What are PSScriptPolicyTest PowerShell Files?

Article ID: 285634

Products

  • Carbon Black App Control (formerly Cb Protection)
  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
  • Carbon Black EDR (formerly Cb Response)

Issue/Introduction

What are PSScriptPolicyTest PowerShell files used for within Windows?

Environment

  • Microsoft Windows: All Versions
  • Microsoft PowerShell: All Supported Versions

Resolution

These files are randomly generated by Microsoft PowerShell, which attempts to execute them to determine which Language Mode it will run in when one of the supported application control policies is in use.

PowerShell automatically runs in ConstrainedLanguage mode when it's running under a system application control policy. The application control policies detected are AppLocker and Windows Defender Application Control (WDAC) on Windows platforms.
  • Allowing them to execute enables Full Language Mode in PowerShell.
  • Blocking them from execution (using a supported application control policy) enables Constrained Language Mode in PowerShell.
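
The following diagnostic is an added example, not code from this article, Carbon Black or Microsoft. It reports the session's language mode next to the AppLocker and WDAC status that the probe files test against. The function name `Get-LanguageModeReport`, the temp-directory location and the file-name wildcard are assumptions.

```powershell
# Added example (not vendor code): show why this session got its language mode.
function Get-LanguageModeReport {
    [CmdletBinding()]
    param(
        # Assumption: probe files are written to the current user's temp directory.
        [string]$ProbeDirectory = $env:TEMP
    )

    # AppLocker: enforcement mode of the Script rule collection in the effective policy.
    $appLocker = 'Unavailable'
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        try {
            $xml = [xml](Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop)
            $rules = $xml.AppLockerPolicy.RuleCollection |
                Where-Object { $_.Type -eq 'Script' }
            $appLocker = if ($rules) { $rules.EnforcementMode } else { 'NotConfigured' }
        } catch {
            Write-Verbose "Could not read AppLocker policy: $_"
        }
    }

    # WDAC: user-mode code integrity status (0 = off, 1 = audit, 2 = enforced).
    $wdac = 'Unavailable'
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) { $wdac = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus }

    # Probe files currently on disk (assumed name pattern; often none are present).
    $probes = @(Get-ChildItem -Path $ProbeDirectory -Filter '*PSScriptPolicyTest*' `
        -File -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        LanguageMode        = $ExecutionContext.SessionState.LanguageMode
        AppLockerScriptMode = $appLocker
        WdacUserModeStatus  = $wdac
        ProbeFilesOnDisk    = $probes.Count
    }
}

Get-LanguageModeReport | Format-List
```

A `ConstrainedLanguage` result alongside an enforced AppLocker Script collection or a WDAC status of 2 matches the blocked-probe case described above.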

Additional Information

  • Constrained Language Mode helps to reduce the attack surface of PowerShell.
  • Full Language Mode grants access to any language element and therefore to any Windows API.
  • If using App Control, it is highly recommended to create a Custom Rule and ABExclusion to prevent the information from being returned to the Server.