powershellregistryvisual-studio-code

VSCode overrides PowerShell ExecutionPolicy


When using Get-ExecutionPolicy -list within VSCode for PowerShell v5 x64 & x86 it returns the following:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process          Bypass
  CurrentUser       Undefined
 LocalMachine       Undefined

When using the same command within VSCode and using a PowerShell v7 console it returns:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process    RemoteSigned
  CurrentUser       Undefined
 LocalMachine    RemoteSigned

There are 2 registry entries that set the ExecutionPolicy (Originally: ByPass)

HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\0\Command      REG_SZ  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process RemoteSigned }; & '%1'" 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellScript.1\Shell\0\Command        REG_SZ  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process RemoteSigned }; & '%1'"

These 2 entries were originally set to Set the Execution Policy to ByPass , and I have set these 2 entries manually to RemoteSigned. (why are these 2 entries within the registry and why were they set to bypass?!).

There are no further Policies set for PowerShell within the registry then these 2 entries. Setting these to RemoteSigned seemed to have done the trick for v7 but not for v5.

When checking the ExecutionPolicy within a v5 PowerShell Console they are all undefined.

when checking the vscode-powershell.log it says that it starts PowerShell with arguments:
PowerShell args: -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Import-Module ...

I can see the vscode powershell extension sets some of these parameters within the following file: C:\Users\UserName.vscode\extensions\ms-vscode.powershell-2020.3.0\out\src\process.js
But I am not sure if this is the correct file to make these changes.

I want to be able to check/set the ExecutionPolicy for VSCode to RemoteSigned when it starts the language server , where do I do this?

Also , Why are there 2 entries within the registry that sets the ExecutionPolicy to ByPass when the ExecutionPolicy Not Equals AllSigned. This might have occurred after having installed Chocolatey using their one line installer: Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

Im not using any profiles.

I know its a bit messy, sorry for that , my main question is where VSCode sets the ExecutionPolicy when starting the language server and can I change this. When doing some investigation, I figured there was 2 registry entries that sets the ExecutionPolicy to bypass , why is that , is that standard , looks like a security issue. (which might have caused by installing chocolatey, not sure)


Solution

  • The PowerShell extension for Visual Code respects the persistent execution policy settings[1] of whatever PowerShell version / edition it is configured to use (see this answer); to manage these settings, call Set-ExecutionPolicy from the respective version / edition, as a one-time configuration step.

    If you want to override the persistently configured policy in Visual Studio Code, add a Set-ExecutionPolicy command to the $PROFILE file as used by the PowerShell extension:


    As for your question:

    Since HKEY_CLASSES_ROOT is a composite view of HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes, there is only one entry in this case, which you can access with either key path.

    This entry, however, does not control the persistent execution policies for Windows PowerShell; instead, it is a convenience context-menu command definition that allows you to execute a *.ps1 file directly from File Explorer or the desktop. As a security feature, the command ensures that the execution policy in effect for the process being created only (-Scope Process) is at least as restrictive as RemoteSigned.


    [1] Optional reading: Where PowerShell editions store their (non-GPO) persistent execution-policy settings:

    The following applies to Windows only, because execution policies are fundamentally unsupported on Unix-like platforms.

    Note:

    PowerShell [Core] (version 6 or higher) stores the settings in .json files:

    Windows PowerShell (version up to 5.1) stores the settings in the registry (keys won't exist, if you've never run Set-ExecutionPolicy or if you run Set-ExecutionPolicy to set a scope's policy to Undefined):