powershell.exe
PowerShell executable launched from CMD. Bypasses CMD-level restrictions by delegating to the PowerShell runtime.
Binary Paths
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Glob Patterns
| Pattern | Notes |
|---|---|
| `for /f %i in ('where powers*') do %i -nop -w hidden -c IEX(...)` | Star matches 'hell.exe' |
| `for /f %i in ('where power?hell.exe') do %i` | Wildcard replaces 's' |
| `for /f %i in ('where p*hell.exe') do %i` | Star matches 'owers' |
| `for /f %i in ('dir /b C:\Windows\System32\WindowsPowerShell\v1.0\power*.exe') do %i` | Full path dir glob |
| `forfiles /p C:\Windows\System32\WindowsPowerShell\v1.0 /m power*.exe /c "@file -nop -c whoami"` | forfiles * mask finds powershell.exe in its install directory — @file expands to matched filename |
| `C:\Windows\System32\WINDOW~1\v1.0\POWERS~1.EXE -nop -c whoami` | 8.3 SFN — WINDOW~1 for WindowsPowerShell, POWERS~1 for powershell.exe; requires NtfsDisable8dot3NameCreation=0 |
| `for %i in (C:\Windows\System32\WindowsPowerShell\v1.0\power*.exe) do @%i -nop -c whoami` | Native CMD for loop with filesystem glob — expands power*.exe in the PowerShell install directory |
| `for /f %i in ('where /r C:\Windows power?hell.exe') do %i -nop -c whoami` | Recursive where search across Windows tree — finds powershell.exe in WindowsPowerShell subdirectory without spelling the full path |
| `set a=powers& set b=hell& call %a%%b%.exe -nop -c whoami` | Binary name split across two SET variables — CALL resolves %a%%b%.exe=powershell.exe; name never appears as a literal string |
| `for /f %i in ('where power?hell.exe') do start "" /b %i -nop -c whoami` | start /b launches powershell.exe as a detached background process — changes parent process attribution in event logs |
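
A defender-side check for the patterns in the table above, as an added example that is not part of the original page: it flags command lines (for instance from process-creation logs) in which a wildcard, an 8.3 short name or SET-concatenated variables resolve to powershell.exe without the literal name appearing. The function names, the three-literal-character threshold and the sample lines are assumptions made for this example, and `fnmatch` only approximates CMD wildcard semantics.

```python
import fnmatch
import re

TARGET = "powershell.exe"
SFN = re.compile(r"powers~\d+(\.exe)?$")               # 8.3 short name, e.g. POWERS~1.EXE
SET_VAR = re.compile(r"\bset\s+(\w+)=([^&|]*)", re.I)  # SET name=value on the same line
TOKEN_SPLIT = re.compile(r"[\s\"'()]+")

def glob_hits_target(pattern):
    """True if a CMD wildcard mask would expand to powershell.exe."""
    if not any(c in pattern for c in "*?"):
        return False
    literal = re.sub(r"[*?]|\.exe$", "", pattern)
    if len(literal) < 3:          # assumed threshold: ignore broad masks such as *.exe
        return False
    # '[' is an ordinary character to CMD but opens a set in fnmatch, so escape it.
    return fnmatch.fnmatchcase(TARGET, pattern.replace("[", "[[]"))

def expand_set_vars(cmdline):
    """Resolve %name% references to values assigned by SET on the same line."""
    values = {k.lower(): v.strip() for k, v in SET_VAR.findall(cmdline)}
    return re.sub(r"%(\w+)%",
                  lambda m: values.get(m.group(1).lower(), m.group(0)), cmdline)

def classify(cmdline):
    """Return the reasons a command line reaches powershell.exe indirectly."""
    reasons = set()
    for token in TOKEN_SPLIT.split(cmdline):
        name = token.rsplit("\\", 1)[-1].lower()   # file-name part of a path token
        if glob_hits_target(name):
            reasons.add("wildcard")
        if SFN.match(name):
            reasons.add("8.3-short-name")
    expanded = expand_set_vars(cmdline).lower()
    if TARGET in expanded and TARGET not in cmdline.lower():
        reasons.add("set-concatenation")
    return sorted(reasons)

# Constructed sample lines: three rows from the table above plus one benign command.
SAMPLES = [
    r"for /f %i in ('where power?hell.exe') do %i",
    r"C:\Windows\System32\WINDOW~1\v1.0\POWERS~1.EXE -nop -c whoami",
    "set a=powers& set b=hell& call %a%%b%.exe -nop -c whoami",
    r"dir /b C:\Users\*.exe",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or "no indirect reference", "<-", line)
```
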
YARA Rule
Auto-generated detection rule for powershell.exe