
Exchange Management PowerShell raises an Error with AllSigned Execution Policy


Ivo Looser
Jan 25, 2008, 7:42:29 AM
Hi all,

In our Exchange 2007 SP1 environment we applied an AllSigned execution policy for PowerShell via Group Policy Management (machine policy).

Since then, when we open the Exchange Management Shell we get the following error from PowerShell:

There were errors in loading the format data file:

Microsoft.Exchange.Management.PowerShell.Admin, D:\Program Files\Microsoft Exchange\bin\Exchange.format.ps1xml : File skipped because of validation exception: "File D:\Program Files\Microsoft Exchange\bin\Exchange.format.ps1xml cannot be loaded. The contents of file D:\Program Files\Microsoft Exchange\bin\Exchange.format.ps1xml may have been tampered because the hash of the file does not match the hash stored in the digital signature. The script will not execute on the system. Please see "get-help about_signing" for more details..".

Welcome to the Exchange Management Shell!
......
Here are the basic helptext from the Management Shell as we expect.
......
PS>

The other scripts delivered by Microsoft work fine. It looks like this is a defect in the signature of the Exchange-specific formatting rules.

Can someone reproduce this problem?

Thanks in advance.

Ivo Looser

Shay Levi
Jan 25, 2008, 8:17:03 AM
Hi,

I tried to reproduce the error and found this:

1. I set the execution policy to AllSigned
2. Launched EMS

Do you want to run software from this untrusted publisher?
File C:\Program Files\Microsoft\Exchange Server\bin\Exchange.format.ps1xml is
published by CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond,
S=Washington, C=US and is not trusted on your system. Only run scripts from
trusted publishers.
[V] Never run [D] Do not run [R] Run once [A] Always run [?] Help
(default is "D"):v

I entered V for "Never run", and got this:

There were errors in loading the format data file:

Microsoft.Exchange.Management.PowerShell.Admin, C:\Program Files\Microsoft\Exchange Server\bin\Exchange.format.ps1xml : File skipped because of validation exception: "File C:\Program Files\Microsoft\Exchange Server\bin\Exchange.format.ps1xml cannot be loaded because you have elected to never run software from this publisher.".


## this error is 'considered OK' because the profile file is not signed

File C:\Documents and Settings\Administrator.domain\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 cannot be loaded. The file C:\Documents and Settings\Administrator.domain\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 is not digitally signed. The script will not execute on the system. Please see "get-help about_signing" for more details..

At line:1 char:2
+ . <<<< 'C:\Documents and Settings\Administrator.domain\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'

## this one is not

File C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1 is published by CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US. This publisher is explicitly untrusted on your system. The script will not execute on the system. Please see "get-help about_signing" for more details.

At line:1 char:2
+ . <<<< 'C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1'


Then I issued:

PS > dir cert:\CurrentUser\Disallowed

    Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\Disallowed

Thumbprint                                Subject
----------                                -------
564E01066387F26C912010D06BD78D3CF1E845AB  CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington...
7D7F4414CCEF168ADF6BF40753B5BECD78375931  OU=Microsoft Corporation, CN=Microsoft Corporation, L=Redmond, S=Washingto...
637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6  OU=Software, CN=Microsoft Corporation, L=Washington, S=DC, C=US, OU=Digita...


PS > dir cert:\LocalMachine\Disallowed

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Disallowed

Thumbprint                                Subject
----------                                -------
7D7F4414CCEF168ADF6BF40753B5BECD78375931  OU=Microsoft Corporation, CN=Microsoft Corporation, L=Redmond, S=Washingto...
637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6  OU=Software, CN=Microsoft Corporation, L=Washington, S=DC, C=US, OU=Digita...

Try right-clicking the PS1 files in Windows Explorer > Properties > Digital Signature tab.
Double-click the certificate in the Signature list box. I get a red X saying:

"A certificate was explicitly REVOKED by its issuer" (Thumbprint: 564E01066387F26C912010D06BD78D3CF1E845AB)


Checking the same procedure on my XP machine (not Exchange) returns:

The digital certificate is OK.

Could it be that Microsoft signed the Exchange files with a revoked certificate???

P.S. Your error message includes "...may have been tampered..."; I didn't find that on mine.


-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com


Ivo Looser
Jan 25, 2008, 10:00:27 AM
Hi,

Thanks for your review.

> "A certificate was explicitly REVOKED by its issuer" (Thumbprint: 564E01066387F26C912010D06BD78D3CF1E845AB)
>
> Could it be that Microsoft signed the Exchange files with a Revoked certificate???

You're right. The certificate is simply expired.

Do you want to run software from this untrusted publisher?
File D:\Program Files\Microsoft Exchange\bin\Exchange.ps1 is published by CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers.
[V] Never run [D] Do not run [R] Run once [A] Always run [?] Help
(default is "D"):R

Welcome to the Exchange Management Shell!

[PS] C:\>get-AuthenticodeSignature -filepath 'D:\Program Files\Microsoft Exchange\Bin\exchange.format.ps1xml'

    Directory: D:\Program Files\Microsoft Exchange\Bin

SignerCertificate                         Status        Path
-----------------                         ------        ----
564E01066387F26C912010D06BD78D3CF1E845AB  HashMismatch  exchange.format...


[PS] C:\>Get-ChildItem -Recurse cert:\ | ?{$_.Thumbprint -like "564E*"} | fl

Subject      : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Issuer       : CN=Microsoft Code Signing PCA, OU=Copyright (c) 2000 Microsoft Corp., O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Thumbprint   : 564E01066387F26C912010D06BD78D3CF1E845AB
FriendlyName :
NotBefore    : 04.04.2006 21:43:46
NotAfter     : 04.10.2007 21:53:46
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

Thanks for your help. I will try to open a ticket at Microsoft. When I know more I will send a message.

Best Regards
Ivo
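
The checks Shay and Ivo ran by hand, folded into one script. This is an added example, not code from the thread or from Exchange; it assumes the default C:\Program Files\Microsoft\Exchange Server\bin install path (Ivo's box used D:\Program Files\Microsoft Exchange\bin) and PowerShell 2.0 or later for Get-ExecutionPolicy -List and New-Object -Property. The point of telling the statuses apart: HashMismatch (Ivo's file) means the bytes no longer match the signed hash, which no publisher-trust decision can repair and which is exactly what AllSigned exists to catch; NotTrusted (Shay's file) means the signature is intact but the publisher is distrusted, and answering [V] "Never run" at the prompt is by itself enough to put the publisher certificate into the CurrentUser Disallowed store. An expired signer certificate, as in Ivo's output, only matters when the signature carries no timestamp countersignature.

```powershell
# Added example, not code from the thread. Reports, per file, what an AllSigned
# execution policy will do and why, so the administrator can tell a tampered
# file (HashMismatch) from a distrusted publisher (NotTrusted).
# Assumptions: install path below (adjust for D:\), PowerShell 2.0 or later.

$ExchangeBin = 'C:\Program Files\Microsoft\Exchange Server\bin'   # assumed path
$Targets = 'Exchange.ps1', 'Exchange.format.ps1xml' |
    ForEach-Object { Join-Path $ExchangeBin $_ }

function Get-SignerDisallowedEntry {
    # Returns Disallowed-store entries (CurrentUser and LocalMachine) matching
    # the signer thumbprint. Choosing [V] "Never run" at the AllSigned prompt
    # writes the publisher certificate into CurrentUser\Disallowed; every later
    # load of that publisher's files then fails as NotTrusted until it is removed.
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    foreach ($store in 'Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object { New-Object PSObject -Property @{ Store = $store; Thumbprint = $_.Thumbprint } }
    }
}

function Test-AllSignedLoad {
    param([Parameter(Mandatory=$true)][string[]]$Path)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Not found: $file"
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $cert = $sig.SignerCertificate

        # What AllSigned will do with this file, and the fix to look for.
        switch ($sig.Status) {
            'Valid'        { $verdict = 'Loads: intact signature from a trusted publisher.' }
            'NotSigned'    { $verdict = 'Blocked: no signature at all (e.g. an unsigned profile script).' }
            'HashMismatch' { $verdict = 'Blocked: content changed after signing. Trusting the publisher will not help; compare against a known-good copy.' }
            'NotTrusted'   { $verdict = 'Blocked: signature intact, publisher distrusted. Check the Disallowed stores and the signer validity window.' }
            default        { $verdict = "Blocked: status $($sig.Status)." }
        }

        $thumb = $null; $notAfter = $null; $expired = $false; $disallowed = @()
        if ($cert) {
            $thumb    = $cert.Thumbprint
            $notAfter = $cert.NotAfter
            # An expired signer is still acceptable to Authenticode when the
            # signature was countersigned by a timestamp authority; without a
            # timestamp, an expired signer is not.
            $expired    = $cert.NotAfter -lt (Get-Date)
            $disallowed = @(Get-SignerDisallowedEntry -Thumbprint $thumb)
        }

        New-Object PSObject -Property @{
            File          = Split-Path -Leaf $file
            Status        = $sig.Status
            Signer        = $thumb
            NotAfter      = $notAfter
            SignerExpired = $expired
            Timestamped   = ($sig.TimeStamperCertificate -ne $null)
            InDisallowed  = ($disallowed.Count -gt 0)
            Verdict       = $verdict
        }
    }
}

# Which scope enforces AllSigned? MachinePolicy (the GPO in Ivo's case) wins
# over every other scope, so Set-ExecutionPolicy on the box cannot override it.
Get-ExecutionPolicy -List | Format-Table -AutoSize

Test-AllSignedLoad -Path $Targets |
    Format-List File, Status, Verdict, Signer, NotAfter, SignerExpired, Timestamped, InDisallowed
```

Run it from a plain PowerShell prompt on the Exchange server, not from inside the EMS, so the report is not itself cut short by the load failure. If InDisallowed is true for a Microsoft signer, the entry came from a [V] answer at the prompt and can be removed with certmgr.msc (Untrusted Publishers) or, on PowerShell 3.0 or later, with Remove-Item on the Cert: path; if the status is HashMismatch, do not add the publisher to Trusted Publishers, since the file itself is what changed.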

Shay Levi
Jan 26, 2008, 9:00:13 AM
Ivo,

Just to clarify, what does the "Digital Signature Information" say when you right-click C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1 > Properties > Digital Signature tab and double-click the certificate in the Signature list box? I get a red X saying:

"A certificate was explicitly REVOKED by its issuer"

Now.. there is a huge difference between REVOKED and EXPIRED.


PS > get-AuthenticodeSignature -filepath 'C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1'

    Directory: C:\Program Files\Microsoft\Exchange Server\bin

SignerCertificate                         Status      Path
-----------------                         ------      ----
564E01066387F26C912010D06BD78D3CF1E845AB  NotTrusted  Exchange.ps1


Note that the Status is "NotTrusted". Can you confirm?


-----
Shay Levi
$cript Fanatic
http://scriptolog.blogspot.com
