(#1703) Fix Chocolatey helper loading in Constrained Language Mode #3909

Open
SerWax wants to merge 2 commits into chocolatey:develop from SerWax:patch-2

SerWax commented Jun 3, 2026

Description Of Changes

Avoids wildcard module exports and wildcard command lookup by loading explicitly.

Motivation and Context

As-is, choco install/uninstall fail in Constrained Language Mode.
This allows Chocolatey helpers to load correctly when PowerShell is running in Constrained Language Mode under WDAC or AppLocker enforcement, where language mode cannot be changed.

Testing

Tested replacing chocolateyInstaller.psm1 with the changed version (self-signed with our cert) in Constrained Language Mode and verified that installations/uninstallations now work without throwing.
I've added an additional change that I had forgotten to push.

Step by step:

  • spin up any relatively recent version of Windows that is at least Pro. Tested on Windows Server 2025 and Windows 11 Enterprise but anything more recent than 8/2012 will behave similarly.
  • run secpol.msc
  • expand Application Control Policies
  • select AppLocker in the navigation tree
  • click on Configure rule enforcement
  • tick Configured under Script Rules and leave Enforce rules in the dropdown
  • select Script Rules in the navigation tree
  • add a PATH rule for %temp%* and for %temp%** -> this will configure Constrained Language Mode enforcement by preventing execution of self-testing Windows scripts
  • do not configure any other type of rule as they are out of scope for this test
  • sc.exe config appidsvc start=auto
  • Reboot
  • verify that AppLocker is working by manually attempting to run a .ps1 script from %temp%
  • open eventvwr.msc
  • navigate to Applications and Services Logs -> Microsoft -> Windows -> AppLocker -> MSI and Script
  • verify that the random PSSCRIPTPOLICYTEST are being blocked (i.e. %OSDRIVE%\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\2__PSSCRIPTPOLICYTEST_SFDLHUWG.GCQ.PS1 was prevented from running., %OSDRIVE%\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\2__PSSCRIPTPOLICYTEST_Q50PQDDK.GJX.PSM1 was prevented from running.): this is the mechanism that enforces Constrained Language mode (amongst other things) and prevents anyone from changing it
  • install chocolatey-2.7.2.0.msi
  • choco install
  • verify that it fails
  • replace "C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1" with the updated version
  • choco install should now complete

Operating Systems Testing

  • Windows 11
  • Windows Server 2025

Change Types Made

  • Bug fix (non-breaking change).
  • Feature / Enhancement (non-breaking change).
  • Breaking change (fix or feature that could cause existing functionality to change).
  • Documentation changes.
  • PowerShell code changes.

Change Checklist

Related Issue

Fixes #1703

Avoid wildcard module exports and wildcard command lookup in chocolateyInstaller.psm1 so helpers can load correctly in Constrained Language Mode.

CLAassistant commented Jun 3, 2026

CLA assistant check
All committers have signed the CLA.

@st3phhays

Member

Hey @SerWax thanks for this PR!

We’ll want to spend time carefully reviewing and validating the changes, including adding automated test coverage. I’m not able to give an ETA on review at the moment, but we appreciate you submitting this and your patience while we take a look.

corbob commented Jun 3, 2026

Member

@SerWax in addition to what @st3phhays mentioned, when we get to the point of being able to review it, having reproducible testing steps will be very helpful. In particular, steps that can be taken to demonstrate the issue, and then repeated with the change to verify it's been resolved.

As a quick example, I launched Windows Sandbox and opened PowerShell. In that window I attempted to enable Constrained Language mode by setting the property: $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage". Once that was set, I could not even install Chocolatey with the normal install.ps1 script as it uses Expand-Archive which doesn't work. I assume this means there's a little bit more involved than just enabling the language mode, and that is the type of steps that would be very helpful here.

SerWax commented Jun 3, 2026

Author

> @SerWax in addition to what @st3phhays mentioned, when we get to the point of being able to review it, having reproducible testing steps will be very helpful. In particular, steps that can be taken to demonstrate the issue, and then repeated with the change to verify it's been resolved.
>
> As a quick example, I launched Windows Sandbox and opened PowerShell. In that window I attempted to enable Constrained Language mode by setting the property: $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage". Once that was set, I could not even install Chocolatey with the normal install.ps1 script as it uses Expand-Archive which doesn't work. I assume this means there's a little bit more involved than just enabling the language mode, and that is the type of steps that would be very helpful here.

Hi Cory,
yes, I have found that to be the case, which is why I have installed using the MSI, which does not incur the same problem.
I would say that this pull request should selectively be verified regarding execution of chocolateyInstaller.psm1 and not preparation of the environment: if it were me I would test in an environment where Chocolatey is either installed by MSI or already installed, and tested specifically at the instance of choco install / choco uninstall, or any instance where chocolateyInstaller.psm1 is directly involved.

In such an instance, the issue should be easily reproducible by changing language mode to Constrained just before an install, with the official release's chocolateyInstaller.psm1 still in place, to see the error; then chocolateyInstaller.psm1 should be replaced with the updated version to verify that it now works: this is the test that I have performed.

A more comprehensive test would indeed be to have a system with Application Control properly enabled (by configuring a relatively restrictive WDAC or AppLocker that blocks the testing .ps1 in userspace as intended by Microsoft) so that the entire Chocolatey suite of possible operations can be verified: this would make you able to affirm that Chocolatey can work as a whole in Constrained Language Mode - but, while desirable, I would think that would be out of scope of this specific pull request.

Please let me know your preferred approach and I will prepare a testing environment if necessary.

Thank you for your immediate interest!

SerWax marked this pull request as draft June 4, 2026 19:50
SerWax marked this pull request as ready for review June 4, 2026 20:03

SerWax commented Jun 4, 2026

Author

I've added an additional change that I had forgotten to push.

Step by step:

  • spin up any relatively recent version of Windows that is at least Pro. Tested on Windows Server 2025 and Windows 11 Enterprise but anything more recent than 8/2012 will behave similarly.
  • run secpol.msc
  • expand Application Control Policies
  • select AppLocker in the navigation tree
  • click on Configure rule enforcement
  • tick Configured under Script Rules and leave Enforce rules in the dropdown
  • select Script Rules in the navigation tree
  • add a PATH rule for %temp%* and for %temp%** -> this will configure Constrained Language Mode enforcement by preventing execution of self-testing Windows scripts
  • do not configure any other type of rule as they are out of scope for this test
  • sc.exe config appidsvc start=auto
  • Reboot
  • verify that AppLocker is working by manually attempting to run a .ps1 script from %temp%
  • open eventvwr.msc
  • navigate to Applications and Services Logs -> Microsoft -> Windows -> AppLocker -> MSI and Script
  • verify that the random PSSCRIPTPOLICYTEST are being blocked (i.e. %OSDRIVE%\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\2__PSSCRIPTPOLICYTEST_SFDLHUWG.GCQ.PS1 was prevented from running., %OSDRIVE%\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\2__PSSCRIPTPOLICYTEST_Q50PQDDK.GJX.PSM1 was prevented from running.): this is the mechanism that enforces Constrained Language mode (amongst other things) and prevents anyone from changing it
  • install chocolatey-2.7.2.0.msi
  • choco install
  • verify that it fails
  • replace "C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1" with the updated version
  • choco install should now complete
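
A preflight check for the test bed described in the steps above, added here as an example and not part of the pull request or the Chocolatey code base: it reports the session language mode, the state of the Application Identity service, and whether AppLocker recently blocked the `__PSSCRIPTPOLICYTEST_` probe files. The function name `Test-ClmTestEnvironment` and the one-hour look-back are assumptions; event ID 8007 is the AppLocker "was prevented from running" event in the MSI and Script log.

```powershell
# Added example: confirms the AppLocker-enforced Constrained Language Mode
# test bed is in place before 'choco install' is attempted.
# The function name is hypothetical and not part of Chocolatey.
function Test-ClmTestEnvironment {
    [CmdletBinding()]
    param(
        # Assumption: AppLocker block events from the last hour are relevant.
        [int]$LookBackMinutes = 60
    )

    $logName = 'Microsoft-Windows-AppLocker/MSI and Script'
    $since   = (Get-Date).AddMinutes(-$LookBackMinutes)

    # An enforced session reports ConstrainedLanguage here.
    $mode = "$($ExecutionContext.SessionState.LanguageMode)"

    # AppLocker rules are only evaluated while the Application Identity
    # service (AppIDSvc) is running.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { "$($svc.Status)" } else { 'NotFound' }

    # Event ID 8007: a script or MSI "was prevented from running".
    # Keep only the PowerShell policy probe files named in the steps.
    $blocked = @(Get-WinEvent -FilterHashtable @{
            LogName   = $logName
            Id        = 8007
            StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*__PSSCRIPTPOLICYTEST_*' })

    [pscustomobject]@{
        LanguageMode     = $mode
        AppIdSvcStatus   = $svcStatus
        PolicyTestBlocks = $blocked.Count
        # Ready only when all three conditions from the steps hold.
        Ready            = ($mode -eq 'ConstrainedLanguage') -and
                           ($svcStatus -eq 'Running') -and
                           ($blocked.Count -gt 0)
    }
}

Test-ClmTestEnvironment | Format-List
```

A `LanguageMode` of `ConstrainedLanguage` with `PolicyTestBlocks` at 0 suggests the mode was set by hand in the session rather than enforced by policy, which is the weaker setup discussed earlier in the thread.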


4 participants