will be returned if you try to do this:

    powershell -version 2


    \_(ツ)_/

    Wednesday, January 3, 2018 4:35 PM
  • What would be the best way to do this? Should I search for the KB that corresponds with version 2.0, or should I uninstall the framework instead? 
    Wednesday, January 3, 2018 4:57 PM
  • Upgrading PS on Win7 replaces PS 2 with the newer version.  On WS2012 and later servers and W10 workstations PS 2 support is optional and can be turned off.


    \_(ツ)_/

    Wednesday, January 3, 2018 5:06 PM
  • That is basically what I figured, and thank you for reassuring me on that. What I understand is that on Windows 7 PowerShell is preinstalled, and on Windows 8 and above PowerShell is an optional feature that allows version 2.0 to run side by side. The PC has PowerShell version 5.0 installed. However, when I run the powershell -version 2 command it does not throw any error.
    Wednesday, January 3, 2018 5:31 PM
  • Hi,

    According to the current situation, I recommend running $PSVersionTable to get the current PowerShell version.

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, January 4, 2018 9:18 AM
  • Thank you for replying, but how does that answer my question? Please read my question and the responses before responding. 
    Thursday, January 4, 2018 6:40 PM
  • Thank you for replying, but how does that answer my question? Please read my question and the responses before responding. 

    I think he means check the version and exit the script.


    \_(ツ)_/

    Thursday, January 4, 2018 7:22 PM
  • Hi,

    Based on my research, there might be no built-in way to disable PowerShell v2 in Windows 7.

    Also, if you need any help regarding Windows 7, you can seek help in our Windows 7 forum:
    https://social.technet.microsoft.com/Forums/windows/en-US/home?category=w7itpro
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.

    Thanks for your understanding and cooperation.

    Best Regards,
    Albert


    Monday, January 8, 2018 11:04 AM
  • Oh okay, but I want the Windows 7 OS to prevent PowerShell scripts from running on the 2.0 engine? That check would work if it were my own scripts, but how does that block someone else's PowerShell script from using PowerShell 2.0?
    Monday, January 8, 2018 10:27 PM
  • Thank you for your research.
    Monday, January 8, 2018 10:28 PM
  • Hi,

    Also, I would suggest you open up a case with Microsoft Technical Support to see if they could get more information regarding this problem: https://www.microsoft.com/en-us/worldwide.aspx.

    Thanks for your understanding and cooperation.

    Best Regards,
    Albert


    Wednesday, January 10, 2018 8:34 AM
  • It's almost not possible. If we analyze the requirement, you need a mechanism which should keep an eye on every command/script/module execution like a spy. I don't think we have any such tools provided by Microsoft.

    Alternatively, create a GPO to identify the machines with PowerShell 2.0, and on that list of computers you can apply the PowerShell execution policy "Restricted". This way you can prevent others as well from running scripts on the PS 2.0 engine.

    • Proposed as answer by KLVSagar Wednesday, January 17, 2018 6:30 PM
    Wednesday, January 10, 2018 11:07 AM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If not, please reply and tell us the current situation so that we can provide further help.

    I appreciate your feedback.

    Best Regards,
    Albert


    Friday, January 12, 2018 7:49 AM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If not, please reply and tell us the current situation so that we can provide further help.

    I appreciate your feedback.

    Best Regards,
    Albert


    Tuesday, January 16, 2018 2:28 AM
  • Hi pappa31 -

    I had the exact same question as you: Disabling PowerShell v2.0 on Windows 7 when 5.1 is installed.  Unfortunately, this thread didn't have any information to solve the problem, but in the course of follow-on research, I found this great Lee Holmes post for using AppLocker or Software Restriction Policies (SRP) to block the older binaries while still allowing PS version 5.1 (or higher) on Windows 7:

    Essentially, and not my own work product, you'll run the following commands to determine where your PS 2.0 binaries reside:

    powershell -version 2 -noprofile -command "(Get-Item ([PSObject].Assembly.Location)).VersionInfo"

    and

    powershell -version 2 -noprofile -command "(Get-Item (Get-Process -id $pid -mo | ? { $_.FileName -match 'System.Management.Automation.ni.dll' } | % { $_.FileName })).VersionInfo"

    Then, you'll probably need to create path rules in either method that suits your environment; however, I caution you to read the entire blog excerpt here and test extensively:

    http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/

    As for the comment, "Alternatively, create a GPO to identify the machines with PowerShell 2.0 and on those list of computers you can apply the PowerShell execution policy to 'Restricted'," please see the following MSDN blog post and associated comment:

    "ExecutionPolicy is like a baby door. The ExecutionPolicy keeps babies safe but every grown-up surpasses it easily.

    There are like over 20 ways to surpass the ExecutionPolicy even as a standard user. Therefore you should set it via GPO as you like it. (RemoteSigned e.g.) It may prevent some people using Powershell scripts from the internet but you should not count on it."

    From: https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/

    Unfortunately, this article is wrong for disabling PowerShell v2.0 on Windows 7, but DOES apply to Windows 8.x and 10 (use Disable-WindowsOptionalFeature for MicrosoftWindowsPowerShellV2Root):

    https://blogs.msdn.microsoft.com/powershell/2017/08/24/windows-powershell-2-0-deprecation/

    Hopefully, it will help the next person that stumbles onto this thread days/months/years later.

    Correction:  I could not get the restrictions to work with SRP but was successful with AppLocker and enabling DLL rule processing (using wildcards and path rules for the two PS 2.0 DLLs)


    • Edited by S. Oxford Tuesday, May 8, 2018 7:04 PM Correction
    Tuesday, May 8, 2018 4:05 PM
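
One way to turn the two discovered DLL paths into the AppLocker DLL path rules described in the post above. This is an added example, not code from the thread or from the linked blog; the function names, the output file name and the sample paths are assumptions, and the sample paths must be replaced with what the two discovery commands print on your machines.

```powershell
# Added example: build an AppLocker DLL rule collection that denies the
# PowerShell 2.0 engine assemblies while allowing every other DLL.

function ConvertTo-AppLockerPath {
    param([Parameter(Mandatory)][string]$Path)
    # Use AppLocker's %WINDIR% variable instead of a literal drive path.
    $p = $Path -replace ('^' + [regex]::Escape($env:windir)), '%WINDIR%'
    # Native-image folders include a per-machine hash directory: wildcard it.
    $p -replace '\\[0-9a-f]{32}\\', '\*\'
}

function New-Ps2DllBlockPolicy {
    param(
        [Parameter(Mandatory)][string[]]$Ps2DllPath,
        # Start in audit mode; switch to Enabled only after testing.
        [ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly'
    )
    $newRule = {
        param($Name, $Action, $RulePath)
        $escaped = [System.Security.SecurityElement]::Escape($RulePath)
        ('    <FilePathRule Id="{0}" Name="{1}" Description="" ' +
         'UserOrGroupSid="S-1-1-0" Action="{2}">') -f [guid]::NewGuid(), $Name, $Action
        "      <Conditions><FilePathCondition Path=`"$escaped`" /></Conditions>"
        '    </FilePathRule>'
    }
    $xml = @('<AppLockerPolicy Version="1">',
             "  <RuleCollection Type=`"Dll`" EnforcementMode=`"$Mode`">")
    # An enforced collection denies anything without an allow rule, so allow
    # every DLL first; the deny rules below take precedence over it.
    $xml += & $newRule 'Allow all DLLs' 'Allow' '*'
    foreach ($dll in $Ps2DllPath) {
        $leaf = Split-Path $dll -Leaf
        $xml += & $newRule "Deny PS 2.0 engine ($leaf)" 'Deny' (ConvertTo-AppLockerPath $dll)
    }
    $xml += '  </RuleCollection>', '</AppLockerPolicy>'
    $xml -join "`r`n"
}

# Constructed sample input (the hash directory is made up): replace with the
# FileName values reported by the two "powershell -version 2" commands.
$sample = @(
    "$env:windir\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll",
    "$env:windir\assembly\NativeImages_v2.0.50727_64\System.Management.Automation\0123456789abcdef0123456789abcdef\System.Management.Automation.ni.dll"
)
New-Ps2DllBlockPolicy -Ps2DllPath $sample | Set-Content -Path .\ps2-dll-block.xml
```

The resulting file can be imported into a GPO's AppLocker node or applied locally with `Set-AppLockerPolicy -XmlPolicy`. Keep it in `AuditOnly` until the AppLocker event log shows only the two PowerShell 2.0 DLLs being flagged.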
  • Hi,

    Just use this at the beginning of all your scripts:

    #Requires -Version 3.0

    This will prevent the script from launching in PowerShell versions lower than 3.0.


    Thursday, May 10, 2018 11:38 AM
  • Hi Evgeny -

    Thanks for the reply, but it unfortunately doesn't answer the question.  They (and I) are trying to prevent PowerShell 2.0 from being launched at all (script or command line [e.g., C:\powershell.exe -Version 2 "some code here"]) in Windows 7.  If there were a malicious attempt to intentionally "downgrade" PowerShell to version 2 (say a red-teamer, hacker, or penetration tester on your network) and elude the enhanced features in PS 5 (like logging), then using "#Requires -Version 3.0" would not do anything helpful--an attacker isn't going to run 3.0 and higher if they can elude your attempts at tracking them by not typing the above at the beginning of their scripts.  Make sense?

    Also, as mentioned before, Windows 10 can safely (as far as I can tell) remove 2.0 through "Optional Features," but that isn't available on Windows 7.  The only thing that I've found (other than a non-Microsoft, third-party application control solution) that would be native to Windows is an AppLocker policy to prevent the v2.0 Native Image and MSIL files from loading in accordance with the above links.


    S. Oxford MCT, MCSE, MCSA (Security + Exchange), MCP (SMS 2003), CCNP, CCNA, Security+, Server+, Network+, A+

    Friday, May 11, 2018 3:20 AM
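
A version 2 engine start still leaves a record in the classic "Windows PowerShell" event log: event ID 400 carries an `EngineVersion=` field. The check below is an added example, not code from the thread; the function name and the sample records are constructed. It lists engine starts below 3.0, which also confirms whether a blocking policy is holding.

```powershell
# Added example: flag engine-start records (event ID 400) in the classic
# "Windows PowerShell" log whose EngineVersion is below 3.0.
function Find-Ps2EngineStart {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        if ($Record.Id -ne 400) { return }
        # Records without a parsable EngineVersion field are skipped.
        if ($Record.Message -notmatch 'EngineVersion=(\d+(?:\.\d+)+)') { return }
        $engine = [version]$Matches[1]
        if ($engine -ge [version]'3.0') { return }
        # HostApplication shows the command line that started the engine.
        $hostApp = $null
        if ($Record.Message -match 'HostApplication=([^\r\n]*)') {
            $hostApp = $Matches[1].Trim()
        }
        [pscustomobject]@{
            TimeCreated     = $Record.TimeCreated
            EngineVersion   = $engine
            HostApplication = $hostApp
        }
    }
}

# Constructed sample records in the shape Get-WinEvent returns.
$sample = @(
    [pscustomobject]@{
        Id = 400; TimeCreated = [datetime]'2018-05-11T03:00:00'
        Message = "Engine state is changed from None to Available.`r`n" +
                  "`tHostApplication=powershell -version 2 -noprofile`r`n" +
                  "`tEngineVersion=2.0`r`n"
    },
    [pscustomobject]@{
        Id = 400; TimeCreated = [datetime]'2018-05-11T03:05:00'
        Message = "Engine state is changed from None to Available.`r`n" +
                  "`tHostApplication=powershell.exe`r`n" +
                  "`tEngineVersion=5.1.14409.1005`r`n"
    }
)
$sample | Find-Ps2EngineStart    # only the 2.0 record is returned

# Against the live log on a workstation:
# Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } |
#     Find-Ps2EngineStart
```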