Home Blog EXE Generator: Untrusted Network Protection

EXE Generator: Untrusted Network Protection

Starting with ISESteroids, you can now control how PowerShell EXEs should behave when they are located on non-trusted network shares. Let us quickly walk you through the new options.

untrusted network protection

Untrusted Network Protection

If you run a PowerShell EXE from a local drive, the following does not apply to you. It only affects EXEs that are launched from a network location (which could be a roaming profile, too).

Windows differentiates between trusted and untrusted network locations. An untrusted network location can be a share that is outside your domain, or a share referenced via IP address. By default, the technique used by previous versions of ISESteroids would not allow EXEs to run from such locations. The reason is security: when binaries are launched from untrusted network locations, anyone in control of these network infrastructure could act as man-in-the-middle, and inject unwanted code. So in general, untrusted network protection is a good thing.

However, the error message emitted in such cases was confusing. So changes this and outputs a meaningful error message.

Turning Off the Untrusted Network Protection

There are valid use cases where you want to run an EXE no matter where it is located. Therefore, adds a new option to the dialog that opens when you choose Tools/Turn Code into EXE. The new option is labelled “Untrusted Network Protection” and is unchecked by default, thus turning the network protection off by default.

Any EXE created this way will launch even when the EXE is located on an untrusted share. Although that is not entirely true. The technique used here requires at least .NET Framework 4.0. So with old PowerShell versions like PowerShell 2.0, you might still not be able to run EXEs from untrusted network locations.