{
	"id": "511b6f60-4950-42a4-8492-f7a3ab290eed",
	"created_at": "2026-04-06T00:08:43.065581Z",
	"updated_at": "2026-04-10T03:20:22.710431Z",
	"deleted_at": null,
	"sha1_hash": "649bb7a736c2a2d0c814fd9ccee8f18e3bd051d3",
	"title": "about_PowerShell_exe - PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97587,
	"plain_text": "about_PowerShell_exe - PowerShell\r\nBy sdwheeler\r\nArchived: 2026-04-05 19:28:01 UTC\r\nSHORT DESCRIPTION\r\nExplains how to use the powershell.exe command-line interface. Displays the command-line parameters and\r\ndescribes the syntax.\r\nLONG DESCRIPTION\r\nFor information about the command-line options for PowerShell 7, see about_Pwsh.\r\nSyntax\r\nPowerShell[.exe]\r\n [-PSConsoleFile \u003cfile\u003e | -Version \u003cversion\u003e]\r\n [-NoLogo]\r\n [-NoExit]\r\n [-Sta]\r\n [-Mta]\r\n [-NoProfile]\r\n [-NonInteractive]\r\n [-InputFormat {Text | XML}]\r\n [-OutputFormat {Text | XML}]\r\n [-WindowStyle \u003cstyle\u003e]\r\n [-EncodedArguments \u003cBase64EncodedArguments\u003e]\r\n [-EncodedCommand \u003cBase64EncodedCommand\u003e]\r\n [-ConfigurationName \u003cstring\u003e]\r\n [-File - | \u003cfilePath\u003e \u003cargs\u003e]\r\n [-ExecutionPolicy \u003cExecutionPolicy\u003e]\r\n [-Command - | { \u003cscript-block\u003e [-args \u003carg-array\u003e] }\r\n | { \u003cstring\u003e [\u003cCommandParameters\u003e] } ]\r\nPowerShell[.exe] -Help | -? | /?\r\nParameters\r\nAll parameters are case-insensitive.\r\n-File - | \u003cfilePath\u003e \u003cargs\u003e\r\nhttps://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand\r\nPage 1 of 6\n\nThe value of File can be - or a filepath and optional parameters. If the value of File is - , then commands are\r\nread from standard input.\r\nIf the value of File is a filepath, the script runs in the local scope (\"dot-sourced\") of the new session, so that the\r\nfunctions and variables that the script creates are available in that new session. Enter the script filepath and any\r\nparameters. File must be the last parameter in the command. All values typed after the File parameter are\r\ninterpreted as the script filepath and parameters passed to that script. For example: -File .\\Get-Script.ps1 -\r\nDomain Central\r\nTypically, the switch parameters of a script are either included or omitted. For example, the following command\r\nuses the All parameter of the Get-Script.ps1 script file: -File .\\Get-Script.ps1 -All\r\nIn rare cases, you might need to provide a Boolean value for a parameter. It isn't possible to pass an explicit\r\nboolean value for a switch parameter when running a script in this way. This limitation was removed in\r\nPowerShell 6 ( pwsh.exe ).\r\nParameters passed to the script are passed as literal strings, after interpretation by the current shell. For example, if\r\nyou are in cmd.exe and want to pass an environment variable value, you would use the cmd.exe syntax:\r\npowershell.exe -File .\\test.ps1 -TestParam %windir%\r\nIn contrast, running powershell.exe -File .\\test.ps1 -TestParam $Env:windir in cmd.exe results in the\r\nscript receiving the literal string $Env:windir because it has no special meaning to the current cmd.exe shell.\r\nThe $Env:windir style of environment variable reference can be used inside a Command parameter, since there\r\nit's interpreted as PowerShell code.\r\nSimilarly, if you want to execute the same command from a Batch script, you would use %~dp0 instead of .\\\r\nor $PSScriptRoot to represent the current execution directory: pwsh -File %~dp0test.ps1 -TestParam\r\n%windir% . If you use .\\test.ps1 instead, PowerShell throws an error because it can't find the literal path\r\n.\\test.ps1\r\nNote\r\nThe File parameter can't support scripts using a parameter that expects an array of argument values. This,\r\nunfortunately, is a limitation of how a native command gets argument values. When you call a native executable\r\n(such as powershell or pwsh ), it doesn't know what to do with an array, so it's passed as a string.\r\nIf the value of File is - , then commands are read from standard input. Running powershell -File - without\r\nredirected standard input starts a regular session. This is the same as not specifying the File parameter at all.\r\nWhen reading from standard input, the input statements are executed one statement at a time as though they were\r\ntyped at the PowerShell command prompt. If a statement doesn't parse correctly, the statement isn't executed. The\r\nprocess exit code is determined by status of the last (executed) command. With successful execution, the exit code\r\nis always 0 . When the script file terminates with an exit command, the process exit code is set to the numeric\r\nargument used with the exit command.