Windows 11 Group Policy/Reg/Something Deployable RUN/EXECUTE .ps1 files by default


PWn3R

Member
Local time
9:45 AM
Posts
11
OS
Windows 11 Insider Developer Preview
Good day!

Our team has been working to find a way to force Windows 11 to RUN .ps1 files by default. There is a valid function being run on approximately 3000 machines in our environment that has to run as a .ps1. This process was working with a single registry change on Windows 10, but does not work with that change on Windows 11.

We've spent hundreds of hours so far trying many different registry entries, and eventually found a combination of changes (below) that work SOME of the time. We are seeing that in some cases the permissions are changed on these registry locations, and that some of the values randomly change on the machines after Windows updates occur. We have to find a way to make this work, or we are looking at other uglier processes like making a .bat wrapper that echoes the powershell to a file and then executes it, then deletes the ps1, etc. These would all be stacked on top of another software solution that is using a generic account in Windows but impersonates the user when someone logs into the computer (username and password get passed to scripts that create the impersonated environment and other scripts clean it up on logout).

Has anyone else run into this and found a reliably working solution we can deploy via registry settings, group policy, or add to the image for these machines?

HKEY_CURRENT_USER
Key path Software\Classes\Applications\powershell.exe\shell\open\command
Value name (Default)
Value type REG_SZ
Value data "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "%1"

HKEY_CURRENT_USER
Key path Software\Classes\ps1_auto_file\shell\open\command
Value name (Default)
Value type REG_SZ
Value data "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "%1"

HKEY_CURRENT_USER
Key path Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ps1\OpenWithList
Value name a
Value type REG_SZ
Value data powershell.exe

HKEY_CURRENT_USER
Key path Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ps1\OpenWithList
Value name MRUList
Value type REG_SZ
Value data a
 

My Computer

System One

  • OS
    Windows 11 Insider Developer Preview
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom
    CPU
    7950x3D
    Motherboard
    ASRock x670e Taichi
    Memory
    64GB G.skill 6000Mhz CL32 @ 6400Mhz CL30
    Graphics Card(s)
    Nvidia Founders Edition RTX 4090
    Sound Card
    Scarlett Solo 3rd Gen
    Screen Resolution
    1x4k@160hz and 2x1440p@165Hz
    Hard Drives
    8xDell SAS 800GB SSD, 1x4TB Samsung 990 Pro, 1x2TB Samsung 980 Pro, 2x2TB Samsung 980 Pro, 4x980GB Sandisk SATA SSD
    PSU
    Seasonic Prime Platinum 1200W
    Case
    Thermaltake Tower 900 White
    Cooling
    2x480 and 1x560 Rad custom loop
    Keyboard
    Glorius GMMK Pro
    Mouse
    Razer Naga Pro V2
    Internet Speed
    Symmetrical 1Gbps Fiber Optic on Palo Alto PA440
    Browser
    Microsoft Edge Developer Preview
What kind of PS script or function needs to be run, how will it be started (and by whom), and how are results collected? That explanation is more helpful, rather than jumping into a discussion on shell keys.
 

My Computer

System One

  • OS
    Windows 7
Our team has been working to find a way to force Windows 11 to RUN .ps1 files by default.
What do you mean by "RUN .ps1 files by default"? I'm confused because I would have expected an attempt to preset the execution policy, but I just see registry settings related to right-click open-with. Are you trying to make .PS1 files double-clickable, so that they can be run similarly to a CMD or VBS script without any prompts and without having to right-click and select "Run with PowerShell"? Does the PowerShell script have to be user-initiated or can it be run on logon or via a scheduled task?

A common solution is to run the PowerShell script with a little VBScript launcher. For example:

Code:
' Launch the script through powershell.exe directly, so the .ps1 file association is never consulted
Set oWSH = CreateObject("Wscript.Shell")
CmdLine = "Powershell.exe -NoLogo -ExecutionPolicy Bypass -File C:\Scripts\SomeScript.ps1"
' 1 = normal window style, False = do not wait for the script to finish
oWSH.Run CmdLine, 1, False
 

My Computer

System One

  • OS
    Windows 10/11
    Computer type
    Laptop
    Manufacturer/Model
    Acer
The third party application just runs the default action in Windows. Not all the registry entries above are for right click, one of them appears to be but was the last one added that seemed to make the difference in getting this working sometimes.

The script itself is procedurally generated when the 3rd party GINA program interprets logon information. It places the username and password for the user into a file and then executes it. Because some users' passwords contain characters that break net use drive mappings, we created a PowerShell script that maps the drives in the procedural code side. These drive mappings are heavily used by the users, and we were seeing multiple users per week who put characters in their password that are rejected when using net use and passing the password.

We thought about making a wrapper script in batch that contains the powershell code and writes it to a file, then executes it using the cmdline suggested above by @LesFerch -- however, in the quick testing we did, sometimes the cleanup actions did not occur correctly leaving the ps1 preserved in the temp folder containing a plain text password and username. The cleanup does not fail when it is a single shot PS1, but we are struggling to get Windows 11 to stop opening PS1 files in notepad. We may have come up with a way to get around this today, but it needs even further testing. The fact that the single simple registry entry to execute PS1 files with powershell instead of notepad does not work on Windows 10 is beyond frustrating.

Edit: The execution policy is being set using normal group policy settings for execution policy and is set to bypass on these machines. The issue is that the .ps1 file is being opened in Notepad and nothing we change seems to consistently cause it to be executed in Powershell when it is run. We are using SCCM to deploy the image and group policy to deploy all the settings for the machines, the shared account, bypass ctrl+alt+del, auto login to windows, settings for the 3rd party GINA software, etc.
 

You didn't use the SetUserFTA answer provided the first time you asked this question.
Code:
ftype Microsoft.PowerShellScript.1="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -ExecutionPolicy Bypass -f "%1"
SetUserFTA.exe .ps1 Microsoft.PowerShellScript.1

This action causes *.ps1 files to automatically run when called from a prompt, or Explorer. If you want to hide the PS pop-up window, then change the ftype argument to a silent wrapper VBScript which passes along command parameters.
 

You didn't use the SetUserFTA answer provided the first time you asked this question.
Code:
ftype Microsoft.PowerShellScript.1="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -ExecutionPolicy Bypass -f "%1"
SetUserFTA.exe .ps1 Microsoft.PowerShellScript.1

This action causes *.ps1 files to automatically run when called from a prompt, or Explorer. If you want to hide the PS pop-up window, then change the ftype argument to a silent wrapper VBScript which passes along command parameters.
I'll take that, I deserve that response. I forgot I had even posted before. Sorry about that, and thanks for sharing. We found another solution we are testing as well. We have two avenues now. Thank you.
 

Circling back to this forum thread. We continue to experience issues. I tried the SetUserFTA and a PowerShell script from Github. Now we are seeing that the file associations are being reverted periodically after they are applied. We had this setup to run at user logon with the program and the PS1. We have extensively checked the group policy applied to the machine, and cannot find anything that would revert this. It continues to revert to Notepad.
 

On a test system, re-run the FTA change and confirm it works. Now do "gpupdate /force", does that immediately revert the file association? That won't tell you where, but it will confirm it's forced by your domain policies.
 

Doing that reverts it. There is nothing in GPO after looking line by line that would revert it. We even tried unlinking policies that are applying app association XMLs and confirming they aren't linked in a test area. Our Microsoft ticket has been escalated 14 times and is still with an engineer who is trying to tell us "just have your users click and set it by hand".

Edit: Setting default apps via XML in Windows 11 (the policy that sets Edge as the default app) without PS1 in the list seems to be making this revert.
 
Your MS support team has never read this article?
How to configure file associations for IT Pros

Try adding another line to your domain's XML, to prevent clobbering your settings on logon.
Code:
<Association ApplicationName="PowerShell Script" ProgId="Microsoft.PowerShellScript.1" Identifier=".ps1"/>
 

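The XML check suggested in the reply above, as an added read-only diagnostic (not code from this thread or from Microsoft's article). It assumes the XML is deployed through the GPO "Set a default associations configuration file", and it changes nothing; run it in the session of an affected user.

```powershell
# Added diagnostic, not code from this thread: reports which ProgId currently owns
# .ps1 for this user, what HKCR maps it to, and whether a Default Associations
# policy XML is deployed that lacks a .ps1 entry (the combination the reply above
# points at as the cause of the reset to Notepad). Read-only.
function Get-Ps1AssociationState {
    param([string]$Extension = '.ps1')

    $state = [ordered]@{ Extension = $Extension }

    # Per-user choice that Explorer honours on double-click
    $uc = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice" -ErrorAction SilentlyContinue
    $state.UserChoiceProgId = if ($uc) { $uc.ProgId } else { $null }

    # Machine-wide default ProgId and the command it runs
    $state.HkcrProgId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    $state.OpenCommand = if ($state.HkcrProgId) {
        (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$($state.HkcrProgId)\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }

    # GPO "Set a default associations configuration file" (Computer Configuration >
    # Administrative Templates > Windows Components > File Explorer) stores the XML
    # path in this registry value.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $state.PolicyXml      = $pol.DefaultAssociationsConfiguration
    $state.PolicyHasEntry = $null
    $state.PolicyProgId   = $null

    if ($state.PolicyXml -and (Test-Path -LiteralPath $state.PolicyXml)) {
        [xml]$doc = Get-Content -LiteralPath $state.PolicyXml -Raw
        $entry = @($doc.DefaultAssociations.Association) | Where-Object { $_.Identifier -eq $Extension }
        $state.PolicyHasEntry = [bool]$entry
        if ($entry) { $state.PolicyProgId = $entry.ProgId }
    }

    # Verdict in plain words
    $state.Assessment = if (-not $state.PolicyXml) {
        'No default-associations policy found; look elsewhere for what resets the association.'
    } elseif ($state.PolicyHasEntry -eq $false) {
        "Policy XML has no $Extension entry; add <Association ApplicationName=`"PowerShell Script`" ProgId=`"Microsoft.PowerShellScript.1`" Identifier=`"$Extension`"/>."
    } elseif ($state.PolicyHasEntry) {
        "Policy XML maps $Extension to $($state.PolicyProgId)."
    } else {
        'Policy XML path is set but the file is not reachable from this machine.'
    }

    [pscustomobject]$state
}

Get-Ps1AssociationState | Format-List
```

Running it before and after a "gpupdate /force" shows whether the UserChoice ProgId flips while the policy XML stays the same.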
We have to find a way to make this work, or we are looking at other uglier processes like making a .bat wrapper that echos the powershell to a file and then executes it, then deletes the ps1, etc.
Is there some reason this has to be a single file solution? If multiple files can be used then it seems having a little launcher (batch file, vbscript, jscript, etc.) would be the easiest solution. If you need a single file solution, what about wrapping it up in a self-extracting archive? Then it's just one Exe that can self-cleanup and it's still easy to maintain.
 

Circling back to this discussion. We used the FTA script. We tried implementing in the logon script, the file association regularly resets to notepad. Certain computers stick, others reset every few minutes. It seems like .ps1 is protected by Microsoft, and it wants to reset to Notepad.

I tried setting the FTA to run as part of the login process inside the software we are using that impersonates user logon but the FTA script takes so long (~7-10 seconds) to run that it is still running when the powershell discussed below gets executed.

The script we are running is echoed to a file by a piece of software that impersonates user logon. A service account is logged into windows to make logins "instant". Use of this software is not optional.

The PowerShell script has a here-string in it, and the plain text password of the user is inserted into the here-string, converted to a secure string and used to run drive mappings as the user who logged into the computer, not the service account.

When the process fails to run, notepad opens and displays the script including username and password in plain text and the cool new notepad on Windows 11 holds tabs open of the script (which gets deleted) and keeps them cached indefinitely until manually dealt with.

We cannot use CMD because net use has character limitations when they are passed and batch files don't have here-strings, so any number of characters break execution, or result in no drive mappings, or result in user account lockouts.
 

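The here-string handling described in the post above, as an added example of the script body such a launcher could write (not the thread's or the vendor's code). It assumes the launcher substitutes the username, password and share paths where the placeholders are, and it only limits exposure when PowerShell actually runs the file; it does nothing about the case where the file is opened by Notepad instead.

```powershell
# Added example, not code from this thread or from the login software: the user's
# password arrives inside a single-quoted here-string, which is literal text, so
# quotes, $, ` and other characters that break `net use` or a -Command one-liner
# are taken as-is. The plaintext is converted to a SecureString, our reference to
# it is dropped, and the script file removes itself in a finally block even when a
# mapping fails, so a failed run leaves nothing on disk for Notepad to show.
# Username, password and share paths below are constructed placeholders.

$userName = 'CONTOSO\jdoe'   # placeholder for the vendor's username variable
$plain    = @'
p@ss"word'with$odd`chars
'@
# placeholder share paths; the here-string keeps every character literally and
# only a line consisting of just '@ could terminate it early
$shares = @{ 'H' = '\\fileserver\home\jdoe'; 'S' = '\\fileserver\shared' }

try {
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ($userName, $secure)
    # .NET strings are immutable, so this drops our reference rather than
    # scrubbing memory; it still keeps the plaintext out of later error output.
    $plain = $null

    foreach ($letter in $shares.Keys) {
        if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) {
            Remove-PSDrive -Name $letter -Force -ErrorAction SilentlyContinue
        }
        # -Persist with -Scope Global gives an Explorer-visible mapped drive, the
        # equivalent of net use, but the credential travels as an object rather
        # than as a string that cmd has to parse.
        New-PSDrive -Name $letter -PSProvider FileSystem -Root $shares[$letter] `
            -Credential $cred -Persist -Scope Global -ErrorAction Stop | Out-Null
    }
}
catch {
    # Report the share, never the credential, so logs cannot leak the password.
    Write-Warning "Mapping $letter to $($shares[$letter]) failed: $($_.Exception.Message)"
}
finally {
    # PowerShell has already parsed the whole file, so the script can delete
    # itself; this runs whether or not the mappings succeeded.
    if ($PSCommandPath -and (Test-Path -LiteralPath $PSCommandPath)) {
        Remove-Item -LiteralPath $PSCommandPath -Force -ErrorAction SilentlyContinue
    }
}
```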
The fact that it gets reset implies there's an overriding GPO policy somewhere. A non-domain PC won't experience this behavior.

Now if you're admitting some PC's get reset, and others don't, then I would look up the group (or user) memberships and try tracking down what are the policy differences for them.
 

We cannot use CMD because net use has character limitations when they are passed and batch files don't have here string so any number of characters breaks execution, or results in no drive mappings, or results in user account lockouts.
Couldn't you use Cmd just as a launcher for the PowerShell script? Then you can run PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File yourscript.ps1 without having to deal with the file association.

I see I asked this twice before and received no answer.
 

Couldn't you use Cmd just as a launcher for the PowerShell script? Then you can run PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File yourscript.ps1 without having to deal with the file association.

I see I asked this twice before and received no answer.
He replied with this:
We cannot use CMD because net use has character limitations when they are passed and batch files don't have here string so any number of characters breaks execution, or results in no drive mappings, or results in user account lockouts.
 

My Computers

System One System Two

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ideapad flex 14API 2 in 1
    CPU
    Ryzen 5 3500u
    Motherboard
    LENOVO LNVNB161216 (FP5)
    Memory
    12GB DDR4
    Graphics Card(s)
    AMD Radeon Vega 8 Graphics
    Hard Drives
    256 GB Samsung ssd nvme
    Internet Speed
    800mbps down, 20 up
    Other Info
    Your awesome for reading this.
  • Operating System
    Chrome OS
    Computer type
    Laptop
    Memory
    4GB
    Browser
    Chrome ;)
He replied with this:
Yes, I read that and interpret that to mean they cannot use Cmd (i.e. a batch file) to replace the PowerShell script. But I have yet to see an explanation why they cannot launch the PowerShell script from a batch file, VBS script, JS script, or a custom exe (which is dead simple to write).
 

Couldn't you use Cmd just as a launcher for the PowerShell script? Then you can run PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File yourscript.ps1 without having to deal with the file association.

I see I asked this twice before and received no answer.
The script is being generated by the software that replaces the login/log off GINA on Windows. This software generates the script, writes to a file temporarily, and executes it, then deletes it. The problem that created the need for Powershell is because of using a here string to get around characters like ' or " and others that break the string and script in line. The here string does not appear to work with any type of wrapper I've done, such as creating a long string variable in batch and executing powershell passing the variable, or using a findstr | powershell - to pass in the code, described here: Batch launching PowerShell with a multiline command parameter

The software being discussed here is called Imprivata. It allows HID prox badges to be used to log users in. When they tap a badge reader the software uses complex scripts to impersonate user login.
 

This software generates the script, writes to a file temporarily, and executes it, then deletes it.
Is it not possible to have that software execute the script via powershell.exe? It has no option other than running the PS1 file?
 

Unfortunately, your options are: "Run as command line" limited to one liners and the code is broken by ' or " in the string you want to execute, or "Write to a file with ____ file extension and execute" (equivalent to double click from what we've been able to figure). There are vendor specific variables that you can use to insert username and password of the person who badged into the computer (or logged in manually). Vendor says custom scripting supported but they will not assist good luck have fun.

Microsoft tickets for the PS1 reset went nowhere after literal months of punting internally at MS.

All machines with this software have identical GPOs and are in subOUs of the top level where all GPOs needed are applied.

Problem happens on Windows 11 but not on Windows 10. We used to use a registry change to set PS1 to execute with PowerShell instead of Notepad on Windows 10 but that does not work on Windows 11.
 

I saw that you mentioned a batch file wrapper that echoed the PowerShell command to a file, but have you tried one of the many PS1-in-a-batch-file solutions? There are versions that run in the current context as well as ones that self-elevate. I assume you only need to run in the current context, so that should be an easy solution. Here are some examples:


 
