
Is it safe to run `Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass`

I installed this module from https://www.powershellgallery.com/packages/ImportExcel/7.1.0 inside our Windows PowerShell:

Install-Module -Name ImportExcel -RequiredVersion 7.1.0 

Then I ran this command, but I got that the script is not digitally signed:

PS C:\WINDOWS\system32> Import-Module ImportExcel
Import-Module : File C:\Program Files\WindowsPowerShell\Modules\ImportExcel\7.1.0\ImportExcel.psm1 cannot be loaded.
The file C:\Program Files\WindowsPowerShell\Modules\ImportExcel\7.1.0\ImportExcel.psm1 is not digitally signed. You
cannot run this script on the current system. For more information about running scripts and setting execution policy,
see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module ImportExcel
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand

And to fix this I ran this command: `Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass`. So is this safe?

tl;dr

# Save the current execution policy...
$currPolicy = Get-ExecutionPolicy
# ... and temporarily set the policy to 'Bypass' for this process.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# ASSUMING YOU TRUST MODULE ImportExcel:
# Execution of scripts in the context of importing the module is
# now permitted.
Import-Module -Name ImportExcel -RequiredVersion 7.1.0

# Restore the previous execution policy for this process.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy $currPolicy -Force

To paraphrase Santiago Squarzon's helpful comment on the question:

PowerShell's execution policies prevent potential harm by controlling if and under what conditions the execution of script files (`.ps1`) is permitted: `Restricted` prevents execution altogether, `AllSigned` only allows cryptographically signed scripts to execute, `RemoteSigned` requires only scripts downloaded from the web to be signed, `Unrestricted` places no restriction on execution but prompts to confirm the intent to execute internet-downloaded scripts, `Bypass` doesn't restrict execution at all.

This means when the effective policy prevents execution of a given script, the implication is not that the particular script actually contains harmful content - the policies never check for that, they purely act on formal criteria.

Conversely, of course, any given script could contain harmful content.

It looks like you're using the ImportExcel module from the PowerShell Gallery, the official repository for open-source PowerShell modules; the gallery subjects modules submitted to it to security checks.

The fact that you've already installed this module suggests that you trust it in principle. (Of course, you can inspect the script in question - and the module as a whole - yourself, via the directory that `(Get-Module ImportExcel -ListAvailable).Path` reports.)

Importing it just so happens to involve running a script (`*.ps1`), which not all modules do (doing so is used for module-internal helper scripts or for required modifications to the caller's scope via the script specified in the `ScriptsToProcess` module-manifest entry).

To put it differently:

  • An `Import-Module` call may not involve execution of scripts at all, yet it invariably involves importing commands into your session, which you should definitely trust in order to use them.

  • Importing a module should therefore be an all-or-nothing trust proposition, and if you do trust it, the effective execution policy should not get in the way of importing it.

The code shown above minimizes the risk of making the process-level policy more permissive by effectively scoping it to the module import of interest.


As an aside: The problem wouldn't even arise on Unix-like platforms (which requires the cross-platform PowerShell (Core) v6+ edition), where execution policies do not apply.
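The review-then-import flow the answer describes, as an added example that is not part of the original answer or of the ImportExcel project. It assumes Windows PowerShell 5.1 with ImportExcel 7.1.0 already installed; the variable names and the report layout are illustrative.

```powershell
# Added example: look at what an import would run before relaxing the policy.
$name    = 'ImportExcel'
$version = '7.1.0'

# 1. Show the policy per scope; Group Policy scopes take precedence over Process.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy

# 2. Locate the installed module version.
$module = Get-Module -Name $name -ListAvailable |
    Where-Object { $_.Version -eq [version]$version } |
    Select-Object -First 1
if (-not $module) { throw "$name $version is not installed." }

# 3. Report the formal criteria the policies act on (signature, download mark)
#    plus a hash you can compare against a copy you have reviewed.
$report = Get-ChildItem -LiteralPath $module.ModuleBase -Recurse -File |
    Where-Object { $_.Extension -in '.ps1', '.psm1', '.psd1', '.ps1xml' } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        # Zone.Identifier is the alternate data stream that marks a downloaded file.
        $zone = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File       = $_.FullName.Substring($module.ModuleBase.Length + 1)
            Signature  = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
            Downloaded = [bool]$zone
            SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
$report | Format-Table -AutoSize

# 4. List scripts the manifest runs in the caller's scope on import (ScriptsToProcess).
$manifest = Import-PowerShellDataFile -LiteralPath (Join-Path $module.ModuleBase "$name.psd1")
"ScriptsToProcess: $($manifest.ScriptsToProcess -join ', ')"

# 5. After reviewing the files, relax the policy for this process only for the
#    duration of the import, and restore it even if the import fails.
$previous = Get-ExecutionPolicy -Scope Process
try {
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
    Import-Module -Name $name -RequiredVersion $version -ErrorAction Stop
}
finally {
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy $previous -Force
}
```

Capturing the Process-scope value rather than the effective policy means the restore puts that scope back to what it was (typically `Undefined`), so the CurrentUser and LocalMachine settings decide again afterwards.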

You can run this command in your terminal.

Set-ExecutionPolicy -Scope CurrentUser

This should then ask for a value, at which point you can set it to Bypass / RemoteSigned.
