About Execution Policies

Short Description

Describes the PowerShell execution policies and explains how to manage them.

Long Description

PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the unintentional execution of malicious scripts.

On a Windows computer you can set an execution policy for the local computer, for the current user, or for a particular session. You can also use a Group Policy setting to set execution policies for computers and users.

Execution policies for the local computer and current user are stored in the registry. You don't need to set execution policies in your PowerShell profile. The execution policy for a particular session is stored only in memory and is lost when the session is closed.

The execution policy isn't a security system that restricts user actions. For example, users who cannot run a script can easily bypass the policy by typing the script contents at the command line. Instead, the execution policy helps users to set basic rules and prevents them from violating those rules unintentionally. Treat it as a guard against accidents, not as a control that an attacker has to defeat.

On non-Windows computers, the default execution policy is Unrestricted and cannot be changed. The Set-ExecutionPolicy cmdlet is available, but PowerShell displays a console message that it's not supported. While Get-ExecutionPolicy returns Unrestricted on non-Windows platforms, the behavior really matches Bypass, because those platforms do not implement the Windows Security Zones.

PowerShell execution policies

Enforcement of these policies only occurs on Windows platforms. The PowerShell execution policies are as follows:

AllSigned

  • Scripts can run.
  • Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
  • Prompts you before running scripts from publishers that you haven't yet classified as trusted or untrusted.
  • Risks running signed, but malicious, scripts.

Bypass

  • Nothing is blocked and there are no warnings or prompts.
  • This execution policy is designed for configurations in which a PowerShell script is built in to a larger application, or for configurations in which PowerShell is the foundation for a program that has its own security model.

Default

  • Sets the default execution policy.
  • Restricted for Windows clients.
  • RemoteSigned for Windows servers.

RemoteSigned

  • The default execution policy for Windows server computers.
  • Scripts can run.
  • Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the internet, which includes email and instant messaging programs.
  • Doesn't require digital signatures on scripts that are written on the local computer and not downloaded from the internet.
  • Runs scripts that are downloaded from the internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet.
  • Risks running unsigned scripts from sources other than the internet, and signed scripts that could be malicious.

Restricted

  • The default execution policy for Windows client computers.
  • Permits individual commands, but does not allow scripts.
  • Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1).

Undefined

  • There is no execution policy set in the current scope.
  • If the execution policy in all scopes is Undefined, the effective execution policy is Restricted for Windows clients and RemoteSigned for Windows Server.

Unrestricted

  • The default execution policy for non-Windows computers; it cannot be changed there.
  • Unsigned scripts can run. There is a risk of running malicious scripts.
  • Warns the user before running scripts and configuration files that are not from the local intranet zone.

Note

On systems that do not distinguish Universal Naming Convention (UNC) paths from internet paths, scripts that are identified by a UNC path might not be permitted to run with the RemoteSigned execution policy.

Execution policy scope

You can set an execution policy that is effective only in a particular scope.

The valid values for Scope are MachinePolicy, UserPolicy, Process, CurrentUser, and LocalMachine. LocalMachine is the default when setting an execution policy.

The Scope values are listed in precedence order. The policy that takes precedence is effective in the current session, even if a more restrictive policy was set at a lower level of precedence.

For more information, see Set-ExecutionPolicy.

MachinePolicy

Set by a Group Policy for all users of the computer.

UserPolicy

Set by a Group Policy for the current user of the computer.

Process

The Process scope only affects the current PowerShell session. The execution policy is saved in the environment variable $env:PSExecutionPolicyPreference, rather than in the registry. When the PowerShell session is closed, the variable and value are deleted.

CurrentUser

The execution policy affects only the current user. It's stored in the HKEY_CURRENT_USER registry subkey.

LocalMachine

The execution policy affects all users on the current computer. It's stored in the HKEY_LOCAL_MACHINE registry subkey.

Managing the execution policy with PowerShell

To get the effective execution policy for the current PowerShell session, use the Get-ExecutionPolicy cmdlet.

The following command gets the effective execution policy:

Get-ExecutionPolicy

To get all of the execution policies that affect the current session and display them in precedence order:

Get-ExecutionPolicy -List

The result looks similar to the following sample output:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser    RemoteSigned
 LocalMachine       AllSigned

In this case, the effective execution policy is RemoteSigned, because the execution policy for the current user takes precedence over the execution policy set for the local computer.

To get the execution policy set for a particular scope, use the Scope parameter of Get-ExecutionPolicy.

For example, the following command gets the execution policy for the CurrentUser scope:

Get-ExecutionPolicy -Scope CurrentUser
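The precedence rule above can be checked by hand. The following script is an added example, not part of the original article: it walks the scopes in the documented precedence order, picks the first one that is not Undefined, falls back to the platform default when every scope is Undefined, and compares the result with what Get-ExecutionPolicy itself reports. It is read-only and assumes a Windows host (the Win32_OperatingSystem ProductType query is used to tell client from server).

```powershell
# Added example (not part of the original article): resolve the effective
# execution policy from Get-ExecutionPolicy -List and report which scope
# supplied it. Read-only; nothing on the machine is changed.

function Resolve-EffectiveExecutionPolicy {
    if ($PSVersionTable.PSVersion.Major -ge 6 -and -not $IsWindows) {
        throw 'Execution policies are only enforced on Windows.'
    }

    # Scopes in the precedence order documented on this page (highest first).
    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

    # Get-ExecutionPolicy -List returns one row per scope.
    $byScope = @{}
    foreach ($row in Get-ExecutionPolicy -List) {
        $byScope[[string]$row.Scope] = [string]$row.ExecutionPolicy
    }

    # The first scope that is not Undefined wins, however restrictive the
    # lower-precedence scopes are.
    $winner = $precedence |
        Where-Object { $byScope[$_] -ne 'Undefined' } |
        Select-Object -First 1

    if ($null -eq $winner) {
        # Nothing is set anywhere: Restricted on clients, RemoteSigned on servers.
        # ProductType 1 = workstation; 2 and 3 are server SKUs.
        $isServer  = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
        $effective = if ($isServer) { 'RemoteSigned' } else { 'Restricted' }
        $winner    = 'Default'
    } else {
        $effective = $byScope[$winner]
    }

    [pscustomobject]@{
        EffectivePolicy = $effective
        SetBy           = $winner
        Reported        = [string](Get-ExecutionPolicy)   # what PowerShell itself says
        # Scopes that hold a value but are outranked; a Set-ExecutionPolicy on
        # one of these "succeeds" without changing the effective policy.
        Shadowed        = @($precedence | Where-Object { $_ -ne $winner -and $byScope[$_] -ne 'Undefined' })
    }
}

Resolve-EffectiveExecutionPolicy | Format-List
```

EffectivePolicy and Reported should always agree; the Shadowed list is the useful part when a policy change appears to have had no effect.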

Change the execution policy

To change the PowerShell execution policy on your Windows computer, use the Set-ExecutionPolicy cmdlet. The change is effective immediately. You don't need to restart PowerShell.

If you set the execution policy for the LocalMachine or CurrentUser scopes, the change is saved in the registry and remains effective until you change it again.

If you set the execution policy for the Process scope, it's not saved in the registry. The execution policy is retained until the current process and any child processes are closed.

Note

In Windows Vista and later versions of Windows, to run commands that change the execution policy for the local computer (the LocalMachine scope), start PowerShell with the Run as administrator option.

To change your execution policy:

Set-ExecutionPolicy -ExecutionPolicy <PolicyName>

For example:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

To set the execution policy in a particular scope:

Set-ExecutionPolicy -ExecutionPolicy <PolicyName> -Scope <scope>

For example:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

A command to change an execution policy can succeed but still not change the effective execution policy.

For example, a command that sets the execution policy for the local computer can succeed but be overridden by the execution policy for the current user. Run Get-ExecutionPolicy -List after the change to see which scope is actually in effect.

Remove the execution policy

To remove the execution policy for a particular scope, set the execution policy to Undefined.

For example, to remove the execution policy for all the users of the local computer:

Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope LocalMachine

To remove the execution policy for a Scope:

Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser

If no execution policy is set in any scope, the effective execution policy is Restricted, which is the default for Windows clients (RemoteSigned on Windows Server).

Set a different policy for one session

You can use the ExecutionPolicy parameter of pwsh.exe to set an execution policy for a new PowerShell session. The policy affects only the current session and child sessions.

To set the execution policy for a new session, start PowerShell at the command line, such as from cmd.exe or from PowerShell, and use the ExecutionPolicy parameter of pwsh.exe to set the execution policy.

For example:

pwsh.exe -ExecutionPolicy AllSigned

The execution policy that you set isn't stored in the registry. Instead, it's stored in the $env:PSExecutionPolicyPreference environment variable. The variable is deleted when you close the session in which the policy is set. You cannot change the policy by editing the variable value; use Set-ExecutionPolicy -Scope Process instead.

During the session, the execution policy that is set for the session takes precedence over an execution policy that is set in the registry for the local computer or current user. However, it doesn't take precedence over an execution policy set by using Group Policy.
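The session-scoped behaviour described above can be observed directly. The script below is an added example, not code from the original article. It assumes pwsh (PowerShell 7) is on PATH; substitute powershell.exe for Windows PowerShell. It writes nothing to the registry: the only state it creates is a Process-scope policy in the current session, which it clears again.

```powershell
# Added example (not part of the original article): observe the Process scope
# from inside sessions started with -ExecutionPolicy. Assumes pwsh is on PATH.

# 1. A child session started with -ExecutionPolicy reports that policy in the
#    Process row and stores it in the environment variable named in the text.
#    Passing a script block to -Command from an existing PowerShell session
#    returns the result as a deserialized object.
$child = pwsh -NoProfile -ExecutionPolicy AllSigned -Command {
    [pscustomobject]@{
        Effective = [string](Get-ExecutionPolicy)
        Process   = [string](Get-ExecutionPolicy -Scope Process)
        EnvVar    = $env:PSExecutionPolicyPreference
    }
}
$child | Format-List
# Effective and Process are AllSigned unless Group Policy (MachinePolicy or
# UserPolicy) is configured, because those scopes outrank Process.

# 2. The variable is inherited by child processes, so a grandchild started
#    without -ExecutionPolicy still carries the Process policy.
pwsh -NoProfile -ExecutionPolicy AllSigned -Command {
    pwsh -NoProfile -Command {
        "grandchild Process scope: $(Get-ExecutionPolicy -Scope Process)"
    }
}

# 3. In the current session, a Process-scope policy outranks the registry
#    scopes (CurrentUser, LocalMachine) but not Group Policy. The list shows
#    the rows in precedence order, so the Process row sits above both.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Get-ExecutionPolicy -List
"Process scope reads from the variable: $env:PSExecutionPolicyPreference"

# Clear the Process-scope setting again (this session only, no registry write).
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Undefined -Force
```

Step 3 is also the pattern to use when a single maintenance session needs a different policy than the machine: it leaves no persistent change behind once the session ends.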

Use Group Policy to Manage Execution Policy

You can use the Turn on Script Execution Group Policy setting to manage the execution policy of computers in your enterprise. The Group Policy setting overrides the execution policies set in PowerShell in all scopes.

The Turn on Script Execution policy settings are as follows:

  • If you disable Turn on Script Execution, scripts do not run. This is equivalent to the Restricted execution policy.

  • If you enable Turn on Script Execution, you can select an execution policy. The Group Policy settings are equivalent to the following execution policy settings:

    Group Policy                                   Execution Policy
    Allow all scripts                              Unrestricted
    Allow local scripts and remote signed scripts  RemoteSigned
    Allow only signed scripts                      AllSigned

  • If Turn on Script Execution is not configured, it has no effect. The execution policy set in PowerShell is effective.

The PowerShellExecutionPolicy.adm and PowerShellExecutionPolicy.admx files add the Turn on Script Execution policy to the Computer Configuration and User Configuration nodes in Group Policy Editor in the following paths.

For Windows XP and Windows Server 2003:

Administrative Templates\Windows Components\Windows PowerShell

For Windows Vista and later versions of Windows:

Administrative Templates\Classic Administrative Templates
Windows Components\Windows PowerShell

Policies set in the Computer Configuration node take precedence over policies set in the User Configuration node.

For more information, see about_Group_Policy_Settings.
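When a Set-ExecutionPolicy call reports success but Get-ExecutionPolicy -List still shows MachinePolicy or UserPolicy set, Group Policy is the reason. The script below is an added example, not part of the original article: it reads the registry values that the PowerShellExecutionPolicy ADMX template writes for the Computer and User nodes and maps them onto the table above. The registry path and the EnableScripts/ExecutionPolicy value names come from about_Group_Policy_Settings, not from this page; treat them as an assumption if your template differs.

```powershell
# Added example (not part of the original article): show where the
# "Turn on Script Execution" setting lands and how it maps onto the
# MachinePolicy / UserPolicy rows. Registry location and value names are
# those written by the PowerShellExecutionPolicy ADMX (assumed here, from
# about_Group_Policy_Settings). Read-only.

function Get-ScriptExecutionPolicySetting {
    param(
        [ValidateSet('Computer', 'User')]
        [string] $Node
    )
    # Computer Configuration lands under HKLM, User Configuration under HKCU.
    $hive = if ($Node -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $key  = Join-Path $hive 'SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Node = $Node; State = 'Not configured'; Policy = $null }
    }
    $v = Get-ItemProperty -Path $key

    if ($v.EnableScripts -eq 0) {
        # Disabled: scripts do not run, equivalent to Restricted.
        return [pscustomobject]@{ Node = $Node; State = 'Disabled'; Policy = 'Restricted' }
    }
    if ($v.EnableScripts -eq 1) {
        # Enabled: ExecutionPolicy holds Unrestricted, RemoteSigned or AllSigned,
        # matching the table in the text.
        return [pscustomobject]@{ Node = $Node; State = 'Enabled'; Policy = $v.ExecutionPolicy }
    }
    # Key exists but the value was never written: same as Not configured.
    [pscustomobject]@{ Node = $Node; State = 'Not configured'; Policy = $null }
}

'Computer', 'User' |
    ForEach-Object { Get-ScriptExecutionPolicySetting -Node $_ } |
    Format-Table -AutoSize

# Cross-check against what PowerShell reports for the two Group Policy scopes.
# Computer node -> MachinePolicy, User node -> UserPolicy, and MachinePolicy
# wins when both are set.
Get-ExecutionPolicy -List | Where-Object { $_.Scope -in 'MachinePolicy', 'UserPolicy' }
```

If either row is anything other than Undefined, changes made with Set-ExecutionPolicy in the lower scopes will be accepted but will not alter the effective policy; the setting has to be changed in Group Policy.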

Execution policy precedence

When determining the effective execution policy for a session, PowerShell evaluates the execution policies in the following precedence order:

  • Group Policy: MachinePolicy
  • Group Policy: UserPolicy
  • Execution Policy: Process (or pwsh.exe -ExecutionPolicy)
  • Execution Policy: CurrentUser
  • Execution Policy: LocalMachine

Manage signed and unsigned scripts

In Windows, programs like Internet Explorer and Microsoft Edge add an alternate data stream to files that are downloaded. This marks the file as "coming from the Internet". If your PowerShell execution policy is RemoteSigned, PowerShell won't run unsigned scripts that are downloaded from the internet, which includes email and instant messaging programs.

You can sign the script or elect to run an unsigned script without changing the execution policy.

Beginning in PowerShell 3.0, you can use the Stream parameter of the Get-Item cmdlet to detect files that are blocked because they were downloaded from the internet. Use the Unblock-File cmdlet to unblock the scripts so that you can run them in PowerShell. Unblocking only removes the mark; it does not verify the script, so review the content first.

For more information, see about_Signing, Get-Item, and Unblock-File.

Note

Other methods of downloading files may not mark the files as coming from the Internet Zone. Some examples include:

  • curl.exe
  • Invoke-RestMethod
  • Invoke-WebRequest
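The following script is an added example, not part of the original article, that puts the Get-Item -Stream check and Unblock-File together. It constructs a sample script under $env:TEMP and writes the Zone.Identifier stream itself to simulate a browser download (ZoneId 3 is the Internet zone), so it runs offline; an NTFS volume and PowerShell 3.0 or later are required. The rule it applies, that RemoteSigned demands a valid signature only for files marked with zone 3 (Internet) or 4 (Restricted sites), is how this example interprets "downloaded from the internet" and is not spelled out on this page.

```powershell
# Added example (not part of the original article): detect the Zone.Identifier
# alternate data stream, decide whether RemoteSigned would run the file, and
# unblock only after review. Sample file and zone stream are constructed here.

$sample = Join-Path $env:TEMP 'motw-demo.ps1'
Set-Content -Path $sample -Value 'Write-Output "hello from a downloaded script"'

# Simulate what a browser does on download: ZoneId 3 = Internet zone.
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

function Get-ScriptTrustState {
    param([Parameter(Mandatory)] [string] $Path)

    # Get-Item -Stream fails (non-terminating) when the stream is absent,
    # which is the "not downloaded" case.
    $zone   = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($zone) {
        $raw = Get-Content -Path $Path -Stream Zone.Identifier -Raw
        $m   = [regex]::Match($raw, 'ZoneId=(\d+)')
        if ($m.Success) { $zoneId = [int]$m.Groups[1].Value }
    }

    # Authenticode status: NotSigned, Valid, HashMismatch, UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Assumption for this example: zones 3 (Internet) and 4 (Restricted sites)
    # count as "from the internet"; local, intranet and trusted zones do not.
    $fromInternet          = $zoneId -in 3, 4
    $runsUnderRemoteSigned = (-not $fromInternet) -or ($sig.Status -eq 'Valid')

    [pscustomobject]@{
        Path                  = $Path
        ZoneId                = $zoneId
        SignatureStatus       = [string]$sig.Status
        RunsUnderRemoteSigned = $runsUnderRemoteSigned
    }
}

Get-ScriptTrustState -Path $sample
# ZoneId 3, SignatureStatus NotSigned, RunsUnderRemoteSigned False

# Review the content, then unblock. Unblock-File strips the stream; it does
# not validate the script in any way.
Get-Content -Path $sample
Unblock-File -Path $sample
Get-ScriptTrustState -Path $sample
# ZoneId empty, RunsUnderRemoteSigned True

Remove-Item -Path $sample
```

Files fetched with curl.exe, Invoke-RestMethod or Invoke-WebRequest arrive without the stream, so Get-ScriptTrustState reports them as local and RemoteSigned runs them unsigned; the absence of the mark is not evidence that a file is trustworthy.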

Execution policy on Windows Server Core and Windows Nano Server

When PowerShell 6 is run on Windows Server Core or Windows Nano Server under certain conditions, execution policies can fail with the following error:

AuthorizationManager check failed.
At line:1 char:1
+ C:\scriptpath\scriptname.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

PowerShell uses APIs in the Windows Desktop Shell (explorer.exe) to validate the Zone of a script file. The Windows Shell is not available on Windows Server Core and Windows Nano Server.

You could also get this error on any Windows system if the Windows Desktop Shell is unavailable or unresponsive. For example, during sign on, a PowerShell logon script could start execution before the Windows Desktop is ready, resulting in failure.

Using an execution policy of Bypass or AllSigned does not require a Zone check, which avoids the problem. Of the two, AllSigned keeps the signature requirement; Bypass removes every check, so prefer it only where the calling application enforces its own controls.

See Also

about_Environment_Variables

about_Group_Policy_Settings

about_Signing

Get-ExecutionPolicy

Get-Item

Pwsh Console Help

Set-ExecutionPolicy

Unblock-File