PowerShell ExecutionPolicy Restricted - NSClient (0.5.0.19) returns 0 (ok)


#1

Hi, I am looking for a solution for the following problem. I could not find it anywhere.

Output from nsclient for powershell external scripts is: File C:\Program Files\op5\NSClient++\scripts\check_ad_time.ps1 cannot be loaded because the execution of scripts is disabled on this system.

And that is ok, but the exit code from the following error is 0. Most preferably it should be 3. I tried to mess with wrappings but those do not seem to work. Tried to recreate the problem from this topic https://github.com/mickem/nscp/issues/207 and “solving” it with the solution presented at the end of it, but it seems like nsclient is ignoring “wrappings”.

Other simple (I guess) solution would be if nsclient returned 3 every time unless the executed script provided differently. But I could not find such functionality. Basically any output that is not provided by the executed script should not return 0 (imo).


#2

Hi,

I think the reason that you always get the error code 0 is that the script cannot be executed. So the content of the script gets ignored, because Windows has disabled powershell scripts.

You have to enable the execution of powershell scripts in Windows. Open Powershell and enter: Set-ExecutionPolicy Unrestricted

After this, the script should be executed. Give it a try :wink:

Kind regards Matze


#3

Thanks for the response and sorry, I might not have written it clearly enough. The real problem is that when you have hundreds of Windows hosts and some of them have ExecutionPolicy set to Restricted (that is the moment when the message shows up), you do not know something is wrong because it is “green”. There is no error while there should be. In the current situation I do not even know which hosts have a problem with that setting. My goal is to make nsclient return exit code 2 or 3 when this message pops up while trying to execute a powershell script.


#4

Ahh okay… Two options: Force Powershell Policy over GPO.

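Or maybe this batch-script:

```
@echo off
rem Capture stdout and stderr; the policy error is written to stderr
powershell -file "C:\path\to\powershell\script\test.ps1" > test-out.txt 2>&1
rem /c: searches for the whole phrase instead of any one of its words
findstr /m /c:"execution of scripts is disabled on this system" test-out.txt
rem findstr sets errorlevel 0 when the string is found and 1 when it is not
if %errorlevel%==0 (
    echo found
    exit 3
)
if %errorlevel%==1 (
    echo not found
    exit 0
)
```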

Here you execute the powershell script over a batch file and write the output to test-out.txt. Then you search for the string “execution of scripts is disabled on this system” in this txt file. If it returns the string you exit with errorcode 3, if you don't find the string you exit with errorcode 0.

Maybe this works for you :slight_smile:
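The same string match can also run on the monitoring server over the result each agent returns, which covers hosts where no wrapper has been deployed yet. This is an added example, not code from the thread or from NSClient++; the function names, host names and sample outputs are constructed, and how the exit code and output are collected from the agent is left out.

```python
import re

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes

# Wording quoted in this thread, plus the "running scripts" wording that
# newer PowerShell versions print for the same condition.
POLICY_BLOCK = re.compile(
    r"cannot be loaded because (?:the execution of|running) scripts "
    r"is disabled on this system",
    re.IGNORECASE,
)


def reclassify(exit_code, output):
    """Return (status, text); a policy-blocked result is never OK."""
    # Collapse whitespace first: console wrapping can split the phrase
    # across lines, which a line-based search would miss.
    flat = " ".join(output.split())
    if POLICY_BLOCK.search(flat):
        return UNKNOWN, "UNKNOWN: execution policy blocked the script: " + flat
    if exit_code not in (OK, WARNING, CRITICAL, UNKNOWN):
        return UNKNOWN, "UNKNOWN: unexpected exit code %d: %s" % (exit_code, flat)
    return exit_code, output.strip()


def blocked_hosts(results):
    """List the hosts whose reported status hid an execution-policy block."""
    return sorted(
        host for host, (_code, out) in results.items()
        if POLICY_BLOCK.search(" ".join(out.split()))
    )


# Constructed sample results: host name -> (exit code, plugin output).
SAMPLE = {
    "dc01": (0, "OK: time offset 0.02s"),
    "dc02": (0, "File C:\\Program Files\\op5\\NSClient++\\scripts\\check_ad_time.ps1 "
                "cannot be loaded because the execution of scripts is disabled on this system."),
    "dc03": (0, "File C:\\scripts\\check_ad_time.ps1 cannot be loaded because running\n"
                "scripts is disabled on this system."),
    "dc04": (2, "CRITICAL: time offset 312s"),
}

if __name__ == "__main__":
    for host, (code, out) in sorted(SAMPLE.items()):
        print(host, *reclassify(code, out))
    print("blocked:", blocked_hosts(SAMPLE))
```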


#5

Thanks for the reply. The solution you provided works fine. Although in the meantime I found another, in my opinion interesting, workaround (also earlier today I did not know how “wrappings” work… now I know). Here is my wrap for ps1 scripts:

```
ps1=cmd /c echo Try { scripts\%SCRIPT% $ARGS$} Catch { "Error message"; exit (3) } ; exit($lastexitcode) | powershell.exe /noprofile -command -
```

Now I need to choose what solution will be better and which one to implement. Thank you for help.


#6

Would it be an adequate workaround to call powershell with the -ExecutionPolicy flag set (either “Bypass” or “Unrestricted”)? Supposedly it opens up security vulnerabilities when you run it Unrestricted system wide.

So, an example command line would be:

```
Powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "C:\Scripts\Write-HelloWorld.ps1"
```

This will run the script with no Execution Policy, no “profile”, and no interactive prompts for the duration of the script.


#7

I tested it later that day and it worked where I tested it. Although I had already sent the previous solution, so I couldn’t use that one. I will keep that in mind in case I have to use it again. Thanks.