My “getting started” series ran out of steam a bit partly because I didn’t get much feedback on them — maybe you’re not interested, or maybe it wasn’t easy enough, or was just too confusing. In any case, I want to put up at least this one last post to suggest that you get the PowerShell Code Repository set up, and to show you the final version of my profile script and how it loads the various pieces it needs, and then I’ll send you on your way.

Once you’ve got your PowerShell all installed and have set up your first profile to auto-load … you’re going to want some scripts (well, maybe you’ll want to learn more about how to use PowerShell, but go with me on this)!

One of the best places to look for scripts is the PowerShell Code Repository, and although you can browse and search on the website, you can also do it using the PoshCode module (or the version 1 compatible script). These scripts include a Get-PoshCode cmdlet which you can use with search terms to get a list of scripts and cmdlets back, or with numeric IDs to download scripts (you’ll see what I mean later on, for now, go ahead and grab the appropriate version of that script).

I’m going to assume you put it into your AutoModules folder. If you grabbed the module, it should be saved to WindowsPowerShell\AutoModules\PoshCode\PoshCode.psm1 otherwise, to WindowsPowerShell\AutoModules\PoshCode.ps1 … but you may have run into a minor problem if you load the .ps1 version ). Both the module and the script are signed, but they are signed by my self-issued code signing certificate which your computer almost certainly doesn’t trust… You can use the signature to verify that the file hasn’t been modified since I signed it, but that’s about all (and even that’s a bit of a trick). To actually use the script (module), you’ll need to sign the script yourself (see the steps and how to get a certificate in part 2).

If you’re on CTP2, this would be a good time to get my Authenticode script module to help with signing, and to learn a little about those PoshCode cmdlets …

Using PoshCode to get a module.

Create a folder in your AutoModules folder named “Authenticode” ... and then inside it, try running Get-PoshCode Authenticode … You should get a list of 3 or more versions of my script, entitled “Get/Set Signature (CTP2)”. You want the latest version, so pick the one with the biggest number for the ID, and run Get-PoshCode 464. That should download it and save it. You’ll be able to load it using Add-Module (since Add-Module in the current CTP doesn’t care about code-signing), but first you need to create a settings file (it will tell you how, if you try to load it without setting it). change the CertificateThumbprint that’s set in the first line of code in that script — set it to the thumbprint of your personal code-signing cert (which you’ve hopefully imported into your certificate store).


#requires -version 2.0
cd $ProfileDir\AutoModules
mkdir Authenticode | cd # Skip this line if you're on v1
Get-PoshCode Authenticode | ft Id, Title, Author, Description -auto
# assuming the first hit is the newest one ... hit the up arrow, and add:
Get-PoshCode "Authenticode Signature CTP2" | select -first 1 | Get-PoshCode

# Make a subdirectory for your LANGUAGE
mkdir en | cd
# And create a PowerShell Data file with my cert path ...
# I loaded my certificate into my user store, but you can use a pfx file
new-item Authenticode.psd1 -type file -value '"Cert:\CurrentUser\My\F05F583BB5EA4C90E3B9BF1BDD0B657701245BD5"'

# Load the module...
Add-Module Authenticode
 

Now you’ll be able to sign without specifying the certificate each time, and you’ll be able to pipe files in too, so you could, for instance, sign all the script files in a whole folder tree like:


ls $ProfileDir\AutoModules\* -recurse -include *.ps1,*.ps1xml | Set-AuthenticodeSignature
 

So, here’s what I do.

First of all, I don’t actually put .ps1 scripts into the AutoModules folder, I have a separate AutoScripts folder, and I dot-source scripts from there, as well as loading ps1xml format files from it. I also specifically use a series of scripts there: Aliases.ps1, Variables.ps1, and EyeCandy.ps1. I assume that the functions of the first two are obvious, the last one is a modified version of the PSCX prompt and MOTD script to modify my prompt and startup message.

On top of the PoshCode script module and the Authenticode script module I mentioned earlier, which I use for signing and resigning, and the new CTP2 version of the PowerTab script module, I also use a source build of the upcoming PSCX 1.2 release (which needs a bunch of scripts to be useful, so I just renamed their 3-line profile.ps1 to PSCX.psm1 and stuffed the whole build with all it’s sub-folders into my WindowsPowerShell\AutoModules\PSCX). I also preload my PoshHttp module for downloading files from the web, and I a couple of functions (ellipsis and Get-PerformanceHistory).

Almost everything else I use I write into scripts (I even use the in-line cmdlet syntax to get full-power parameter parsing in a script file) which I put in directories by category inside my main WindowsPowerShell\Scripts directory (in my profile directory, and add to my path so that I can just run a script named “Get-GUID.ps1” by typing Get-GUID on the command-line.

