How to change PowerShell mode to fulllanguage mode from constrained mode?

35,278

Solution 1

The lock down policy isn't available in PowerShell v2. You can check if you have a Group Policy applied to your machine by running from an administrative command prompt:

gpresult /v 

You can search the output for PowerShell to find PowerShell related group policies that may be applied to the system by a system administrator.

You can check if

$Env:__PSLockdownPolicy

If configured, a setting of 8 = Full language mode. This could be configured in the registry at HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment\__PSLockdownPolicy

If you can't find what is locking down PowerShell, launch ProcMon and set a filter:

  • Operation is RegQueryValue Include
  • Process Name is PowerShell.exe Include
  • Process Name is PowerShell_Ise.exe Include
  • Result is SUCCESS

Then launch PowerShell. You can look through the keys that are loaded and check the Details column for what the value is set to. Through this approach you can identify any registry configuration locking down PowerShell. If the lockdown is applied by Group Policy you can delete the key to temporarily enable it, but once Group Policy re-applies, the setting will come back if it is not changed at the administration level.

Solution 2

I was having issues with this too, but in my case I was the administrator that had set this policy to test, and couldn't get it removed. I found out that when I was using it in conjunction with AppLocker Script Rules, it was setting it to ConstrainedLanguage, because of this:

Since version 5, PowerShell recognizes automatically whether it should switch to Constrained Language mode based on script rules. To do so, it creates a module and a script (with a name following the pattern __PSSCRIPTPOLICYTEST_LQU1DAME.3DD.PS1) under $env:temp and tries to execute them. If AppLocker or another tool blocks this attempt, PowerShell starts in Constrained Language mode.

Source: https://4sysops.com/archives/mitigating-powershell-risks-with-constrained-language-mode/
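The checks from both answers combined into one read-only diagnostic, as an added example that is not part of either answer. The function name is hypothetical, and treating a value of 4 as ConstrainedLanguage is an assumption that does not come from this page.

```powershell
# Added example, not from either answer. Uses only cmdlets and property reads,
# so it also runs inside a ConstrainedLanguage session.
function Get-LanguageModeDiagnosis {   # hypothetical helper name
    $name    = '__PSLockdownPolicy'
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

    # Value inherited by this process vs. the machine-wide value in the registry
    $envItem  = Get-Item -Path "Env:\$name" -ErrorAction SilentlyContinue
    $regItem  = Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue
    $envValue = if ($envItem) { $envItem.Value } else { $null }
    $regValue = if ($regItem) { $regItem.$name } else { $null }

    # Solution 2: enforced AppLocker script rules make PowerShell 5+ start constrained
    $scriptRules = 'AppLocker cmdlets not available'
    if (Get-Command -Name Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $scriptRules = 'NotConfigured'
        $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
        foreach ($collection in $policy.RuleCollections) {
            if ($collection.RuleCollectionType -eq 'Script') {
                $scriptRules = "$($collection.EnforcementMode)"
            }
        }
    }

    $mode  = "$($ExecutionContext.SessionState.LanguageMode)"
    $cause = 'None found by this check'
    if ($mode -ne 'FullLanguage') {
        # 8 = full language per Solution 1; 4 = ConstrainedLanguage is an assumption
        if ($envValue -eq '4') { $cause = "$name is 4 in this process" }
        elseif ($scriptRules -eq 'Enabled') { $cause = 'AppLocker script rules are enforced' }
        else { $cause = 'Another policy or tool; search gpresult /v output' }
    }

    @{
        LanguageMode         = $mode
        EnvironmentValue     = $envValue
        RegistryValue        = $regValue
        AppLockerScriptRules = $scriptRules
        LikelyCause          = $cause
    }
}

Get-LanguageModeDiagnosis
```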

Author by

HappyFreddie

Updated on June 06, 2020

Comments

  • HappyFreddie
    HappyFreddie almost 4 years

    When I open PS or PSISE, they are both in ConstrainedLanguage mode, which I do not expect.

    I don't know why it's ConstrainedLanguage. Two days ago only PSISE was in constrained mode and PS was in FullLanguage mode. Now, after I restarted my computer, both of them are in constrained mode, and it's bothering me because I really need to use the full mode.

    I've tried to start PS as admin, not working. Tried to create a new environment variable __PSLockdownPolicy and set it to 1 or 0, still not working.

    I tried "powershell.exe -version 2", and it's FullLanguage, but version 2 is too old for me to use some advanced modules.

    PS C:\windows\system32> $ExecutionContext.SessionState.LanguageMode
    ConstrainedLanguage
    
    PS C:\windows\system32> $ExecutionContext.SessionState.LanguageMode = 'fulllanguage'
    Cannot set property. Property setting is supported only on core types in this language mode.
    At line:1 char:1
    + $ExecutionContext.SessionState.LanguageMode = 'fulllanguage'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : PropertySetterNotSupportedInConstrainedLanguage
    
    

    I expect I can open the PS in fulllanguage mode. Thanks for all your help!

  • HappyFreddie
    HappyFreddie over 4 years
    It turns out my administrator set the language mode to constrained mode. It has nothing to do with my computer or system. Thanks for your help anyway :)
  • Malcolm McCaffery
    Malcolm McCaffery over 4 years
    Yes, this is why I said to check gpresult, as it will show you if an administrator is configuring this. If you have local admin you can change the policy at least temporarily through the registry editor, but it will reapply every few hours and may be considered a violation of your company policy. Technically, exemptions can be created for the policy, but that is up to your administrators.