
PowerShell Execution Policy inquiry (machine)

Description: This query looks for the 'ExecutionPolicy' registry key under the HKLM hive to provide information on the PowerShell script execution policy in the local computer context.

What The Data Shows: The value returned is the native PowerShell value that determines the script execution policy, as described in Microsoft's documentation [1]. This can be useful for IT hygiene as well as for keeping systems secure by later changing the value if deemed necessary.

SQL: SELECT data, path FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' AND name = 'ExecutionPolicy';

EDIT: As suggested by @jnelson

SELECT data AS 'execution_policy',
  'machine' AS 'scope',
  datetime(mtime, 'unixepoch', 'localtime') AS mtime
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy';


[1] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_p...
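The query above reads only the LocalMachine scope. Windows PowerShell resolves the effective policy from several scopes, and a Group Policy value under the Policies keys overrides anything set in ShellIds, so a host that looks "AllSigned" in HKLM can still be "Unrestricted" for a given user, or the reverse. The following osquery SQL, written here as an added example rather than taken from the original post, unions the registry-backed scopes into one result set with the precedence PowerShell applies (lowest number wins). It assumes the standard Group Policy locations HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell and HKU\<SID>\SOFTWARE\Policies\Microsoft\Windows\PowerShell, and that the agent runs as SYSTEM, which is why HKEY_USERS is enumerated instead of HKEY_CURRENT_USER. The Process scope (the -ExecutionPolicy switch or $env:PSExecutionPolicyPreference) exists only inside a running process and cannot be read from the registry; precedence 3 is left unused for it.

```sql
-- Added example, not code from the original post. Lists every registry location
-- that can set the Windows PowerShell 5.1 execution policy, with PowerShell's
-- scope precedence (lower number wins for the SID in question).
-- Assumed paths: the Policies keys are the ones written by the
-- "Turn on Script Execution" Group Policy setting.
-- The SID is cut out of the HKEY_USERS key path (offset 12 = after 'HKEY_USERS\').
SELECT 1 AS precedence,
       'MachinePolicy' AS scope,
       NULL AS sid,
       data AS execution_policy,
       datetime(mtime, 'unixepoch', 'localtime') AS mtime,
       key
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
  AND name = 'ExecutionPolicy'
UNION ALL
SELECT 2,
       'UserPolicy',
       substr(key, 12, instr(substr(key, 12), '\') - 1),
       data,
       datetime(mtime, 'unixepoch', 'localtime'),
       key
FROM registry
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
  AND name = 'ExecutionPolicy'
UNION ALL
-- precedence 3 = Process scope: set per process, never stored in the registry
SELECT 4,
       'CurrentUser',
       substr(key, 12, instr(substr(key, 12), '\') - 1),
       data,
       datetime(mtime, 'unixepoch', 'localtime'),
       key
FROM registry
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy'
UNION ALL
SELECT 5,
       'LocalMachine',
       NULL,
       data,
       datetime(mtime, 'unixepoch', 'localtime'),
       key
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy'
ORDER BY precedence, sid;
```

For a given user, the row with the lowest precedence number (considering the two NULL-sid machine rows plus that user's rows) is what Get-ExecutionPolicy reports in that user's session, unless a Process-scope override is in play; running Get-ExecutionPolicy -List on the host is the quickest cross-check. Two caveats worth keeping in mind when using this for hygiene: Microsoft documents the execution policy as a safety feature, not a security boundary, since any user can start powershell.exe with -ExecutionPolicy Bypass, so treat a permissive value as a signal to investigate rather than a control that was defeated; and these keys apply to Windows PowerShell 5.1 only, because PowerShell 7 stores its policy in powershell.config.json rather than in the registry.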

3 Comments
jnelson
Carbon Black Employee
Status changed to: Approved

@HenriqueLima Thanks a lot for your contribution! I did make a few changes to your query and if you want to include them you can edit your post:

SELECT data AS 'execution_policy',
  'machine' AS 'scope',
  datetime(mtime, 'unixepoch', 'localtime') AS mtime
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy';
Your post also inspired me to write one for the user execution policy which I will post by itself.
HenriqueLima
New Contributor II

@jnelson 

Thank you! I amended my original post with your suggestion.

Have a good one!

HenriqueLima
New Contributor II

For those who are interested, this is the post by @jnelson that has the same query, but for the user context.

https://community.carbonblack.com/t5/Query-Exchange/Powershell-Execution-Policy-inquiry-user/idi-p/1...