Disable PowerShell?

[andrey 16]

Hello all!

The EmsiSoft blog https://blog.emsisoft.com/2017/11/17/fileless-malware-attacks/

informs about fileless Malvare. And that more often in the Windows registry they hit Windows PowerShell and WMI.

It is recommended that you turn off PowerShell.

But I do not understand how to do this? From the above instructions, it is unclear ...

In my computer(Windows 7x64), I do not find the ability to disable this application

Just launch it as a command line!

Please tell us more about the disable PowerShell!

Download Image

[JeremyNicoll 45]

Whenn you go to the Control Panel screen which lists installed programs - called "Add/remove programs" on XP and "Programs & Features" on later versions of Windows, you should see a list of applications you installed and probably that's all you're used to looking at there.  But as well as that, there should be an entry at the top left that lets you change which Windows features are enabled.  PowerShell isn't in the list of ordinary installed applications, but as it's a Windows feature, it can be turned off using the option at the top left. 

Does that help?  If not maybe you could post a screenshot of what your "Programs & Features" panel looks like?

[andrey 16]

Hi!

You mean this is it? components of Windows? But there is no PowerShell

Download Image

[JeremyNicoll 45]

Yes, that's the right place.   If PowerShell isn't listed (I can't read the cyrillic parts of your screenshot), maybe it's not actually been installed?   According to 

https://blogs.technet.microsoft.com/heyscriptingguy/2011/01/07/how-do-i-install-powershell-on-windows-7-and-other-questions/

PowerShell, if you have it, will have shortcuts at  Start / All Programs / Accessories / Windows PowerShell.    Do you have those?

[GT500 495]

PowerShell comes installed by default on Windows 7, Windows 8, Windows 8.1, and Windows 10 (in fact it has superseded the Command Prompt on Windows 10).

In theory it could have already been uninstalled, or the name in the list is in Russian and possibly doesn't translate as expected.

[slopes 3]

How do you uninstall /disable powershell on windows 7?

[slopes 3]

6 hours ago, JeremyNicoll said:

Whenn you go to the Control Panel screen which lists installed programs - called "Add/remove programs" on XP and "Programs & Features" on later versions of Windows, you should see a list of applications you installed and probably that's all you're used to looking at there.  But as well as that, there should be an entry at the top left that lets you change which Windows features are enabled.  PowerShell isn't in the list of ordinary installed applications, but as it's a Windows feature, it can be turned off using the option at the top left. 

Does that help?  If not maybe you could post a screenshot of what your "Programs & Features" panel looks like?

Windows 7 doesn't list it in programs and features or in turn features off or on.I do have it in windows accessories .

[andrey 16]

5 hours ago, JeremyNicoll said:

Yes, that's the right place.   If PowerShell isn't listed (I can't read the cyrillic parts of your screenshot), maybe it's not actually been installed?   According to 

https://blogs.technet.microsoft.com/heyscriptingguy/2011/01/07/how-do-i-install-powershell-on-windows-7-and-other-questions/

PowerShell, if you have it, will have shortcuts at  Start / All Programs / Accessories / Windows PowerShell.    Do you have those?

Yes, in the list of programs, as you indicated, have the PowerShell.

[JeremyNicoll 45]

Hmm.  A bit more googling looking for explicit instructions on how to remove Powershell from win 7 suggests it's not really possible.  Some posts suggest things like removing registry keys (which I suppose might make Windows think it's not there, but it still will be).   I've also seen suggestions that uninstalling "windows management framework 5.0" might remove PowerShell as well.  But I have no idea if that is true nor whether it's a good idea.

 

I see that @Umbra has said (in comments on the oroginal blog entry) that there's W7 advice on the net.  Perhaps he could say which advice is the right advice... and if there's disadvantages to following it?

[andrey 16]

Hi!

But I absolutely do not use PowerShell, I never run. Maybe there is no danger then?

Obviously, there is no way to remove this preinstalled program from the computer!

[slopes 3]

1 hour ago, andrey said:

Hi!

But I absolutely do not use PowerShell, I never run. Maybe there is no danger then?

Obviously, there is no way to remove this preinstalled program from the computer!

From what I understand it is still vulnerable if you don't run it.

[andrey 16]

Hi!

It is about this (vulnerability) and is reported in the blog Emsisoft!

[GT500 495]

There doesn't appear to be a way to uninstall PowerShell in Windows 7. You might be able to create an Application Rule in Emsisoft Anti-Malware to block PowerShell from running though.

On my Windows 7 computer it looks like PowerShell can run out of the following locations:

• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe

[slopes 3]

1 hour ago, GT500 said:

There doesn't appear to be a way to uninstall PowerShell in Windows 7. You might be able to create an Application Rule in Emsisoft Anti-Malware to block PowerShell from running though.

On my Windows 7 computer it looks like PowerShell can run out of the following locations:

• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe

Thanks GT500, I blocked them all.

I have read that windows 7 needs powershell for other functions?

I'll see what happens

Thanks again!

