Run scripts and set the execution policy in Windows PowerShell
Before you modify or create Windows PowerShell scripts, you need to know how to run them. You might be familiar with the idea of double-clicking an executable file or selecting it and then selecting Enter to run it, but that process doesn't work for Windows PowerShell scripts.
A common problem with many scripting languages is that scripts are too easy to run accidentally. Users can accidentally run a script by double-clicking it or selecting it and then selecting Enter. This risk increases when file extensions are hidden and an attachment contains malware. For example, an attached file named receipt.txt.vbs would display as receipt.txt and users would run it accidentally, thinking it's a simple text file. This risk isn't a concern for Windows PowerShell scripts because of the actions required to run a script.
Integration with File Explorer
To make Windows PowerShell scripts more secure, the .ps1 file extension is associated with Notepad. Therefore, when you double-click a .ps1 file or select it and then select Enter, it opens in Notepad. This setting means that users can’t be tricked into running a Windows PowerShell script by double-clicking it or selecting it and then selecting Enter.
When you right-click a Windows PowerShell script or activate its context menu, you have three options:
- Open. This option opens the script in Notepad.
- Run with PowerShell. This option runs the script, but the Windows PowerShell prompt doesn't remain open when the script completes.
- Edit. This option opens the script in the Windows PowerShell ISE, if it is installed. On systems where the ISE is not present, consider using Visual Studio Code with the PowerShell extension, which is the currently recommended editor.
To keep the Windows PowerShell prompt open when you run a script, run it from an already-open Windows PowerShell prompt.
Running scripts at the PowerShell prompt
When you run an executable file at a command prompt, you can enter its name to run it in the current directory. For example, when the current directory is C:\app, you can enter app.exe to run C:\app\app.exe. You can't use this process to run Windows PowerShell scripts, because Windows PowerShell doesn't search the current directory for scripts.
To run a Windows PowerShell script at the Windows PowerShell prompt, you can use the following methods:
- Enter the full path to the script; for example, C:\Scripts\MyScript.ps1.
- Enter a relative path to the script; for example, \Scripts\MyScript.ps1.
- Reference the current directory; for example, .\MyScript.ps1.
The script execution policy
You can control whether Windows PowerShell scripts can run on Windows computers by setting the execution policy. The default execution policy on a computer varies depending on the operating system version. To be sure of the current configuration, you can use the Get-ExecutionPolicy cmdlet.
The options for the execution policy are:
- Restricted. No scripts can run.
- AllSigned. Scripts run only if they're digitally signed.
- RemoteSigned. Downloaded scripts run only if they're digitally signed.
- Unrestricted. All scripts can run, but a confirmation prompt appears for unsigned scripts downloaded from the internet.
- Bypass. All scripts run without prompts.
Note
Setting the script execution policy provides a safety net that can prevent untrusted scripts from being run accidentally. However, the execution policy can always be overridden.
You can set the execution policy on a computer by using the Set-ExecutionPolicy cmdlet. However, this setting is difficult to manage across many computers. When you configure the execution policy for many computers, you can use the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on Script Execution Group Policy setting to override the local setting.
You can override the execution policy for an individual Windows PowerShell instance. This setting is useful if company policy requires the execution policy to be set as Restricted, but you still must run scripts occasionally. To override the execution policy, run PowerShell.exe with the -ExecutionPolicy parameter.
Powershell.exe -ExecutionPolicy ByPass
If you modify a script downloaded from the internet, it retains the attributes that mark it as downloaded. To remove that status, use the Unblock-File cmdlet.
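The following added example (not part of the original module) shows how to check the execution policy at each scope and inspect a script's download mark and signature before running Unblock-File on it. Test-ScriptTrust is a hypothetical helper name, C:\Scripts\MyScript.ps1 is the sample path used earlier on this page, and the example relies on the download mark being stored in the NTFS alternate data stream named Zone.Identifier.

```powershell
# Added example: Test-ScriptTrust is a hypothetical helper, not a built-in cmdlet.

# Policy at every scope, listed in precedence order. MachinePolicy and UserPolicy
# come from Group Policy and override Process, CurrentUser and LocalMachine.
Get-ExecutionPolicy -List | Format-Table -AutoSize
"Effective policy for this session: $(Get-ExecutionPolicy)"

function Test-ScriptTrust {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # A downloaded file carries a Zone.Identifier stream; a locally created one does not.
    $zone = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier `
                     -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($zone) {
        $line = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier |
            Where-Object { $_ -match '^ZoneId=\d+' } |
            Select-Object -First 1
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }

    # Signature state decides whether AllSigned or RemoteSigned would let it run.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        Path               = $file.FullName
        MarkedAsDownloaded = [bool]$zone
        ZoneId             = $zoneId          # 3 is the Internet zone
        SignatureStatus    = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer             = $sig.SignerCertificate.Subject
    }
}

$report = Test-ScriptTrust -Path 'C:\Scripts\MyScript.ps1'
$report | Format-List

# Preview the unblock only; drop -WhatIf after you have reviewed the script contents.
if ($report.MarkedAsDownloaded) {
    Unblock-File -LiteralPath $report.Path -WhatIf
}
```

A SignatureStatus of HashMismatch on a signed script means the file changed after it was signed, which is what happens when you edit a signed script you downloaded.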