Troubleshooting: IIS PowerShell Module on Windows 7 RC

The first thing you need to know about the IIS PowerShell snap-in (or module) on Windows 7 is that you do not need to download and install it: in Windows 7 the snap-in is part of the default install of IIS. To use it with PowerShell in Windows 7 RC, you need to import the module. That sounds simple, but there is a problem. When you try to import the IIS module, which is named WebAdministration, you will most likely see the error below.

PS C:\Users\admin> Import-Module WebAdministration
Process should have elevated status to access IIS configuration data.

Fair enough. Since we are going to access the configuration data from IIS, we need elevated privileges. Let's try with elevated privileges.

PS C:\Windows\system32> Import-Module WebAdministration
Import-Module : File C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WebAdministration\WebAdministrationAliases.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.


Huh! Now, why did this happen? Let's try and troubleshoot. Windows PowerShell has a concept called "Execution Policy", which determines whether and how scripts run in PowerShell. By default, the execution policy in Windows 7 RC is set to "Restricted" ... Ouch. Restricted here means you will not be able to run any script (even the ones you write yourself). Why so severe? Don't know so can't answer. But for sure we wouldn't be working with that execution policy and would have to change it.

There are several levels of Execution Policy that you can set: Restricted, AllSigned, RemoteSigned and Unrestricted. The one we are going to work with is RemoteSigned. So, what is the RemoteSigned execution policy anyway? It means PowerShell will run any scripts that you write yourself, but will run scripts downloaded from the Internet only if those scripts have been signed by a trusted publisher. Sounds fair enough now, doesn't it?

To set RemoteSigned as the execution policy, run the following command.
> Set-ExecutionPolicy RemoteSigned

Let's try importing now.
PS C:\Windows\system32> Import-Module WebAdministration
Import-Module : The following error occurred while loading the extended type data file:
Microsoft.PowerShell, C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WebAdministration\iisprovider.types.ps1xml : File skipped because it was already present from "Microsoft.PowerShell".

No go even now :). If we try to execute any IIS cmdlet such as Get-Website, we get a "not recognised" cmdlet error. Here's how to solve the entire situation: close the PowerShell window, re-open it with elevated privileges, and enter Get-ExecutionPolicy:

> Get-ExecutionPolicy
RemoteSigned

That's good news ... no more Restricted. Let's try importing the IIS module yet again.

> Import-Module WebAdministration

No error. Success! Now let's try running a simple IIS cmdlet.

> Get-Website

Name             ID   State      Physical Path                  bindings
----             --   -----      -------------                  ---------
Default Web Site 1    Started    %SystemDrive%\inetpub\wwwroot  http *:80:

Problem Solved! However, to me this still looks like a workaround. Will let you know if and when I come across a solution to this. Till then, have fun!
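
The post resolves the errors by changing the policy and then importing in a fresh elevated session. As an added example (not from the original post), the following checks elevation and the effective execution policy before the first Import-Module call; Test-IisModulePreflight is a hypothetical helper name, and the script path is the one shown in the error message above.

```powershell
# Added example: pre-flight checks to run in a fresh session before importing.
# Test-IisModulePreflight is a hypothetical helper, not part of WebAdministration.
function Test-IisModulePreflight {
    $problems = @()

    # 1. IIS configuration data can only be read from an elevated process.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        $problems += 'Session is not elevated; start PowerShell with "Run as administrator".'
    }

    # 2. The module loads WebAdministrationAliases.ps1, so the effective
    #    execution policy must allow that script to run.
    $aliases = Join-Path $env:windir 'system32\WindowsPowerShell\v1.0\Modules\WebAdministration\WebAdministrationAliases.ps1'
    switch ("$(Get-ExecutionPolicy)") {
        'Restricted' {
            $problems += 'Execution policy is Restricted; no script can run.'
        }
        'AllSigned' {
            # Under AllSigned even local scripts need a valid signature.
            $sig = Get-AuthenticodeSignature $aliases -ErrorAction SilentlyContinue
            if ($sig.Status -ne 'Valid') {
                $problems += "Policy is AllSigned but the aliases script has signature status '$($sig.Status)'."
            }
        }
    }

    # Emit each problem as a string; the caller collects them with @(...).
    $problems
}

$problems = @(Test-IisModulePreflight)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    # Show which scope (machine, user, process) is setting the policy.
    Get-ExecutionPolicy -List | Format-Table -AutoSize
} else {
    Import-Module WebAdministration
    Get-Website
}
```

Running the checks first means Import-Module is only attempted once the session can actually load the module's scripts.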

2 Comments

  • See my blog for instructions for automation of this routine: blogs.iis.net/.../how-to-automate-windows-7-powershell-start-up-with-iis-module.aspx
    Sergei

  • Here is the blog how to start IIS module.
    blogs.iis.net/.../how-to-automate-windows-7-powershell-start-up-with-iis-module.aspx
    FYI, if you want to use AllSigned execution-policy instead of RemoteSigned and avoid the error message, another work-around is to sign the C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WebAdministration\WebAdministrationAliases.ps1 file as the following:
    1. Create a certificate using makecert.exe tool, which can be downloaded from Microsoft web site (www.microsoft.com/.../details.aspx) if you don’t have any certificate for signing PowerShell script files
    md %systemdrive%\PowershellCertificate
    makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
    makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
    2. Change the file owner for the WebAdministrationAliases.ps1 file from TrustedInstaller to local administrator and then give full permission to local administrator for the file using Explorer.exe
    3. Sign the WebAdministrationAliases.ps1 file with the newly created certificate or other existing certificate for PowerShell script files
    $targetfile = "$env:windir\system32\WindowsPowerShell\v1.0\Modules\WebAdministration\webadministrationaliases.ps1"
    Set-AuthenticodeSignature $targetfile @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0] ## supposing the first certificate is the newly created one
    4. Change execution policy to “AllSigned” if the current policy is “Restricted”
    Set-ExecutionPolicy AllSigned
    5. Import IIS module and there will be no error
    Import-module webadministration
