The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Powershell Execution Policy inquiry (machine)

Description: This query looks for the 'ExecutionPolicy' registry key under HKLM hive to provide information on Powershell script execution policy on the local computer context.

What The Data Shows: The value provided is the value native to Powershell which determines Powershell scripts execution policy, as per described in Microsoft's documentation[1]. This can be useful for IT hygiene as well as for keeping systems secure by later changing the values if deemed necessary.

SQL: SELECT data, path FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell' AND name = 'ExecutionPolicy';

EDIT: As per suggested by @jnelson 

SELECT data AS 'execution_policy',
  'machine' AS 'scope',
  datetime(mtime, 'unixepoch''localtime'AS mtime
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy';



Carbon Black Employee
Status changed to: Approved

@HenriqueLima Thanks a lot for your contribution! I did make a few changes to your query and if you want to include the you can edit your post:

SELECT data AS 'execution_policy',
  'machine' AS 'scope',
  datetime(mtime, 'unixepoch', 'localtime') AS mtime
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy';
Your post also inspired me to write one for the user execution policy which I will post by itself.
New Contributor II


Thank you! I amended my original post with your suggestion.

Have a good one!

New Contributor II

For those who are interested, this is the post by @jnelson that has the same query, but for the user context.