Here’s the profile script off my laptop as an example — I basically use the same profile on all my PCs, and make changes to the “Variables” scripts on each PC to differentiate them. In fact, I have a sub-directory of my “WindowsPowerShell\Scripts” called “Work” which I even keep around at home (although I practically never use those scripts at home — they’re mostly for resetting servers and doing db queries, and only work from home when my VPN connection is up). Let me know if you have any questions. ;)

Incidentally, I use “RemoteSigned for my Execution Policy — I wish there were a way to require signing for just my profile, because then this system would basically protect me from tampering with my auto-run scripts. However, I’m actually comfortable not worrying about it any more than I worry about viruses replacing the executable for Notepad++ on my thumbdrive or something — I do realize that this profile script could be simplified a lot if I replaced the signature checking with just using the “AllSigned” policy … but there’s two major problems with that:

  1. I’m a PowerShell-ed developer — I spend a lot of time editing scripts and running them, and re-signing scripts that I’m working on (even though it’s just a matter of typing “sign” before I run a script) becomes an annoyance, such that if I were working in that environment, I’d inevitably have a “Sign-and-Run” script, which would really make me less secure, rather than more — for the average user, I do think that if you’re not writing scripts yourself on a daily basis, you should consider using AllSigned.
  2. PowerShell 2 CTP2 doesn’t check signatures on modules, so even if I have it set to all-signed, it will load script modules and will let you dot-source any script using the add-module command, so I’d have to avoid modules altogether to really be 100% secure.

# Set the profile directory first, so we can refer to it for the rest of the script...
Set-Variable ProfileDir  (Split-Path $MyInvocation.MyCommand.Path -Parent) -Scope Global -Option AllScope

cd $ProfileDir
# I have a JOIN function I need for massaging path variables ...
function join {
   param    ( [string]$sep, [string]$append, [string]$prepend )
   begin    { $ofs = $sep; [string[]]$items =  @($prepend.split($sep)) }
   process  { $items += $_ }
   end      { $items += @($append.split($sep)); return "$($items -ne '')" }
}

## If we're on version two, we HAVE to set the PsPackagePath (it doesn't matter on v1)
$ENV:PSPACKAGEPATH = "$ProfileDir\AutoModules;$ProfileDir\Modules" #| join ";" -append $ENV:PSPACKAGEPATH
## We also want to add our scripts directory to the path
$ENV:PATH = Get-ChildItem $ProfileDir\Script[s],$ProfileDir\Scripts\*  | ? { $_.PsIsContainer } | % { $_.FullName } | Join ";" -append $ENV:PATH

## Now, preload any module in AutoModules that is signed ...
###################################################################################################
#####  NOTE:   There's a bug which prevents signing or checking psm1 files
#####          We work around that bug by using this module called "Authenticode" which
#####          Wraps the Get/Set cmdlets in scripts that check psm1 by renaming them to ps1
Add-Module Authenticode
#####          Now we can check signatures on .psm1 files ...
#####          As long as they're in locations where we can rename them without problems
## One last exception case:
## If PSCX is available, load that FIRST, because others may depend on it.
Add-Module PSCX -EA "SilentlyContinue"

## Now automatically Add-Module the module subfolders ....
Write-Host "AutoLoad Modules: " -Fore Cyan -NoNewLine
$AutoModuleErrors = @()
ForEach( $module in (Get-ChildItem $ProfileDir\AutoModules | ? { $_.PsIsContainer })) {
   # Write-Host "Test-Module $($module.Name) " -fore Yellow
   switch (ls "$($module.FullName)\*" -include "$($module.Name).psd1",
                                               "$($module.Name).ps1",
                                               "$($module.Name).psm1",
                                               "$($module.Name).dll" |
                                              sort {
                                                switch( [IO.Path]::GetExtension($_.Name) ) {
                                                   ".psd1" { 0 }
                                                   ".ps1"  { 1 }
                                                   ".psm1" { 2 }
                                                   ".dll"  { 3 }
                                                }
                                              } | Select -First 1 |
                                             Get-AuthenticodeSignature)
   {
      ## If they're signed and valid, Add-Module
      {  Test-Signature $_ } {
         Add-Module $module.Name
         Write-Host "$($module.Name) " -fore Cyan -NoNewLine
         continue
      }
      ## Otherwise, write an error, we don't want this to fail silently
      default {
         $Global:AutoModuleErrors += @("" | Select @{n="Name";e={$module.Name}},
                                                   @{n="Path";e={$_.Path}},
                                                   @{n="Error";e={$_.Status}},
                                                   @{n="StatusMessage";e={$_.StatusMessage}})
         Write-Host "$($module.Name) " -fore Red -NoNewLine
      }
   }
}
Write-Host

## And then, preload any script in AutoScripts that is signed ...
###################################################################################################
Write-Host "AutoLoad Scripts: " -Fore Green -NoNewLine
switch (Get-ChildItem $ProfileDir\AutoScripts\*.ps* -include *.ps1,*.ps1xml | Get-AuthenticodeSignature) {
   ## If they're signed and valid, load them based on type
   { Test-Signature $_ } {
      $Path = $_.Path
      switch ([IO.Path]::GetExtension($Path)) {
         ".ps1"    {
            Add-Module $Path
            Write-Host "$([IO.Path]::GetFileNameWithoutExtension($Path)) " -Fore Green -NoNewLine
         }
         ".ps1xml" { Update-TypeData -PrependPath $Path }
      }
      continue
   }
   ## Otherwise, write an error, we don't want this to fail silently
   default {
      $Name = $([IO.Path]::GetFileNameWithoutExtension($_.Path))
      $Global:AutoModuleErrors += @($_ | Select @{n="Name";e={$Name}},
                                                @{n="Error";e={$_.Status}},
                                                @{n="StatusMessage";e={$_.StatusMessage}},
                                                @{n="Path";e={$_.Path}})
      Write-Host "$Name " -fore Red -NoNewLine
   }
}
Write-Host
# Write out the error messages if we missed loading any modules
if($AutoModuleErrors) {
   $AutoModuleErrors | Format-Table * -auto | Out-Host
}