[Peter2150 43]

Powershell is a tough bird.  I've got the same four powershell exe's blocked, but that won't stop it.   Won't break anything for most users,  but  won't block it.   There is also a DLL  system.managament.autmation.dll  that  can fire off Powershell.   Not sure extactly w here in windows it, I've got it blocked with wildcards. 

I've done a lot homework on powershell malware and there are two bottom lines.

 

1.  If some can get the right script on your computer and it runs, it's game over.  They own you.

2.  The good news, is all of these infections were delivered by  email, so if you good email control your are safe

[Umbra 30]

system.management.automation.dll  is the one to block if you worry about powershell-based exploits. 

[slopes 3]

1 hour ago, Umbra said:

system.management.automation.dll  is the one to block if you worry about powershell-based exploits. 

How is this entered into a rule? I found it in C:\Windows\winsxs\msil_system.management.automation.........

Edit....Entered entire address emsisoft says file doesn't exist

 

Thanks

[Umbra 30]

You have to select "all files" in the search window.

[slopes 3]

55 minutes ago, Umbra said:

You have to select "all files" in the search window.

Yes! that worked 

thank you Umbra

[Insert Real Name 1]

Does one need to disable Powershell completely? And is this even desirable or possible on Windows versions greater than 7? On my Windows 7 machine, I started a Powershell console w/administrative privileges and ran

Set-Execution-Policy -Scope LocalMachine Restricted

which disables running PowerShell scripts execution in any context. Individual Powershell commands are still allowed, of course, so Powershell-powered malware hasn't been entirely neutered, but this is a significant protection I think.

[Umbra 30]

@Insert Real Name Yes, this is a start, but if you don't need Powershell at all, better disable it "completely".

[Amadei 0]

How much time did it take?

[Peter2150 43]

On 11/27/2017 at 6:57 PM, Umbra said:

@Insert Real Name Yes, this is a start, but if you don't need Powershell at all, better disable it "completely".

Hi Umbra

On win 7 x64 Pro   exactly how do you completely disable Powershell

[Umbra 30]

@Peter2150

1- by restricting users to use it  via Group policy 

https://community.spiceworks.com/topic/1183987-disabling-powershell-with-group-policy

2- via SRP, blocking:

• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
• system.management.automation.dll

3- by uninstalling it

windows/forum/windows_7-performance/how-to-uninstall-powershell-windows-7/c7077177-294d-4aed-8307-a1a554a56ae5?auth=1

 

i usually just do step 2, good enough for me.

 

[Peter2150 43]

Thanks Umbra.   I've also done step 2,  and I suspect your right that is good enough.

[GT500 495]

On 12/25/2017 at 6:53 AM, Amadei said:

How much time did it take?

Most of the methods for disabling PowerShell mentioned here shouldn't take more than 5-10 minutes.

[Umbra 30]

Yes because Powershell isn't dangerous by itself, and is needed sometimes by the system reason why you can't remove it (only the old version can); not saying on Win10, it will replace cmd very soon.

So since the old v2 is vulnerable and often used as an attack vector, disabling its execution is enough.

[biodegradable 1]

thanks and Umbra and Peter,i delete it also although i didnt know what is anyway xd

[slopes 3]

On 12/25/2017 at 7:07 PM, Umbra said:

@Peter2150

1- by restricting users to use it  via Group policy 

https://community.spiceworks.com/topic/1183987-disabling-powershell-with-group-policy

2- via SRP, blocking:

• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
• C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
• system.management.automation.dll

3- by uninstalling it

windows/forum/windows_7-performance/how-to-uninstall-powershell-windows-7/c7077177-294d-4aed-8307-a1a554a56ae5?auth=1

 

i usually just do step 2, good enough for me.

 

Just curious why is step 2 considered a srp? Because a password is required to change it?

[JeremyNicoll 45]

> Just curious why is step 2 considered a srp? Because a password is required to change it?

I think SRP is 'Software Restriction Policy' - as described eg at: https://technet.microsoft.com/en-gb/library/bb457006.aspx  - is that what you think it means?

[slopes 3]

38 minutes ago, JeremyNicoll said:

> Just curious why is step 2 considered a srp? Because a password is required to change it?

I think SRP is 'Software Restriction Policy' - as described eg at: https://technet.microsoft.com/en-gb/library/bb457006.aspx  - is that what you think it means?

I thought it meant Secure password based authentication, must of been a typo in my google search,  your def makes much more sense.

Thanks again for answering my stupid questions Jeremy

[Umbra 30]

5 hours ago, JeremyNicoll said:

> Just curious why is step 2 considered a srp? Because a password is required to change it?

I think SRP is 'Software Restriction Policy' - as described eg at: https://technet.microsoft.com/en-gb/library/bb457006.aspx  - is that what you think it means?

SRP is indeed Software Restriction Policy, like Windows' Applocker (available in pro version) and some other 3rd party softs.

Step 2 can be done with any default-deny type of softs (those allowing you to select a executable and block it from running) , EAM can block them too.