What are AppLocker Policies on Windows?
According to Microsoft's definition: "AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers."
So AppLocker on Windows gives admins granular control over which programs can run on the system. (In this writeup we only cover one scenario: AppLocker policies configured to block PowerShell by preventing the execution of "powershell.exe".)
AppLocker Policy Blocking PowerShell:
1.) AppLocker Policies can be configured to block execution of programs such as Command Prompt (cmd.exe) and PowerShell (powershell.exe) to prevent users from having command shell access on the system.
2.) Most AppLocker policies configured to block PowerShell do so by blocking the execution of "powershell.exe".
3.) Blocking just powershell.exe via AppLocker policies will not prevent users from executing system commands via PowerShell.
What is powershell.exe?
1.) powershell.exe itself loads and uses "System.Management.Automation.dll" to interpret and execute PowerShell commands and scripts.
2.) powershell.exe is just the host; at its core it uses the .NET assembly "System.Management.Automation.dll".
3.) This means that even if powershell.exe is blocked, if we can interact with "System.Management.Automation.dll", we can execute PowerShell commands.
4.) We will assume here that the AppLocker policies have been configured in a way that allows execution of custom compiled EXEs from some directory paths.
5.) Usually these are paths like "C:\Users\Public".
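The precondition described above (powershell.exe denied by name while an allow rule covers a user-writable path) can be checked for in an exported policy. The script below is an added example, not code from the original writeup; the sample policy XML, rule names, GUIDs and the list of user-writable prefixes are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an exported AppLocker policy (not from the writeup).
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Block PowerShell" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Allow Public tools" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="C:\Users\Public\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Assumption: path prefixes a standard user can write to; extend for your environment.
USER_WRITABLE_PREFIXES = ("%osdrive%\\users\\", "c:\\users\\")


def exe_path_rules(policy_xml):
    """Yield (action, rule name, path) for path rules in enforced Exe collections."""
    root = ET.fromstring(policy_xml)
    for coll in root.iter("RuleCollection"):
        if coll.get("Type") != "Exe" or coll.get("EnforcementMode") != "Enabled":
            continue
        for rule in coll.iter("FilePathRule"):
            # Only the rule's own conditions, not paths listed under <Exceptions>.
            for cond in rule.findall("Conditions/FilePathCondition"):
                yield rule.get("Action"), rule.get("Name"), cond.get("Path", "")


def audit(policy_xml):
    """Report deny rules naming powershell.exe and allow rules on user-writable paths."""
    rules = list(exe_path_rules(policy_xml))
    denies = [n for a, n, p in rules
              if a == "Deny" and p.lower().endswith("\\powershell.exe")]
    writable = [(n, p) for a, n, p in rules
                if a == "Allow" and p.lower().startswith(USER_WRITABLE_PREFIXES)]
    # The gap exists when the host binary is blocked by name but arbitrary
    # EXEs can still be started from a location users can write to.
    return {"powershell_exe_denied": denies,
            "allow_rules_on_user_writable_paths": writable,
            "gap": bool(denies and writable)}


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

To run it against a real host, pass the output of `Get-AppLockerPolicy -Effective -Xml` to `audit()` instead of the sample.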
How can we abuse this?
Custom C# program to interact with "System.Management.Automation.dll" (note that the code we use here is PoC-level and can be extended as required):
1.) We can write a custom C# program.
2.) That will directly use "System.Management.Automation.dll" to execute PowerShell commands.
3.) A simple C# program to achieve this is given below (raw code: here):

Compiling the C# code:
#) Make sure that the .NET SDK is installed on the system (https://dotnet.microsoft.com/download). Compilation can be done using the commands below:
The standalone EXE can now be transferred to and run on systems to execute PowerShell commands, even when powershell.exe is blocked from executing (example below).

© 2025 Vrikodar