PowerShell Extension v2020.3.0 breaks with AppLocker #1221

Closed
johlju opened this issue Mar 6, 2020 · 31 comments
Labels
Area-Startup Issue-Enhancement A feature request (enhancement).


@johlju

johlju commented Mar 6, 2020

We are allowing scripts and executables in the extension folder to be run in %OSDRIVE%\USERS\%USER%\.VSCODE\EXTENSIONS. The below error happens with the new version, but this does work with the previous version. As a workaround we have reverted back to the previous version for now.

Exception encountered starting EditorServices. Exception logged in D:\a\1\s\src\PowerShellEditorServices.Hosting\Commands\StartEditorServicesCommand.cs on line 247 in EndProcessing:
System.Management.Automation.CmdletInvocationException: Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator. ---> System.NotSupportedException: Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator.
   --- Slut på stackspårning för interna undantag ---
   vid System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   vid System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   vid System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   vid System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   vid System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   vid Microsoft.PowerShell.EditorServices.Hosting.EditorServicesLoader.LogPowerShellDetails()
   vid Microsoft.PowerShell.EditorServices.Hosting.EditorServicesLoader.LogHostInformation()
   vid Microsoft.PowerShell.EditorServices.Hosting.EditorServicesLoader.LoadAndRunEditorServicesAsync()
   vid Microsoft.PowerShell.EditorServices.Commands.StartEditorServicesCommand.EndProcessing()
2020-03-06 10:31:05 [NORMAL] - Visual Studio Code v1.42.1 64-bit
2020-03-06 10:31:05 [NORMAL] - PowerShell Extension v2020.3.0
2020-03-06 10:31:05 [NORMAL] - Operating System: Windows 64-bit
2020-03-06 10:31:05 [NORMAL] - Language server starting --
2020-03-06 10:31:05 [NORMAL] -     PowerShell executable: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
2020-03-06 10:31:05 [NORMAL] -     PowerShell args: -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Import-Module 'c:\Users\johlju\.vscode\extensions\ms-vscode.powershell-2020.3.0\modules\PowerShellEditorServices\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2020.3.0' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'c:\Users\johlju\.vscode\extensions\ms-vscode.powershell-2020.3.0\modules' -EnableConsoleRepl -LogLevel 'Normal' -LogPath 'c:\Users\johlju\.vscode\extensions\ms-vscode.powershell-2020.3.0\logs\1583487065-bd4cd06b-756f-42c5-b413-6b485a2b237b1583487062238\EditorServices.log' -SessionDetailsPath 'c:\Users\johlju\.vscode\extensions\ms-vscode.powershell-2020.3.0\sessions\PSES-VSCode-13336-569282' -FeatureFlags @() 
2020-03-06 10:31:05 [NORMAL] -     PowerShell Editor Services args: Import-Module 'c:\Users\johlju\.vscode\extensions\ms-vscode.powershell-2020.3.0\modules\PowerShellEditorServices\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2020.3.0' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'c:\Users\johlju\.vscode\extensions\ms-vscode.powershell-2020.3.0\modules' -EnableConsoleRepl -LogLevel 'Normal' -LogPath 'c:\Users\johlju\.vscode\extensions\ms-vscode.powershell-2020.3.0\logs\1583487065-bd4cd06b-756f-42c5-b413-6b485a2b237b1583487062238\EditorServices.log' -SessionDetailsPath 'c:\Users\johlju\.vscode\extensions\ms-vscode.powershell-2020.3.0\sessions\PSES-VSCode-13336-569282' -FeatureFlags @() 
2020-03-06 10:31:05 [NORMAL] - powershell.exe started.
2020-03-06 10:31:05 [NORMAL] - Waiting for session file
2020-03-06 10:33:05 [NORMAL] - Error occurred retrieving session file
2020-03-06 10:33:05 [NORMAL] - Language server startup failed.
2020-03-06 10:33:05 [ERROR] - The language service could not be started: 
2020-03-06 10:33:05 [ERROR] - Timed out waiting for session file to appear.

If you need more debug information let us know.

@ghost ghost added the Needs: Triage Maintainer attention needed! label Mar 6, 2020
@rjmholt
Contributor

rjmholt commented Mar 6, 2020

The PowerShell extension doesn't yet support constrained language mode. There's a fair amount more work to be done to make it possible.

Duplicate of #754.

@ghost ghost added the Needs: Maintainer Attention Maintainer attention needed! label Mar 6, 2020
@johlju
Author

johlju commented Mar 6, 2020

Just to be clear, the prior version did work and has worked in our corporate environment. This just broke in the latest release. But I understand that this is part of a larger issue, as you mentioned.

@rjmholt
Contributor

rjmholt commented Mar 6, 2020

> the prior version did work

Ah, sorry to hear that. That's certainly unexpected that it worked.

@johlju
Author

johlju commented Mar 6, 2020

We made exceptions for a very limited number of dev workstations for PowerShell development. On those we are allowing scripts and executables in the extension folder to be run in %OSDRIVE%\USERS\%USER%\.VSCODE\EXTENSIONS, but those exceptions seem not to be enough any longer since we get the "dot-sourced" error.

@rjmholt
Contributor

rjmholt commented Mar 6, 2020

> since we get the "dot-sourced" error

The error comes from a C# invocation like this:

PowerShell.Create().AddScript("$PSVersionTable").Invoke()

I imagine the dot sourcing is implicit, but in some cases I think we need the execution results to happen in the invoking context. We currently use similar invocations throughout the codebase.

@daxian-dbw @PaulHigin is there any way to allow running inline scripts from C# in constrained language mode? Like being able to specify the language mode of the script being invoked?

@PaulHigin

I don't believe anything has changed with PowerShell running under AppLocker. It should continue to run in FullLanguage mode for approved directory locations. Is it possible that the AppLocker policy changed? @TravisEz13 is more familiar with AppLocker than I, and may be able to help.

@rjmholt
Contributor

rjmholt commented Mar 9, 2020

> I don't believe anything has changed with PowerShell running under AppLocker

Well this is for Windows PowerShell, so I suspect it's our usage that's changed.

The question is though, is it possible to invoke PowerShell from C# in a trusted way? This is inline PowerShell script, so it doesn't live anywhere on the file system.

@PaulHigin

No, we currently don't support signed script blocks, so any inline script is considered untrusted and will run in ConstrainedLanguage mode if AppLocker is enforcing system lock down.

@AndyH16

AndyH16 commented Mar 10, 2020

We're experiencing this same error (with AppLocker enabled on our network). Downgrading to 2010.1.0 and disabling extension updates works for now. It does still come up with the warning regarding dot-sourcing/language mode but doesn't cause the Terminal window to crash/close, like 2020.3.0 does.

@jotrueck

Looks like I am also affected by this problem. AppLocker is essential for our client and server security concept. So we need to solve this in a secure way.

@mverbaas

I have the same/similar issue:
Exception encountered starting EditorServices. Exception logged in D:\a\1\s\src\PowerShellEditorServices.Hosting\Commands\StartEditorServicesCommand.cs on line 247 in EndProcessing:
System.Management.Automation.CmdletInvocationException: Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator. ---> System.NotSupportedException: Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator.
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection1 input, PSDataCollection1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection1 input, PSDataCollection1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
at Microsoft.PowerShell.EditorServices.Hosting.EditorServicesLoader.LogPowerShellDetails()
at Microsoft.PowerShell.EditorServices.Hosting.EditorServicesLoader.LogHostInformation()
at Microsoft.PowerShell.EditorServices.Hosting.EditorServicesLoader.LoadAndRunEditorServicesAsync()
at Microsoft.PowerShell.EditorServices.Commands.StartEditorServicesCommand.EndProcessing()

@TylerLeonhardt TylerLeonhardt added Area-Startup Issue-Enhancement A feature request (enhancement). and removed Needs: Maintainer Attention Maintainer attention needed! Needs: Triage Maintainer attention needed! labels Mar 19, 2020
@TylerLeonhardt
Member

Just to get you folks unblocked here are some steps on how to rollback to the last version:
https://docs.microsoft.com/en-us/powershell/scripting/components/vscode/using-vscode?view=powershell-7#using-an-older-version-of-the-powershell-extension-for-windows-powershell-v3-and-v4

We want to do more work here to support Constrained Language Mode, which will allow us to support AppLocker as well. Apologies for this interruption in your dev process and thanks for your understanding!

@ghost ghost added the Needs: Maintainer Attention Maintainer attention needed! label Mar 23, 2020
@TylerLeonhardt TylerLeonhardt removed the Needs: Maintainer Attention Maintainer attention needed! label Mar 23, 2020
@TylerLeonhardt
Member

Can those of you who are unblocked by reverting to an old version please run this in the PowerShell Integrated Console and tell me what you see:

$Host.Runspace.SessionStateProxy.LanguageMode

It will be incredibly helpful.

@ghost ghost added the Needs: Maintainer Attention Maintainer attention needed! label Apr 22, 2020
@mverbaas

> Can those of you who are unblocked by reverting to an old version please run this in the PowerShell Integrated Console and tell me what you see:
>
> $Host.Runspace.SessionStateProxy.LanguageMode
>
> It will be incredibly helpful.

The result is “FullLanguage” with mine.

@AndyH16

AndyH16 commented Apr 22, 2020

> > Can those of you who are unblocked by reverting to an old version please run this in the PowerShell Integrated Console and tell me what you see:
> >
> > $Host.Runspace.SessionStateProxy.LanguageMode
> >
> > It will be incredibly helpful.
>
> The result is “FullLanguage” with mine.

Yep, same for me, "FullLanguage".

@SeeminglyScience
Collaborator

Follow up, what does the ISE give for the same result? ConstrainedLanguage or the same?

@AndyH16

AndyH16 commented Apr 22, 2020

> Follow up, what does the ISE give for the same result? ConstrainedLanguage or the same?

My ISE says "ConstrainedLanguage"

@johlju
Author

johlju commented Apr 23, 2020

PowerShell Integrated Console in VSCode
PS C:\ > $Host.Runspace.SessionStateProxy.LanguageMode
FullLanguage

ISE
PS C:\> $Host.Runspace.SessionStateProxy.LanguageMode
ConstrainedLanguage

@TylerLeonhardt
Member

Can you give this a go in the PowerShell Preview extension? A fix just went out with support for ConstrainedLanguage mode.

@TylerLeonhardt TylerLeonhardt removed the Needs: Maintainer Attention Maintainer attention needed! label Apr 28, 2020
@johlju
Author

johlju commented Apr 29, 2020

The extension starts without throwing, but I cannot debug a script. Running the following script (F5) throws an error. This does work in the previous extension.

We are using Windows PowerShell 5.1 if that makes any difference.

function TestFunction
{
    'Hello'
}

TestFunction

Throws:

C:\<redacted>\TestPSExtension.ps1 : Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator.
    + CategoryInfo          : InvalidOperation: (:) [TestPSExtension.ps1], NotSupportedException
    + FullyQualifiedErrorId : DotSourceNotSupported,TestPSExtension.ps1

Also, as a side note (might be a different issue). The preview extension asks to replace the PackageManagement module which throws an error too. But probably does not affect this issue.

PackageManagement\Install-Package : An error has occurred while loading script module PackageManagement because it has a different language mode than the module manifest. The manifest language mode is ConstrainedLanguage and the module language mode is FullLanguage. Ensure all module files are signed or otherwise part of your application allow list configuration.

@ghost ghost added the Needs: Maintainer Attention Maintainer attention needed! label Apr 29, 2020
@TylerLeonhardt
Member

@johlju can you open a separate issue about PackageManagement

@TylerLeonhardt
Member

TylerLeonhardt commented Apr 29, 2020

@johlju Now about debugging... Can you share what language mode the PowerShell Integrated Console is?

Can you also attach the logs here so we can get a better idea of what's going on?

@johlju
Author

johlju commented Apr 30, 2020

=====> PowerShell Preview Integrated Console v2020.4.3 <=====

PS > $Host.Runspace.SessionStateProxy.LanguageMode
ConstrainedLanguage
PS >

I have sent the logs through the provided e-mail so I didn't have to redact anything that might be necessary to help resolve this.

@TylerLeonhardt
Member

@johlju if you remove your policy %OSDRIVE%\USERS\%USER%\.VSCODE\EXTENSIONS thus untrusting the extension... does F5 run your script?

@TylerLeonhardt TylerLeonhardt removed the Needs: Maintainer Attention Maintainer attention needed! label May 1, 2020
@johlju
Author

johlju commented May 5, 2020

We untrusted the path but the result is the same (took a while to verify since I myself am not a local admin, so I needed help from a colleague).

This shows that AppLocker is enabled (path is untrusted) on the path %OSDRIVE%\USERS\%USER%\.VSCODE\EXTENSIONS. Not allowed to run .Net [math]::sqrt(9):

PS C:\Users\johlju\.vscode\extensions> .\a.ps1
a
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At C:\Users\johlju\.vscode\extensions\a.ps1:2 char:1
+ [math]::sqrt(9)
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
    PathConditions      : {C:\Users\johlju\.vscode\*}
    PathExceptions      : {}
    PublisherExceptions : {}
    HashExceptions      : {}
    Id                  : 5be9484b-057f-4107-8463-b3ac61cc7e9c
    Name                : C:\Users\johlju\.vscode\
    Description         :
    UserOrGroupSid      : S-1-1-0
    Action              : Deny

And this is what outputs when running the test script in the previous comment from within VS Code. The same error as in the issue description.

C:\<redacted>\test.ps1 : Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator.
    + CategoryInfo          : InvalidOperation: (:) [test.ps1], NotSupportedException
    + FullyQualifiedErrorId : DotSourceNotSupported,test.ps1

Also the following error is shown in the AppLocker event log when the path is untrusted:

%OSDRIVE%\USERS\johlju\.VSCODE\EXTENSIONS\MS-VSCODE.POWERSHELL-PREVIEW-2020.4.3\MODULES\POWERSHELLEDITORSERVICES.VSCODE\POWERSHELLEDITORSERVICES.VSCODE.PSD1 was prevented from running.
%OSDRIVE%\USERS\johlju\.VSCODE\EXTENSIONS\MS-VSCODE.POWERSHELL-PREVIEW-2020.4.3\MODULES\PLASTER\1.1.3\PLASTER.PSD1 was prevented from running.
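
The three observations in the comment above (session language mode, the AppLocker script rules in effect, and the "was prevented from running" events) can be gathered in one pass. This is an added example, not code from the extension or from any participant in this thread; the function name `Get-ExtensionLockdownState`, its parameters, and the path fragment default are assumptions made for illustration.

```powershell
# Added diagnostic example; not part of the PowerShell extension or this thread.
# Assumption: the extension sits under the per-user ".vscode\extensions" folder,
# so AppLocker event text for it contains the fragment below.
function Get-ExtensionLockdownState {
    param(
        [string]$PathFragment = '\.VSCODE\EXTENSIONS\',  # matched case-insensitively
        [int]$MaxEvents = 200                            # newest events to scan
    )

    # Language mode of the session this runs in (the property queried in the thread).
    # Run it once in the Integrated Console and once in the ISE to compare.
    $mode = $Host.Runspace.SessionStateProxy.LanguageMode

    # Script rules from the effective (local + Group Policy) AppLocker policy.
    # Emitting each rule collection from ForEach-Object unrolls it into its rules.
    $policy = Get-AppLockerPolicy -Effective
    $scriptRules = $policy.RuleCollections |
        Where-Object { $_.RuleCollectionType -eq 'Script' } |
        ForEach-Object { $_ } |
        Select-Object Name, Action, UserOrGroupSid, PathConditions

    # AppLocker script events that mention the extension folder.
    # 8006 = would have been blocked (audit only), 8007 = prevented from running.
    $blocked = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
            Id      = 8006, 8007
        } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$PathFragment*" } |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        LanguageMode  = $mode
        ScriptRules   = @($scriptRules)
        BlockedEvents = @($blocked)
    }
}

$state = Get-ExtensionLockdownState
"Language mode : $($state.LanguageMode)"
"Script rules  : $($state.ScriptRules.Count)"
$state.ScriptRules   | Format-Table Name, Action, PathConditions -AutoSize
"Block events  : $($state.BlockedEvents.Count)"
$state.BlockedEvents | Format-List TimeCreated, Id, Message
```

A `ConstrainedLanguage` session combined with 8007 events for the extension's module manifests matches the situation reported in this comment, where modules loaded from the untrusted path are blocked.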

@TylerLeonhardt
Member

TylerLeonhardt commented May 6, 2020

I have a PR in that I think will help... I'll be doing another release next week of PowerShell Preview.

For now, if you want to rebind F5 to workbench.action.terminal.runActiveFile that should work for you.

This is also called "Run Active File in Active Terminal" in the command palette.

@johlju
Author

johlju commented May 7, 2020

Doing that runs the script successfully, but I cannot start the script in the debugger. The breakpoints are not hit. 😕

@TylerLeonhardt
Member

I'm curious... @johlju can you debug in the ISE? My understanding is that debugging was not allowed in CLM

@TylerLeonhardt TylerLeonhardt removed the Needs: Maintainer Attention Maintainer attention needed! label May 9, 2020
@TylerLeonhardt
Member

I published an update to the PowerShell Preview extension... this should allow F5 to run your code. Can you confirm?

Also, I'm very curious if you can debug in the ISE when under CLM.

@ghost ghost added the Needs: Maintainer Attention Maintainer attention needed! label May 13, 2020
@TylerLeonhardt TylerLeonhardt removed the Needs: Maintainer Attention Maintainer attention needed! label May 13, 2020
@TylerLeonhardt
Member

I'm going to close this for now since the extension starts up again... but we can continue the active discussion.

@ghost ghost added the Needs: Maintainer Attention Maintainer attention needed! label May 13, 2020
@TylerLeonhardt TylerLeonhardt removed the Needs: Maintainer Attention Maintainer attention needed! label May 13, 2020
@johlju
Author

johlju commented May 13, 2020

@TylerLeonhardt I will get back to you regarding the ISE tomorrow, been a busy week.

@ghost ghost added the Needs: Maintainer Attention Maintainer attention needed! label May 13, 2020
@TylerLeonhardt TylerLeonhardt removed the Needs: Maintainer Attention Maintainer attention needed! label May 13, 2020
8 participants