
PowerShell script integrity modes and custom encryption prior to version 7

Note

  • This page describes how to run PowerShell scripts in low and medium integrity mode for Snow Inventory Agent for Windows version 6.14.5 or earlier. It also describes how to encrypt custom created PowerShell scripts with a custom encryption key. The corresponding functionality for the latest version of the agent is described in Running PowerShell scripts as part of the scanning process.

  • Be aware of the vulnerabilities CVE-2023-7169 and CVE-2024-1149, affecting Snow Inventory Agent for Windows version 6.14.5 or earlier. For more information, refer to Inventory Agent Security Update on Snow Globe.

The file extension of a script file determines the integrity level at which the agent runs it.

  • .ps1: PowerShell scripts with this file extension are not encrypted and are run in low integrity mode. Windows mandatory integrity control enforces a no-write-up rule, so in this mode the script and any child processes it starts cannot write to objects labelled at a higher integrity level, which covers most of the file system and registry; this is what prevents these scripts from modifying the underlying system. Note that integrity levels restrict writes, not reads: a low integrity script can still read whatever the account it runs under is otherwise permitted to read.

  • .snow-ps1: PowerShell scripts with this file extension are encrypted and are run in medium integrity mode, the level of a standard interactive user process. The agent does not execute a .snow-ps1 script that was encrypted with a key other than the one it is configured with (see the notes on custom keys below), so possession of the encryption key is what authorizes a script to run at medium integrity. Protect the key, and the configuration that holds it, accordingly.

For details regarding Windows integrity modes, refer to the following MSDN article: https://msdn.microsoft.com/en-us/library/bb625957.aspx
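The following probe is an added example and is not part of the Snow documentation or the agent. It reports the integrity level its own process runs at and tries a few writes and one read, so you can deploy it once as a .ps1 and once encrypted as a .snow-ps1 and compare the two reports. It only emits an object to the pipeline; how the agent collects script output is not covered here and is not assumed. The integrity-level RIDs are the ones Windows defines; the probed paths are ordinary environment-variable locations.

```powershell
# Added example (not part of the Snow documentation). Save as integrity-probe.ps1
# to observe low integrity mode, encrypt it to .snow-ps1 to observe medium
# integrity mode, and compare the two reports.

# Integrity-level SIDs have the form S-1-16-<RID>; these RIDs are defined by Windows.
$IntegrityLevels = @{
    0     = 'Untrusted'
    4096  = 'Low'
    8192  = 'Medium'
    8448  = 'Medium Plus'
    12288 = 'High'
    16384 = 'System'
}

function Get-ProcessIntegrityLevel {
    # The mandatory label is listed among the token's groups; whoami can print it as CSV.
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $label) { return 'Unknown' }
    $rid = [int]($label.SID -replace '^S-1-16-', '')
    if ($IntegrityLevels.ContainsKey($rid)) { $IntegrityLevels[$rid] } else { "RID $rid" }
}

function Get-ErrorName {
    # .NET exceptions reach PowerShell wrapped in MethodInvocationException; unwrap them.
    param($ErrorRecord)
    $e = $ErrorRecord.Exception
    if ($e.InnerException) { $e = $e.InnerException }
    $e.GetType().Name
}

function Test-WriteAccess {
    # Create and delete a probe file. Under no-write-up this fails in every directory
    # labelled higher than the process, which at low integrity is most of the disk.
    param([string]$Path)
    $probe = Join-Path $Path ('integrity-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        'writable'
    } catch {
        'denied (' + (Get-ErrorName $_) + ')'
    }
}

function Test-ReadAccess {
    # Integrity levels do not block reads of files, so this is expected to succeed
    # at low integrity wherever the DACL already allows the account to read.
    param([string]$Path)
    try { [void][IO.File]::ReadAllText($Path); 'readable' }
    catch { 'denied (' + (Get-ErrorName $_) + ')' }
}

$report = [ordered]@{
    IntegrityLevel     = Get-ProcessIntegrityLevel
    User               = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    # AppData\LocalLow is the per-user folder labelled Low; it should be writable at both levels.
    Write_LocalLow     = Test-WriteAccess (Join-Path $env:USERPROFILE 'AppData\LocalLow')
    Write_LocalAppData = Test-WriteAccess $env:LOCALAPPDATA
    Write_ProgramData  = Test-WriteAccess $env:ProgramData
    Write_Windows      = Test-WriteAccess $env:windir
    Read_WinIni        = Test-ReadAccess (Join-Path $env:windir 'win.ini')
}
[pscustomobject]$report
```

Run as .ps1, expect a Low integrity level with LocalLow writable and the other directories denied while the read still succeeds; run as .snow-ps1, expect Medium with the per-user locations writable and only the system directories denied by their DACLs.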

Custom encryption and decryption of PowerShell scripts

The scripts supplied by Snow Software are encrypted with a default key that is built into the agent. To make it possible for users to run PowerShell scripts that are not written by Snow Software in medium integrity mode, a unique custom encryption key can be configured instead. The custom encryption key replaces the default key, so once it is configured the agent accepts only scripts encrypted with the custom key.

To generate a custom encryption key, use the psencrypt.exe tool. The tool is available for download via the following support article on Snow Community: https://community.snowsoftware.com/s/article/PSEncrypt-tool. Note that you must first sign in to Snow Community to be able to access the article via the link.

psencrypt.exe keygen

To enable encryption with a custom encryption key, set the configuration option powershell.encryption_key in SystemSettings to the key produced by keygen:

<SystemSettings>
    <Setting key="powershell.encryption_key" value="[value of custom encryption key]"/>
</SystemSettings>

To encrypt scripts with the custom encryption key:

  1. Use the psencrypt.exe tool:

    psencrypt.exe encrypt <path_to_target_script> <path_to_output_file>
  2. When asked for input, enter the custom encryption key.

    Note

    Scripts created by Snow Software and customers can both be encrypted by using a custom encryption key.

    Note

    When the agent is configured to use a custom encryption key, it will not execute the default scripts provided by Snow Software, because those are encrypted with the default key. To execute these scripts, they must be encrypted a second time, using the custom encryption key:

    psencrypt.exe encrypt <Snow Software standard script>.snow-ps1 <re-encrypted Snow Software script>.snow-ps1

To decrypt scripts with the custom encryption key:

  1. Use the psencrypt.exe tool:

    psencrypt.exe decrypt <path_to_target_script> <path_to_output_file>
  2. When asked for input, enter the custom encryption key.
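The procedure above (configure the key, then encrypt or decrypt each script, including re-encrypting the Snow Software default scripts) is repetitive when a scan uses many scripts. The following helpers are an added example and are not part of the Snow documentation or the psencrypt tool. Two things are assumptions, not facts from the page: the agent configuration is an XML file whose path you pass in (the page shows only the SystemSettings fragment), and psencrypt.exe reads the key from standard input when it prompts for it, so the key can be piped. If the tool only accepts the key from the interactive console, the per-file loop still shows which files need processing, but you must enter the key by hand. The command-line syntax used is exactly the one documented above.

```powershell
# Added example (not part of the Snow documentation or the psencrypt tool).
# Assumptions: -ConfigPath is the agent's XML configuration containing
# <SystemSettings>; psencrypt.exe accepts the key on standard input at its prompt.

function Set-PowerShellEncryptionKey {
    # Write powershell.encryption_key into <SystemSettings>, creating the <Setting> if absent.
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [Parameter(Mandatory)] [string] $KeyValue
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load((Resolve-Path $ConfigPath).Path)
    $settings = $xml.SelectSingleNode('//SystemSettings')
    if (-not $settings) { throw "No <SystemSettings> element found in $ConfigPath" }
    $node = $settings.SelectSingleNode("Setting[@key='powershell.encryption_key']")
    if (-not $node) {
        $node = $xml.CreateElement('Setting')
        $node.SetAttribute('key', 'powershell.encryption_key')
        [void]$settings.AppendChild($node)
    }
    $node.SetAttribute('value', $KeyValue)
    $xml.Save((Resolve-Path $ConfigPath).Path)
}

function Invoke-PsEncrypt {
    # Documented syntax: psencrypt.exe encrypt|decrypt <in> <out>, followed by a key prompt.
    # Assumption: the prompt reads from stdin, so the key is piped rather than typed.
    param(
        [Parameter(Mandatory)] [string] $PsEncryptPath,
        [Parameter(Mandatory)] [ValidateSet('encrypt', 'decrypt')] [string] $Mode,
        [Parameter(Mandatory)] [string] $InputPath,
        [Parameter(Mandatory)] [string] $OutputPath,
        [Parameter(Mandatory)] [string] $KeyValue
    )
    $output = $KeyValue | & $PsEncryptPath $Mode $InputPath $OutputPath 2>&1
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $OutputPath)) {
        throw "psencrypt $Mode failed for $InputPath (exit code $LASTEXITCODE): $output"
    }
}

function Convert-ScriptDirectory {
    # encrypt: *.ps1 (your own scripts) and *.snow-ps1 (Snow defaults, re-encrypted) -> *.snow-ps1
    # decrypt: *.snow-ps1 -> *.ps1
    # Output goes to a separate directory so the originals are never overwritten.
    param(
        [Parameter(Mandatory)] [string] $PsEncryptPath,
        [Parameter(Mandatory)] [string] $SourceDir,
        [Parameter(Mandatory)] [string] $DestDir,
        [Parameter(Mandatory)] [ValidateSet('encrypt', 'decrypt')] [string] $Mode,
        [Parameter(Mandatory)] [string] $KeyValue
    )
    New-Item -ItemType Directory -Path $DestDir -Force | Out-Null
    $files = Get-ChildItem -LiteralPath $SourceDir -File | Where-Object {
        if ($Mode -eq 'encrypt') { $_.Name -like '*.ps1' -or $_.Name -like '*.snow-ps1' }
        else { $_.Name -like '*.snow-ps1' }
    }
    $newExt = if ($Mode -eq 'encrypt') { '.snow-ps1' } else { '.ps1' }
    foreach ($f in $files) {
        # GetFileNameWithoutExtension strips only the last extension, so foo.snow-ps1 -> foo.
        $outName = [IO.Path]::GetFileNameWithoutExtension($f.Name) + $newExt
        $outPath = Join-Path $DestDir $outName
        Invoke-PsEncrypt -PsEncryptPath $PsEncryptPath -Mode $Mode `
            -InputPath $f.FullName -OutputPath $outPath -KeyValue $KeyValue
        [pscustomobject]@{ Source = $f.Name; Output = $outName; Mode = $Mode }
    }
}

# Usage (paths are placeholders; the key is the output of 'psencrypt.exe keygen'):
# $key = Read-Host -Prompt 'Custom encryption key'
# Set-PowerShellEncryptionKey -ConfigPath 'C:\path\to\agent-config.xml' -KeyValue $key
# Convert-ScriptDirectory -PsEncryptPath 'C:\Tools\psencrypt.exe' -SourceDir '.\scripts' `
#     -DestDir '.\scripts-custom-key' -Mode encrypt -KeyValue $key
```

Keep the key out of shell history and scripts checked into source control; read it interactively as the usage note does, or from a secrets store, and remember that anyone who can read the agent configuration holding powershell.encryption_key can produce scripts the agent will run at medium integrity.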