Query Exchange

  • 1.  Powershell Execution Policy inquiry (machine)

    Posted May 31, 2022 03:15 PM

    Description: This query looks for the 'ExecutionPolicy' registry key under the HKLM hive to provide information on the PowerShell script execution policy in the local computer context.

    What The Data Shows: The value provided is the value native to PowerShell which determines the PowerShell script execution policy, as described in Microsoft's documentation[1]. This can be useful for IT hygiene as well as for keeping systems secure by later changing the values if deemed necessary.

    SQL: SELECT data, path FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell' AND name = 'ExecutionPolicy';

    EDIT: As per suggested by  

    SELECT data AS 'execution_policy',
      'machine' AS 'scope',
      datetime(mtime, 'unixepoch', 'localtime') AS mtime
    FROM registry
    WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
      AND name = 'ExecutionPolicy';

     

    [1] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.2


    #Compliance
    #Windows
    #Community
    #ITHygiene
    #VulnerabilityManagement


  • 2.  RE: Powershell Execution Policy inquiry (machine)

    Broadcom Employee
    Posted Jun 01, 2022 06:17 PM

    Thanks a lot for your contribution! I did make a few changes to your query and if you want to include them you can edit your post:

    SELECT data AS 'execution_policy',
      'machine' AS 'scope',
      datetime(mtime, 'unixepoch', 'localtime') AS mtime
    FROM registry
    WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
      AND name = 'ExecutionPolicy';
     
    Your post also inspired me to write one for the user execution policy which I will post by itself.


  • 3.  RE: Powershell Execution Policy inquiry (machine)

    Posted Jun 01, 2022 06:26 PM

     

    Thank you! I amended my original post with your suggestion.

    Have a good one!



  • 4.  RE: Powershell Execution Policy inquiry (machine)

    Posted Jun 03, 2022 07:36 PM

    For those who are interested, this is the post by  that has the same query, but for the user context.

    https://community.carbonblack.com/t5/Query-Exchange/Powershell-Execution-Policy-inquiry-user/idi-p/113027
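
Added example, not from any post in this thread: the machine-scope query extended to the other machine-level locations that can hold an `ExecutionPolicy` value, with a short note on what each value enforces. The WOW6432Node and Group Policy key paths, the `scope` labels and the `enforcement` column are assumptions of this example; the notes follow the about_Execution_Policies documentation linked as [1].

```sql
-- Added example (not the posters' query). Same osquery registry table,
-- widened to three machine-level keys. A Group Policy value (MachinePolicy)
-- takes precedence over the LocalMachine value when both are set.
-- A key that returns no row has no ExecutionPolicy value set (Undefined).
SELECT
  CASE
    WHEN key LIKE '%\Policies\%'    THEN 'machine_policy (GPO)'
    WHEN key LIKE '%\WOW6432Node\%' THEN 'machine (32-bit PowerShell)'
    ELSE 'machine'
  END AS scope,
  data AS execution_policy,
  CASE lower(data)
    WHEN 'restricted'   THEN 'scripts blocked'
    WHEN 'allsigned'    THEN 'all scripts must be signed'
    WHEN 'remotesigned' THEN 'downloaded scripts must be signed'
    WHEN 'unrestricted' THEN 'unsigned scripts run (warning on downloaded scripts)'
    WHEN 'bypass'       THEN 'nothing blocked, no warnings'
    ELSE 'review manually'
  END AS enforcement,
  datetime(mtime, 'unixepoch', 'localtime') AS mtime
FROM registry
WHERE key IN (
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell',
    'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
  )
  AND name = 'ExecutionPolicy';
```

The `mtime` column is the last-write time of the key, which helps when checking whether the policy was changed recently on a host.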