Microsoft released a document explaining why signed PowerShell Cmdlets are slow

by ·

Developers or enterprise IT administrators who often use Powershell may have found that some commands are executed very quickly but some are slow to execute. Judging by experience alone, it is hard to imagine why some commands are executed very slowly, so developers often post in the Microsoft community to ask questions. Recently, Microsoft has written a new document to explain this problem. Simply put, if the developer’s network connection is poor, the execution of the command will encounter slow problems.

PowerShell Core

Microsoft said that all security-contained Powershell cmdlet commands must be connected to the Microsoft server authentication certificate when executed. Although it is only about 50KB to request a trusted certificate list downloaded by the server, if the user has an abnormal situation on the network, the file cannot be downloaded normally. Of course, based on the actual situation, when the list of trusted certificates cannot be downloaded, it will be downgraded to local authentication, that is, the latest verification list is discarded from the server. This process can last for tens of seconds or minutes, which is why developers may experience delays in executing problems when executing signed commands.

The certificate library link that needs to be downloaded online is as follows:

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

If the network connection of the developer’s environment is very poor or even no network, then you can consider using Group Policy to prohibit network verification for each run.

The configuration path is as follows:

  1. Under the Computer Configuration node in Local Group Policy Editor, double-click Policies.
  2. Double-click Windows Settings, double-click Security Settings, and then double-click Public Key Policies.
  3. In the details pane, double-click Certificate Path Validation Settings.
  4. Select the Network Retrieval tab, select the Define these policy settings check box, and then clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.
  5. Select OK, and then close Local Group Policy Editor.

After this setting, the Microsoft Root Certificate Trust Library will not be able to perform automatic updates, so that the Powershell cmdlet command will not be verified when it is executed.

Via: bleepingcomputer

Tags: