Choco: Chocolatey broken after KB4343909. dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement.

Created on 4 Jan 2019  ·  6 Comments  ·  Source: chocolatey/choco

### What You Are Seeing?
The specific error message (happens for any/all packages including installation of Chocolatey):

```
The specified module 'C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1' was not loaded because no valid module file was found in any module directory.
ERROR: This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement.
```

This happens after the August 14th 2018 KB4343909 update from Microsoft on Windows 10. Here's a clip from the TechNet article describing the changes to default PowerShell behavior.

_"Addresses a vulnerability related to the Export-Modulemember() function when used with a wildcard (*) and a dot-sourcing script. After installing this update, existing modules on devices that have Device Guard enabled will intentionally fail. The exception error is “This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement.” For more information, see https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2018-8200 and https://aka.ms/PSModuleFunctionExport."_

### What is Expected?
Script to execute, software to install, anything!

### How Did You Get This To Happen? (Steps to Reproduce)
When PowerShell runs in Constrained Language mode. Enabling AppLocker or deploying any sort of DeviceGuard policy will cause this to happen. I have not deployed any sort of DeviceGuard policy, but my AppLocker rules specifically allow scripts signed with Chocolatey certificate to run, which had been working well until this recent change by Microsoft. Below is an output of what happens when trying to run install.ps1 manually from the root of my OS volume. (downloaded from 'https://chocolatey.org/install.ps1')

### Output Log


```
Windows PowerShell transcript start
Start time: 20181219113212
Username:
RunAs User:
Configuration Name:
Machine: REDACTEDPC (Microsoft Windows NT 10.0.17134.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 864
PSVersion: 5.1.17134.407
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.407
BuildVersion: 10.0.17134.407
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1

Transcript started, output file is C:\Users\user\Desktop\install.txt
PS C:\Users\user> Set-ExecutionPolicy bypass
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
&Yes Yes to &All &No No to A&ll &Suspend
A
PS C:\Users\user> C:\install.ps1
Getting latest version of the Chocolatey package for download.
Getting Chocolatey from https://chocolatey.org/api/v2/package/chocolatey/0.10.11.
Extracting C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip to C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall...
Installing chocolatey on this machine
The pipeline has been stopped.
+ CategoryInfo : OperationStopped: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : PipelineStopped
The pipeline has been stopped.
+ CategoryInfo : OperationStopped: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : PipelineStopped

Import-Module : The specified module
'C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1'
was not loaded because no valid module file was found in any module directory.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:61 char:3
+ Import-Module $installModule -Force
+ ~~~~~~~
    + CategoryInfo : ResourceUnavailable: (C:\Users\helpde...yInstaller.psm1:String) [Import-Module],
   FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
Import-Module : The specified module
'C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1'
was not loaded because no valid module file was found in any module directory.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:61 char:3
+ Import-Module $installModule -Force
+ ~~~~~~~
    + CategoryInfo : ResourceUnavailable: (C:\Users\helpde...yInstaller.psm1:String) [Import-Module], FileNot
   FoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

PS C:\Users\user> TerminatingError(Import-Module): "This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement."
Import-Module : This module uses the dot-source operator while exporting functions using wildcard characters, and this
is disallowed when the system is under application verification enforcement.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:61 char:3
+ Import-Module $installModule -Force
+ ~~~~~~~
    + CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId :
   Modules_SystemLockDown_CannotUseDotSourceWithWildCardFunctionExport,Microsoft.PowerShell.Commands.ImportModuleCommand
Import-Module : This module uses the dot-source operator while exporting functions using wildcard characters, and this
is disallowed when the system is under application verification enforcement.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:61 char:3
+ Import-Module $installModule -Force
+ ~~~~~~~
    + CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : Modules_SystemLockDown_CannotUseDotSourceWithWildCardFunctionExport,Microsoft.PowerShell
   .Commands.ImportModuleCommand

Install-ChocolateyEnvironmentVariable : The term 'Install-ChocolateyEnvironmentVariable' is not recognized as the name
of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:155 char:3
+ Install-ChocolateyEnvironmentVariable -variableName "$chocInstallVa ...
+ ~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Install-ChocolateyEnvironmentVariable:String) [],
   CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Install-ChocolateyEnvironmentVariable : The term 'Install-ChocolateyEnvironmentVariable' is not recognized as the name
of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:155 char:3
+ Install-ChocolateyEnvironmentVariable -variableName "$chocInstallVa ...
+ ~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Install-ChocolateyEnvironmentVariable:String) [], CommandNotFoundExcept
   ion
    + FullyQualifiedErrorId : CommandNotFoundException

Test-ProcessAdminRights : The term 'Test-ProcessAdminRights' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:156 char:7
+ if (Test-ProcessAdminRights) {
+ ~~~~~~~
    + CategoryInfo : ObjectNotFound: (Test-ProcessAdminRights:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Test-ProcessAdminRights : The term 'Test-ProcessAdminRights' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:156 char:7
+ if (Test-ProcessAdminRights) {
+ ~~~~~~~
    + CategoryInfo : ObjectNotFound: (Test-ProcessAdminRights:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Creating ChocolateyInstall as an environment variable (targeting 'User')
Setting ChocolateyInstall to 'C:\ProgramData\chocolatey'
WARNING: It's very likely you will need to close and reopen your shell
before you can use choco.
Install-ChocolateyEnvironmentVariable : The term 'Install-ChocolateyEnvironmentVariable' is not recognized as the name
of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:167 char:3
+ Install-ChocolateyEnvironmentVariable -variableName "$chocInstallVa ...
+ ~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Install-ChocolateyEnvironmentVariable:String) [],
   CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Install-ChocolateyEnvironmentVariable : The term 'Install-ChocolateyEnvironmentVariable' is not recognized as the name
of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:167 char:3
+ Install-ChocolateyEnvironmentVariable -variableName "$chocInstallVa ...
+ ~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Install-ChocolateyEnvironmentVariable:String) [], CommandNotFoundExcept
   ion
    + FullyQualifiedErrorId : CommandNotFoundException

Test-ProcessAdminRights : The term 'Test-ProcessAdminRights' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:211 char:9
+ if (!(Test-ProcessAdminRights)) {
+ ~~~~~~~
    + CategoryInfo : ObjectNotFound: (Test-ProcessAdminRights:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Test-ProcessAdminRights : The term 'Test-ProcessAdminRights' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:211 char:9
+ if (!(Test-ProcessAdminRights)) {
+ ~~~~~~~
    + CategoryInfo : ObjectNotFound: (Test-ProcessAdminRights:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Restricting write permissions to Administrators
We are setting up the Chocolatey package repository.
The packages themselves go to 'C:\ProgramData\chocolatey\lib'
(i.e. C:\ProgramData\chocolatey\lib\yourPackageName).
A shim file for the command line goes to 'C:\ProgramData\chocolatey\bin'
and points to an executable in 'C:\ProgramData\chocolatey\lib\yourPackageName'.

Creating Chocolatey folders if they do not already exist.
WARNING: You can safely ignore errors related to missing log files when
upgrading from a version of Chocolatey less than 0.9.9.
'Batch file could not be found' is also safe to ignore.
'The system cannot find the file specified' - also safe.
Test-ProcessAdminRights : The term 'Test-ProcessAdminRights' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:511 char:7
+ if (Test-ProcessAdminRights) {
+ ~~~~~~~
    + CategoryInfo : ObjectNotFound: (Test-ProcessAdminRights:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Test-ProcessAdminRights : The term 'Test-ProcessAdminRights' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:511 char:7
+ if (Test-ProcessAdminRights) {
+ ~~~~~~~
    + CategoryInfo : ObjectNotFound: (Test-ProcessAdminRights:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Install-ChocolateyPath : The term 'Install-ChocolateyPath' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:518 char:3
+ Install-ChocolateyPath -pathToInstall "$chocolateyExePath" -pathTyp ...
+ ~~~~~~
    + CategoryInfo : ObjectNotFound: (Install-ChocolateyPath:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Install-ChocolateyPath : The term 'Install-ChocolateyPath' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:518 char:3
+ Install-ChocolateyPath -pathToInstall "$chocolateyExePath" -pathTyp ...
+ ~~~~~~
    + CategoryInfo : ObjectNotFound: (Install-ChocolateyPath:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

The pipeline has been stopped.
+ CategoryInfo : OperationStopped: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : PipelineStopped
The pipeline has been stopped.
+ CategoryInfo : OperationStopped: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : PipelineStopped

Import-Module : The specified module 'C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1' was not loaded
because no valid module file was found in any module directory.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:120 char:3
+ Import-Module "$realModule" -Force
+ ~~~~~~~~~~
    + CategoryInfo : ResourceUnavailable: (C:\ProgramData...yInstaller.psm1:String) [Import-Module],
   FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
Import-Module : The specified module 'C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1' was not loaded
because no valid module file was found in any module directory.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:120 char:3
+ Import-Module "$realModule" -Force
+ ~~~~~~~~~~
    + CategoryInfo : ResourceUnavailable: (C:\ProgramData...yInstaller.psm1:String) [Import-Module], FileNot
   FoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

PS C:\Users\user> TerminatingError(Import-Module): "This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement."
Import-Module : This module uses the dot-source operator while exporting functions using wildcard characters, and this
is disallowed when the system is under application verification enforcement.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:120 char:3
+ Import-Module "$realModule" -Force
+ ~~~~~~~~~~
    + CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId :
   Modules_SystemLockDown_CannotUseDotSourceWithWildCardFunctionExport,Microsoft.PowerShell.Commands.ImportModuleCommand
Import-Module : This module uses the dot-source operator while exporting functions using wildcard characters, and this
is disallowed when the system is under application verification enforcement.
At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:120 char:3
+ Import-Module "$realModule" -Force
+ ~~~~~~~~~~
    + CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : Modules_SystemLockDown_CannotUseDotSourceWithWildCardFunctionExport,Microsoft.PowerShell
   .Commands.ImportModuleCommand

WARNING: Not setting tab completion: Profile file does not exist at '\user\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'.
Chocolatey (choco.exe) is now ready.
You can call choco from anywhere, command line or powershell by typing choco.
Run choco /? for a list of functions.
You may need to shut down and restart powershell and/or consoles
first prior to using choco.
Ensuring chocolatey commands are on the path
Ensuring chocolatey.nupkg is in the lib folder
PS C:\Users\user> Stop-Transcript

Windows PowerShell transcript end
End time: 20181219113236
```




0 - Backlog Enhancement Security
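
The condition named in the error message (a module that dot-sources scripts and also exports functions by wildcard) can be checked statically before a module reaches a machine under application verification enforcement. The following is an added example, not code from the Chocolatey project or from this issue; `Test-ModuleExportPattern` and both sample module texts are constructed for illustration.

```powershell
function Test-ModuleExportPattern {
    param([Parameter(Mandatory)][string]$ModuleText)

    # Parse only; the module text is never executed.
    $tokens = $null; $parseErrors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ModuleText, [ref]$tokens, [ref]$parseErrors)

    # Every command invocation, including those inside nested script blocks.
    $commands = $ast.FindAll({ param($node)
        $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    # Dot-sourcing is a command invoked with the '.' operator.
    $dotSourced = @($commands | Where-Object {
        $_.InvocationOperator -eq [System.Management.Automation.Language.TokenKind]::Dot })

    # Export-ModuleMember calls whose -Function value contains a wildcard.
    $wildcardExports = @(foreach ($cmd in $commands) {
        if ($cmd.GetCommandName() -ne 'Export-ModuleMember') { continue }
        $current = 'Function'    # -Function is the first positional parameter
        foreach ($element in ($cmd.CommandElements | Select-Object -Skip 1)) {
            if ($element -is [System.Management.Automation.Language.CommandParameterAst]) {
                $current = $element.ParameterName
                $element = $element.Argument    # set only for the -Name:value form
                if ($null -eq $element) { continue }
            }
            if ('Function' -notlike "$current*") { continue }
            $strings = $element.FindAll({ param($node)
                $node -is [System.Management.Automation.Language.StringConstantExpressionAst] }, $true)
            foreach ($s in $strings) {
                if ([System.Management.Automation.WildcardPattern]::ContainsWildcardCharacters($s.Value)) {
                    $cmd.Extent.Text
                }
            }
        }
    } | Select-Object -Unique)

    [pscustomobject]@{
        DotSourceCount        = $dotSourced.Count
        WildcardExports       = $wildcardExports
        MatchesBlockedPattern = ($dotSourced.Count -gt 0) -and ($wildcardExports.Count -gt 0)
    }
}

# Constructed sample: dot-sources helper scripts and exports functions with '*'.
$wildcardModule = @'
Get-ChildItem "$PSScriptRoot\functions\*.ps1" | ForEach-Object { . $_.FullName }
Export-ModuleMember -Function * -Alias *
'@

# Constructed sample: same loading, but the exported functions are named explicitly.
$explicitModule = @'
Get-ChildItem "$PSScriptRoot\functions\*.ps1" | ForEach-Object { . $_.FullName }
Export-ModuleMember -Function 'Get-Widget', 'Set-Widget' -Alias 'gw'
'@

Test-ModuleExportPattern -ModuleText $wildcardModule
Test-ModuleExportPattern -ModuleText $explicitModule
```

The check only reads literal `-Function` arguments; a module that builds its export list in a variable needs manual review.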

All 6 comments

@Degrader I assume I can turn on Device Guard in any version of Windows 10?

@ferventcoder I believe just Pro and Enterprise? The issue can be replicated by placing PowerShell in constrained language mode

```
PS C:\> $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
```

> I believe just Pro and Enterprise?

@ferventcoder @Degrader Device Guard is only supported in Windows 10 Enterprise / Education and Windows Server 2016+.

@pauby thank you! I forget they actually put some distance between their professional and enterprise/education offerings this time round.

We are currently using Windows 10 Education

Has this been downgraded?

Whilst this issue was reported a year ago I was running choco ok fine however it's just started for me as well.
OS Name Microsoft Windows 10 Pro
Version 10.0.17763 Build 17763