\r\nSimilar to -Command , when a script-terminating error occurs, the exit code is set to 1 . However, unlike with -\r\nCommand , when the execution is interrupted with Ctrl+C the exit code is 0 . For more information, see\r\nhttps://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand\r\nPage 2 of 6\n\n$LASTEXITCODE in about_Automatic_Variables.\r\n-Command\r\nThe value of Command can be - , a script block, or a string. If the value of Command is - , the command text\r\nis read from standard input.\r\nThe Command parameter only accepts a script block for execution when it can recognize the value passed to\r\nCommand as a ScriptBlock type. This is only possible when running powershell.exe from another PowerShell\r\nhost. The ScriptBlock type may be contained in an existing variable, returned from an expression, or parsed by\r\nthe PowerShell host as a literal script block enclosed in curly braces ( {} ), before being passed to\r\npowershell.exe .\r\npowershell -Command {Get-WinEvent -LogName Security}\r\nIn cmd.exe , there is no such thing as a script block (or ScriptBlock type), so the value passed to Command is\r\nalways a string. You can write a script block inside the string, but instead of being executed it behaves exactly as\r\nthough you typed it at a typical PowerShell prompt, printing the contents of the script block back out to you.\r\nA string passed to Command is still executed as PowerShell code, so the script block curly braces are often not\r\nrequired in the first place when running from cmd.exe . To execute an inline script block defined inside a string,\r\nthe call operator \u0026 can be used:\r\npowershell.exe -Command \"\u0026 {Get-WinEvent -LogName Security}\"\r\nIf the value of Command is a string, Command must be the last parameter for pwsh, because all arguments\r\nfollowing it are interpreted as part of the command to execute.\r\nWhen called from within an existing PowerShell session, the results are returned to the parent shell as deserialized\r\nXML objects, not live objects. For other shells, the results are returned as strings.\r\nIf the value of Command is - , the commands are read from standard input. You must redirect standard input\r\nwhen using the Command parameter with standard input. For example:\r\n@'\r\n\"in\"\r\n\"hi\" |\r\n % { \"$_ there\" }\r\n\"out\"\r\n'@ | powershell -NoProfile -Command -\r\nThis example produces the following output:\r\nhttps://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand\r\nPage 3 of 6\n\nin\r\nhi there\r\nout\r\nWhen reading from standard input, the input is parsed and executed one statement at a time, as though they were\r\ntyped at the PowerShell command prompt. If the input code doesn't parse correctly, the statement isn't executed.\r\nUnless you use the -NoExit parameter, the PowerShell session exits when there is no more input to read from\r\nstandard input.\r\nThe process exit code is determined by status of the last (executed) command within the input. The exit code is\r\n0 when $? is $true or 1 when $? is $false . If the last command is an external program or a\r\nPowerShell script that explicitly sets an exit code other than 0 or 1 , that exit code is converted to 1 for\r\nprocess exit code. Similarly, the value 1 is returned when a script-terminating (runspace-terminating) error, such\r\nas a throw or -ErrorAction Stop , occurs or when execution is interrupted with Ctrl+C.\r\nTo preserve the specific exit code, add exit $LASTEXITCODE to your command string or script block. For more\r\ninformation, see $LASTEXITCODE in about_Automatic_Variables.\r\n-ConfigurationName \u003cstring\u003e\r\nSpecifies a configuration endpoint in which PowerShell is run. This can be any endpoint registered on the local\r\nmachine including the default PowerShell remoting endpoints or a custom endpoint having specific user role\r\ncapabilities.\r\n-EncodedArguments \u003cBase64EncodedArguments\u003e\r\nAccepts a Base64-encoded string version command arguments. Use this parameter to submit arguments that\r\nrequire complex, nested quoting. The Base64 representation must be a UTF-16LE encoded string.