- \n
- %windir%\\system32\\Windows\u00adPowerShell\\v1.0\\profile.ps1<\/strong>\n
- \n
- This is for all users of the computer and for all shells.<\/li>\n<\/ul>\n<\/li>\n
- %windir%\\system32\\Windows\u00adPowerShell\\v1.0\\Microsoft.Power\u00adShell_profile.ps1<\/strong>\n
- \n
- This is for all users of the computer, but it is only for the Microsoft.PowerShell shell.<\/li>\n<\/ul>\n<\/li>\n
- %UserProfile%\\Documents\\Windows\u00adPowerShell\\profile.ps1<\/strong>\n
- \n
- This is for the current user only and all shells.<\/li>\n<\/ul>\n<\/li>\n
- %UserProfile%\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1<\/strong>\n
- \n
- This is for the current user only and only for the Microsoft.PowerShell shell.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
You can test it by running the following commands (obviously file writing restrictions apply depending on the OS and the user privileges):<\/p>\n
md %UserProfile%\\Documents\\WindowsPowerShell\\\r\nmd %windir%\\system32\\WindowsPowerShell\r\nmd %windir%\\system32\\WindowsPowerShell\\v1.0\\\r\n\r\necho echo profile1 >%windir%\\system32\\WindowsPowerShell\\v1.0\\profile.ps1\r\necho echo profile2 >%windir%\\system32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1\r\necho echo profile3 >%UserProfile%\\Documents\\WindowsPowerShell\\profile.ps1\r\necho echo profile4 >%UserProfile%\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1\r\n<\/pre>\n
and then run PowerShell.<\/p>\n
Btw. If you are wondering what these commands are doing – first 3 ensure the respective directories exist; the next 4 ones create dummy profile files with a simple command ‘echo xyz’, where xyz is a number of the profile. When executed for testing purposes they will simply show you which profile has been loaded by PowerShell. In a real-case scenario these would be replaced with an instruction to launch malware or could be any PowerShell command.<\/p>\n
Anyway, back to the test. You will most likely be surprised to see that PowerShell does not load these profiles without a fight i.e. you may see a couple of error messages.<\/p>\n
This is because by default the OS policy prevents executing PowerShell scripts (including the profile scripts) and one has to enable them first as documented here<\/a>.<\/p>\n
The Windows Registry values guarding this policy are stored under respective hkcu\/hklm branches:<\/p>\n
software\\policies\\microsoft\\windows\\powershell\\<\/pre>\n
EnableScripts (REG_DWORD)\r\n ExecutionPolicy (REG_SZ)<\/pre>\n
One can enforce then script execution by running the following commands (hklm may replace hkcu):<\/p>\n
reg add hkcu\\Software\\Policies\\Microsoft\\Windows\\PowerShell \/f \/v EnableScripts \/t reg_dword \/d 1\r\nreg add hkcu\\Software\\Policies\\Microsoft\\Windows\\PowerShell \/f \/v ExecutionPolicy \/t reg_sz \/d Unrestricted\r\n<\/pre>\n
Launching PowerShell now will show the following:<\/p>\n
![\"powershell_profile\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/08\/powershell_profile.png\")
<\/a><\/p>\nYou can download a batch file that I used to test the commands here<\/a>.<\/p>\n
Tested on Windows 8.1 and Windows 7.<\/p>\n","protected":false},"excerpt":{"rendered":"
Documenting various persistence mechanisms would not be complete without mentioning these that could be based on legitimate and fully-documented system features. One such mechanism we are going to talk about is called ‘custom Power Shell profile’. It is a distant … Continue reading
- This is for the current user only and only for the Microsoft.PowerShell shell.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n