Built off the open source project Osquery
Description: This query looks for the 'ExecutionPolicy' registry value under the HKLM hive to report the PowerShell script execution policy in the local computer context.
What The Data Shows: The value returned is PowerShell's native setting that determines the script execution policy, as described in Microsoft's documentation[1]. This can be useful for IT hygiene as well as for keeping systems secure by later changing the values if deemed necessary.
SQL: SELECT data, path FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell' AND name = 'ExecutionPolicy';
EDIT: As suggested by @jnelson
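Added example (not part of the original post): a variant of the query above that also reads the Group Policy location for the same setting, which takes precedence over the local computer value, and reports a row when neither is set. The scope labels, the `hygiene` column and its 'review'/'ok'/'default' values are names chosen for this example; registry paths use the same escaping as the query above.

```sql
-- Added example: collect ExecutionPolicy from the Group Policy scope
-- (MachinePolicy) and the local computer scope (LocalMachine).
WITH scopes AS (
  SELECT 'MachinePolicy' AS scope, data, path
    FROM registry
   WHERE key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell'
     AND name = 'ExecutionPolicy'
  UNION ALL
  SELECT 'LocalMachine' AS scope, data, path
    FROM registry
   WHERE key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell'
     AND name = 'ExecutionPolicy'
)
-- Flag the permissive settings for follow-up; compare case-insensitively
-- because the stored string is not guaranteed to use canonical casing.
SELECT scope,
       data,
       path,
       CASE
         WHEN LOWER(data) IN ('unrestricted', 'bypass') THEN 'review'
         ELSE 'ok'
       END AS hygiene
  FROM scopes
UNION ALL
-- No value at either machine scope: PowerShell treats the policy as
-- Undefined there and falls back to its built-in default.
SELECT 'none' AS scope,
       'Undefined' AS data,
       '' AS path,
       'default' AS hygiene
 WHERE NOT EXISTS (SELECT 1 FROM scopes);
```

Per-user and per-process scopes are not covered by this query, so a 'none' row describes the machine-wide scopes only.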