Security Issues with Windows PowerShell


As with any tool as versatile as Windows PowerShell, there are bound to be some security concerns. Security, however, was one of the design goals in the development of Windows PowerShell.

When you launch Windows PowerShell, it opens in your Documents And Settings folder; this ensures you are in a directory where you will have permission to perform certain actions and activities. This is far safer than opening at the root of the drive, or even opening in system root.

To change to a directory, you cannot automatically go up to the next level; you must explicitly name the destination of the change directory operation.

The running of scripts is disabled by default and can be easily managed through group policy.

Controlling Execution of PowerShell Cmdlets

Have you ever opened a CMD interpreter prompt, typed in a command, and pressed Enter so that you could see what it does? What if that command happened to be Format C:\? Are you sure you want to format your C drive? In this section, we will look at some arguments that can be supplied to cmdlets that allow you to control the way they execute. Although not all cmdlets support these arguments, most of those included with Windows PowerShell do. The three arguments we can use to control execution are -whatif, -confirm, and suspend. Suspend is not really an argument that is supplied to a cmdlet, but rather is an action you can take at a confirmation prompt, and is therefore another method of controlling execution.

Note 

To use -whatif in a Windows PowerShell prompt, enter the cmdlet. Type the -whatif parameter after the cmdlet.

Most of the Windows PowerShell cmdlets support a “prototype” mode that can be entered using the -whatif parameter. The implementation of -whatif can be decided on by the person developing the cmdlet; however, it is the recommendation of the Windows PowerShell team that developers implement -whatif. The use of the -whatif argument is seen in the procedure below. The commands used in the procedure are in the UsingWhatif.txt file.

Using -whatif to prototype a command

  1. Start the Windows PowerShell by using Start | Run | Windows PowerShell. The PowerShell prompt will open by default at the root of your Documents And Settings.

  2. Start an instance of Notepad.exe. Do this by typing notepad and pressing the Enter key. This is shown here:

     notepad

  3. Identify the Notepad process you just started by using the Get-Process cmdlet. Type enough of the process name to identify it, and then use a wildcard asterisk (*) to avoid typing the entire name of the process. This is shown as follows:

     get-process note*

  4. Examine the output from the Get-Process cmdlet, and identify the process ID. The output on my machine is shown here. Please note that in all likelihood, the process ID used by your instance of Notepad.exe will be different from the one on my machine.

     Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
     -------  ------    -----      ----- -----   ------     -- -----------
          39       2      944        400    29     0.05   1056 notepad

  5. Use -whatif to see what would happen if you used Stop-Process to stop the process ID you obtained in step 4. This process ID will be found under the Id column in your output. Use the -id parameter to identify the Notepad.exe process. The command is as follows:

     stop-process -id 1056 -whatif

  6. Examine the output from the command. It tells you that the command will stop the Notepad process with the process ID that you used in your command.

     What if: Performing operation "Stop-Process" on Target "notepad (1056)"

Tip 

To confirm the execution of a cmdlet, launch Windows PowerShell by using Start | Run | Windows PowerShell. At the Windows PowerShell prompt, supply the -whatif argument to the cmdlet.

Confirming Commands

As we saw in the previous section, we can use -whatif to prototype a cmdlet in Windows PowerShell. This is useful for seeing what a command would do; however, if we want to be prompted before the execution of the command, we can use the -confirm argument. The commands used in the Confirming the execution of cmdlets procedure are listed in the ConfirmingExecutionOfCmdlets.txt file.

Confirming the execution of cmdlets

  1. Start the Windows PowerShell by using Start | Run | Windows PowerShell. The PowerShell prompt will open by default at the root of your Documents And Settings.

  2. Start an instance of Notepad.exe. Do this by typing notepad and pressing the Enter key. This is shown here:

     notepad

  3. Identify the Notepad process you just started by using the Get-Process cmdlet. Type enough of the process name to identify it, and then use a wildcard asterisk (*) to avoid typing the entire name of the process. This is illustrated here:

     get-process note*

  4. Examine the output from the Get-Process cmdlet, and identify the process ID. The output on my machine is shown here. Please note that in all likelihood, the process ID used by your instance of Notepad.exe will be different from the one on my machine.

     Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
     -------  ------    -----      ----- -----   ------     -- -----------
          39       2      944        400    29     0.05   1768 notepad

  5. Use the -confirm argument to force a prompt when using the Stop-Process cmdlet to stop the Notepad process identified by the get-process note* command. This is shown here:

     stop-process -id 1768 -confirm

  6. The Stop-Process cmdlet, when used with the -confirm argument, displays the following confirmation prompt:

     Confirm
     Are you sure you want to perform this action?
     Performing operation "Stop-Process" on Target "notepad (1768)".
     [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
     (default is "Y"):

  7. Type y and press Enter. The Notepad.exe process ends. The Windows PowerShell prompt returns to the default ready for new commands, as shown here:

     PS C:\>
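The two procedures above drive -whatif and -confirm from the prompt. The following is an added example, not code from the book, showing how a script author follows the recommendation that cmdlets implement -whatif: an advanced function that wraps Stop-Process and declares SupportsShouldProcess, so it honours -WhatIf, -Confirm and the Suspend choice exactly as the built-in cmdlet does. The function name Stop-ProcessByName and its parameter are my own.

```powershell
# Added example (not from the book). Because the function declares
# SupportsShouldProcess, PowerShell adds -WhatIf and -Confirm to it
# automatically; the function only has to ask ShouldProcess() before
# each change.
function Stop-ProcessByName {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Wildcard pattern such as note*, as used in the procedures above
        [Parameter(Mandatory = $true)]
        [string]$Name
    )

    # Resolve the pattern to live processes instead of hard-coding an Id
    $procs = Get-Process -Name $Name -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Verbose "No process matches '$Name'; nothing to do."
        return
    }

    foreach ($p in $procs) {
        $target = "$($p.ProcessName) ($($p.Id))"
        # With -WhatIf, ShouldProcess prints the "What if:" line and
        # returns $false, so Stop-Process is never called.
        # With -Confirm it shows the [Y] [A] [N] [L] [S] prompt; choosing
        # S drops into the nested prompt, and exit returns here.
        # Note: ConfirmImpact = 'High' matches the default
        # $ConfirmPreference, so the prompt also appears without
        # -Confirm; callers can pass -Confirm:$false to skip it.
        if ($PSCmdlet.ShouldProcess($target, 'Stop-Process')) {
            Stop-Process -Id $p.Id -ErrorAction Stop
            Write-Verbose "Stopped $target"
        }
    }
}

# Prototype first, then run for real with a prompt.
Stop-ProcessByName -Name 'note*' -WhatIf
Stop-ProcessByName -Name 'note*' -Confirm
```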

Tip 

To suspend cmdlet confirmation, at the confirmation prompt from the cmdlet, type s and press Enter.

Suspending Confirmation of Cmdlets

The ability to prompt for confirmation of the execution of a cmdlet is extremely useful and at times may be vital to assisting in maintaining a high level of system uptime. There are times when you have typed in a long command and then remember that you need to do something else first. For such eventualities, you can tell the confirmation you would like to suspend execution of the command. The commands used for suspending execution of a cmdlet are in the SuspendConfirmationOfCmdlets.txt file.

Suspending execution of a cmdlet

  1. Start the Windows PowerShell by using Start | Run | Windows PowerShell. The PowerShell prompt will open by default at the root of your Documents And Settings.

  2. Start an instance of Notepad.exe. Do this by typing notepad and pressing the Enter key. This is shown here:

     notepad

  3. Identify the Notepad process you just started by using the Get-Process cmdlet. Type enough of the process name to identify it, and then use a wildcard asterisk (*) to avoid typing the entire name of the process. This is shown here:

     get-process note*

  4. Examine the output from the Get-Process cmdlet, and identify the process ID. The output on my machine is seen below. Please note that in all likelihood, the process ID used by your instance of Notepad.exe will be different from the one on my machine.

     Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
     -------  ------    -----      ----- -----   ------     -- -----------
          39       2      944        400    29     0.05   3576 notepad

  5. Use the -confirm argument to force a prompt when using the Stop-Process cmdlet to stop the Notepad process identified by the Get-Process Note* command. This is illustrated here:

     stop-process -id 3576 -confirm

  6. The Stop-Process cmdlet, when used with the -confirm argument, displays the following confirmation prompt:

     Confirm
     Are you sure you want to perform this action?
     Performing operation "Stop-Process" on Target "notepad (3576)".
     [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
     (default is "Y"):

  7. To suspend execution of the Stop-Process cmdlet, enter s. A triple arrow prompt will appear, as follows:

     PS C:\>>>

  8. Obtain a list of all the running processes that begin with the letter n. Use the Get-Process cmdlet to do this. The syntax is as follows:

     get-process n*

  9. On my machine, two processes appear. The Notepad process we launched earlier, and another process. This is shown here:

     Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
     -------  ------    -----      ----- -----   ------     -- -----------
          39       2      944        400    29     0.05   3576 notepad
          75       2     1776       2708    23     0.09    632 nvsvc32

  10. Return to the previous confirmation prompt by typing exit. This is shown here:

     exit

  11. Once again, the confirmation prompt appears as follows:

     Confirm
     Are you sure you want to perform this action?
     Performing operation "Stop-Process" on Target "notepad (3576)".
     [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
     (default is "Y"):

  12. Type y and press Enter to stop the Notepad process. There is no further confirmation. The prompt will now display the default Windows PowerShell PS>, as shown here:

     PS C:\>




Microsoft Press - Microsoft Windows PowerShell Step by Step
Microsoft® Windows PowerShell™ Step By Step (Step By Step (Microsoft))
ISBN: 0735623953
Year: 2007
Pages: 128
Authors: Ed Wilson
