PowerShell script integrity modes and custom encryption prior to version 7
This page describes how to run PowerShell scripts in low and medium integrity mode for Snow Inventory Agent for Windows version 6.14.5 or earlier. It also describes how to encrypt custom created PowerShell scripts with a custom encryption key. The corresponding functionality for the latest version of the agent is described in Running PowerShell scripts as part of the scanning process.
Be aware of the vulnerabilities CVE-2023-7169 and CVE-2024-1149, affecting Snow Inventory Agent for Windows version 6.14.5 or earlier. For more information, refer to Inventory Agent Security Update on Snow Globe.
The file extension of a script file decides in which integrity mode it runs.
- .ps1: PowerShell scripts with this file extension are not encrypted and are run in low integrity mode. Low integrity mode prevents these scripts from harming the system: the scripts and their child processes cannot modify the underlying system.
- .snow-ps1: PowerShell scripts with this file extension are encrypted and are run in medium integrity mode.
For details regarding Windows integrity modes, refer to the following MSDN article: https://msdn.microsoft.com/en-us/library/bb625957.aspx
Custom encryption and decryption of PowerShell scripts
To make it possible for users to run PowerShell scripts not written by Flexera in medium integrity mode, a unique custom encryption key can be used instead of the default encryption key. The custom encryption key replaces the default key.
To generate a custom encryption key, use the psencrypt.exe tool. You can download the tool via the following Snow Globe article (you must be signed in to Snow Globe to access it): https://community.snowsoftware.com/s/article/PSEncrypt-tool
psencrypt.exe keygen
To enable encryption with a custom encryption key, use the setting key powershell.encryption_key in the SystemSettings element of the agent configuration file:
<SystemSettings>
<Setting key="powershell.encryption_key" value="[value of custom encryption key]"/>
</SystemSettings>
To encrypt scripts with the custom encryption key:
- Use the psencrypt.exe tool:
psencrypt.exe encrypt <path_to_target_script> <path_to_output_file>
- When asked for input, enter the custom encryption key.
Note: Scripts created by Flexera and scripts created by customers can both be encrypted with a custom encryption key.
Note: When the agent is configured to use a custom encryption key, it will not execute the default scripts provided by Flexera, because those are encrypted with the default key. To execute these scripts, they must be encrypted a second time, using the custom encryption key:
psencrypt.exe encrypt <Snow Software standard script>.snow-ps1 <re-encrypted Snow Software script>.snow-ps1
To decrypt scripts with the custom encryption key:
- Use the psencrypt.exe tool:
psencrypt.exe decrypt <path_to_target_script> <path_to_output_file>
- When asked for input, enter the custom encryption key.
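As an added audit helper (not part of the Snow Inventory Agent or psencrypt.exe), the following PowerShell function reads the agent configuration, reports whether powershell.encryption_key is set, and classifies each script in a folder by the integrity mode its extension implies, flagging .snow-ps1 scripts that will not run unless they were encrypted with the custom key. The configuration file path and script folder are assumptions you supply, and the XML layout assumed is the SystemSettings fragment shown above.

```powershell
# Added audit helper; not Flexera code. Assumes the agent configuration is XML with the
# <SystemSettings>/<Setting key=".." value=".."/> layout shown on this page, and that
# $ScriptFolder is the folder holding the agent's .ps1 / .snow-ps1 scripts.
function Get-SnowPsScriptInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,   # agent configuration file (path is an assumption)
        [Parameter(Mandatory)] [string] $ScriptFolder  # folder containing the scripts to classify
    )

    [xml] $config = Get-Content -LiteralPath $ConfigPath -Raw
    $keySetting = $config.SelectSingleNode("//SystemSettings/Setting[@key='powershell.encryption_key']")
    $customKey = [bool]$keySetting -and -not [string]::IsNullOrWhiteSpace($keySetting.GetAttribute('value'))

    # Report the key state without echoing the secret itself.
    $keyStatus = if ($customKey) { 'custom key configured (value withheld)' } else { 'not set: default key in use' }
    [pscustomobject]@{ Name = 'powershell.encryption_key'; IntegrityMode = '-'; Sha256 = '-'; Note = $keyStatus }

    Get-ChildItem -LiteralPath $ScriptFolder -File | ForEach-Object {
        $note = ''
        switch ($_.Extension.ToLowerInvariant()) {
            '.ps1'      { $mode = 'low (unencrypted; cannot modify the system)' }
            '.snow-ps1' {
                $mode = 'medium (encrypted)'
                if ($customKey) {
                    # Page caveat: with a custom key configured, scripts still encrypted
                    # with the default key (e.g. the stock Flexera scripts) will not run.
                    $note = 'must be encrypted with the custom key or it will not execute'
                }
            }
            default     { $mode = 'not run by the agent' }
        }
        [pscustomobject]@{
            Name          = $_.Name
            IntegrityMode = $mode
            # SHA-256 gives a baseline so later changes to script files can be detected.
            Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Note          = $note
        }
    }
}

# Example call (paths are placeholders):
# Get-SnowPsScriptInventory -ConfigPath 'C:\path\to\agent.config' -ScriptFolder 'C:\path\to\scripts' | Format-Table -AutoSize
```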