I'm a complete rookie to programming. I will say so much off the bat: please go easy on me. I simply want to know what happens on a system-wide level when I run a script through the PowerShell ISE program. If I run something in an IDE, I have always assumed that no system calls are made, meaning the script isn't communicating with the kernel or making actual changes to the OS. To the contrary, the script is simply being run in a sandboxed environment, as a test run for lack of better terms. I use the term sandboxed loosely here.

If I am on the mark here regarding how an IDE works, does PowerShell also work the same way? If I am incorrect overall with all of my observations, please correct me. I'm just a tad bit beyond the phase of a script kiddie. I can write simple Bash scripts and execute PowerShell commands but I am miles behind the talent of a developer or full-time programmer. Looking for an answer from a veteran to a rookie here.

  • Running on PowerShell ISE still allows the app to make actual changes to the OS. – Martheen Jan 02 '22 at 14:44
  • As an aside: The PowerShell ISE is [no longer actively developed](https://docs.microsoft.com/en-us/powershell/scripting/components/ise/introducing-the-windows-powershell-ise#support) and [there are reasons not to use it](https://stackoverflow.com/a/57134096/45375) (bottom section), notably not being able to run PowerShell (Core) 6+. The actively developed, cross-platform editor that offers the best PowerShell development experience is [Visual Studio Code](https://code.visualstudio.com/) with its [PowerShell extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell). – mklement0 Jan 02 '22 at 16:28

1 Answer

The PowerShell ISE is called an Integrated Scripting Environment. It can be thought of as a stripped down Visual Studio or maybe instead an enlightened Notepad with a paired PowerShell console.

In any case, and maybe someone will chime in with the true history of the ISE here, the PowerShell console is just as effective and powerful as the Linux Bash Shell, or the Windows Command Prompt.

Commands you run in PowerShell use underlying Windows APIs or dotnet namespaces which can absolutely change the system.

For instance, you can start and stop services or even disable them, if you've got the permissions and are running as an administrator. That's definitely changing the underlying system.

```powershell
Set-Service -Name Spooler -StartupType Disabled
```

You can also change registry keys you definitely should not be touching.

```powershell
# Disable Windows Update (automatic updates policy: NoAutoUpdate = 1 under the AU key)
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name NoAutoUpdate -Type DWord -Value 1
```

Having permission to do these things depends on what your account can do. If you're running as a standard Windows user without admin rights, these calls will fail.

If you run the ISE or PowerShell without 'Run As Administrator', these calls will fail.

However, if you are an admin, and run PowerShell or the ISE as an Admin, you have effectively taken both safeties off and can now freely ventilate your foot.

Same goes for if you're running with a powerful Active Directory or Azure account. Only use those credentials when you need them, or your inevitable accidents will be truly remarkable, swift and terrible.

mklement0
FoxDeploy
  • Most excellent answer, my friend. I suspect you have extensive experience as a programmer or system administrator, yes? I think you've covered all of the bases here but I'll leave this open in the case that others prefer to chime in. – Linux Overthrow Jan 02 '22 at 16:53
  • Let's just say I learned the hard way not to use my Domain Administrator account when learning to script. I thought my code was perfect so I ran it, and then the help desk calls immediately started coming in. – FoxDeploy Jan 03 '22 at 14:27
  • As opposed to PowerShell ISE, what happens on a system-wide level when I run a command in VS Code? I am still learning about all of the different editors, IDEs etc. – Linux Overthrow Jan 15 '22 at 19:32
  • ... I should have done the common-sense thing by simply testing code. I created a directory in VS Code. The same document showed up in my system so it looks like it has the same effect as running a program in the default shell. – Linux Overthrow Jan 15 '22 at 19:41
  • VS Code can make changes to the system. Really any app that you run as yourself can do the same things you can do to the computer when you run them. – FoxDeploy Jan 16 '22 at 03:21
  • Right, I think that's common sense - especially if you run something with admin privileges. For a program to work, it has to make system calls. However, I have always just assumed that given the main point of an IDE is to develop and test software, by default, the IDEs don't make changes. If there's uncertainty as to whether or not a script is harmful, surely there should be a way to test it. Would you just use the debugging function for this? A developer could run Windows Sandbox or chroot on Linux, but neither of those sandboxes are quite like a real production environment. – Linux Overthrow Jan 17 '22 at 05:41
  • If I were to write a new method in a C# console app in Visual Studio which enumerated through a directory then deleted each file, one by one, and ran it in debug mode within VS, it will absolutely delete every file. I like the assumption of safety that you're presuming here, but it largely doesn't exist. – FoxDeploy Jan 18 '22 at 14:48
  • PowerShell does offer the `-WhatIf` standard switch which shows you what 'would have happened if' you ran this cmdlet. – FoxDeploy Jan 18 '22 at 14:49
  • You're welcome, everyone was uncertain at one point, and I can understand why you thought it would work the way you thought. For me, I ran a powerful command against Active Directory with the -WhatIf switch enabled, and misread the results, so I ran the command anyway. I ended up emptying 40 something critical AD Security groups, including groups which allowed people to enter the building, use their phones or leave the parking deck. – FoxDeploy Jan 19 '22 at 03:14
  • The help desk phone lines instantly started ringing as people couldn't enter the building, or use their Skype Enabled phones on their desks, or log back in once they logged off. It ended up needing a four hour Microsoft support call to be guided through an Authoritative AD Forest recovery from backup tapes. – FoxDeploy Jan 19 '22 at 15:08
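
Two points from the answer and its comments (a console or ISE session acts with your own token, and `-WhatIf` previews a change instead of making it), as an added example that is not part of the original thread. The function names `Test-IsElevated` and `Remove-ScratchFile`, the `-MaxItems` limit and the scratch directory are hypothetical.

```powershell
# Added example; function names and the scratch directory are hypothetical.

function Test-IsElevated {
    # True when the current process token carries the local Administrators role,
    # i.e. the console or ISE was started with 'Run as Administrator'.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Remove-ScratchFile {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm, the same
    # switches the built-in cmdlets expose.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxItems = 10   # refuse unexpectedly large batches
    )
    $targets = @(Get-ChildItem -LiteralPath $Path -File)
    if ($targets.Count -gt $MaxItems) {
        throw "Refusing to remove $($targets.Count) files (limit $MaxItems)."
    }
    foreach ($file in $targets) {
        # With -WhatIf, ShouldProcess prints the action and returns $false.
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove file')) {
            Remove-Item -LiteralPath $file.FullName
        }
    }
}

# Constructed sample data in a throwaway directory under %TEMP%.
$scratch = Join-Path $env:TEMP 'whatif-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
1..3 | ForEach-Object { Set-Content -Path (Join-Path $scratch "file$_.txt") -Value 'demo' }

"Elevated session: $(Test-IsElevated)"
Remove-ScratchFile -Path $scratch -WhatIf            # preview only, nothing deleted
"Files after -WhatIf: $(@(Get-ChildItem $scratch -File).Count)"
Remove-ScratchFile -Path $scratch -Confirm:$false    # real run, files are deleted
"Files after real run: $(@(Get-ChildItem $scratch -File).Count)"
Remove-Item -LiteralPath $scratch
```

The script behaves the same whether it is run from the ISE, a plain console or the VS Code terminal; only the account and elevation of the hosting process change what it is allowed to do.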