\r\n-EncodedCommand \u003cBase64EncodedCommand\u003e\r\nAccepts a base-64-encoded string version of a command. Use this parameter to submit commands to PowerShell\r\nthat require complex quotation marks or curly braces. The string must be formatted using UTF-16LE character\r\nencoding.\r\n-ExecutionPolicy \u003cExecutionPolicy\u003e\r\nSets the default execution policy for the current session and saves it in the $Env:PSExecutionPolicyPreference\r\nenvironment variable. This parameter does not change the PowerShell execution policy that's set in the registry.\r\nFor information about PowerShell execution policies, including a list of valid values, see\r\nabout_Execution_Policies.\r\n-InputFormat {Text | XML}\r\nhttps://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand\r\nPage 4 of 6\n\nDescribes the format of data sent to PowerShell. Valid values are Text (text strings) or XML (serialized\r\nCLIXML format).\r\n-Mta\r\nStarts PowerShell using a multi-threaded apartment. This parameter is introduced in PowerShell 3.0. In\r\nPowerShell 2.0, multi-threaded apartment (MTA) is the default. In PowerShell 3.0, single-threaded apartment\r\n(STA) is the default.\r\n-NoExit\r\nDoesn't exit after running startup commands.\r\n-NonInteractive\r\nThis switch is used to create sessions that shouldn't require user input. This is useful for scripts that run in\r\nscheduled tasks or CI/CD pipelines. Any attempts to use interactive features, like Read-Host or confirmation\r\nprompts, result in statement terminating errors rather than hanging.\r\n-NoLogo\r\nHides the copyright banner at startup.\r\n-NoProfile\r\nDoesn't load the PowerShell profile.\r\n-OutputFormat {Text | XML}\r\nDetermines how output from PowerShell is formatted. Valid values are Text (text strings) or XML (serialized\r\nCLIXML format).\r\n-PSConsoleFile \u003cFilePath\u003e\r\nLoads the specified PowerShell console file. Enter the path and name of the console file. To create a console file,\r\nuse the Export-Console cmdlet in PowerShell.\r\n-Sta\r\nStarts PowerShell using a single-threaded apartment. In Windows PowerShell 2.0, multi-threaded apartment\r\n(MTA) is the default. In Windows PowerShell 3.0, single-threaded apartment (STA) is the default.\r\n-Version \u003cPowerShell Version\u003e\r\nStarts the specified version of PowerShell. Valid values are 2.0 and 3.0. The version that you specify must be\r\ninstalled on the system. If Windows PowerShell 3.0 is installed on the computer, \"3.0\" is the default version.\r\nOtherwise, \"2.0\" is the default version. For more information, see Installing PowerShell.\r\nhttps://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand\r\nPage 5 of 6\n\n-WindowStyle \u003cWindow style\u003e\r\nSets the window style for the session. Valid values are Normal , Minimized , Maximized , and Hidden .\r\n-Help, -?, /?\r\nDisplays help for powershell.exe . If you are typing a powershell.exe command in a PowerShell session,\r\nprepend the command parameters with a hyphen ( - ), not a forward slash ( / ). You can use either a hyphen or\r\nforward slash in cmd.exe .\r\nTroubleshooting note: In PowerShell 2.0, starting some programs from the PowerShell console fails with a\r\nLastExitCode of 0xc0000142.\r\nExamples\r\n# Create a new PowerShell session and load a saved console file\r\nPowerShell -PSConsoleFile sqlsnapin.psc1\r\n# Create a new PowerShell V2 session with text input, XML output, and no logo\r\nPowerShell -Version 2.0 -NoLogo -InputFormat text -OutputFormat XML\r\n# Execute a PowerShell Command in a session\r\nPowerShell -Command \"Get-EventLog -LogName Security\"\r\n# Run a script block in a session\r\nPowerShell -Command {Get-EventLog -LogName Security}\r\n# An alternate way to run a command in a new session\r\nPowerShell -Command \"\u0026 {Get-EventLog -LogName Security}\"\r\n# To use the -EncodedCommand parameter:\r\n$command = \"dir 'C:\\Program Files' \"\r\n$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)\r\n$encodedCommand = [Convert]::ToBase64String($bytes)\r\npowershell.exe -EncodedCommand $encodedCommand\r\nSource: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encode\r\ndcommand-base64encodedcommand\r\nhttps://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand"
	],
	"report_names": [
		"about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand"
	],
	"threat_actors": [],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/649bb7a736c2a2d0c814fd9ccee8f18e3bd051d3.pdf",
		"text": "https://archive.orkl.eu/649bb7a736c2a2d0c814fd9ccee8f18e3bd051d3.txt",
		"img": "https://archive.orkl.eu/649bb7a736c2a2d0c814fd9ccee8f18e3bd051d3.jpg"
	}
}