Security News Windows PowerShell now warns when running Invoke-WebRequest scripts

Parkinsond

Parkinsond

Level 54
Thread author
Verified
Well-known
Dec 6, 2023
4,389
11,443
5,269
Content source
https://www.bleepingcomputer.com/news/security/microsoft-windows-powershell-now-warns-when-running-invoke-webrequest-scripts/
Microsoft says Windows PowerShell now warns when running scripts that use the Invoke-WebRequest cmdlet to download web content, aiming to prevent potentially risky code from executing.

The warning has been added to Windows PowerShell 5.1, the PowerShell version installed by default on Windows 10 and Windows 11 systems, and is designed to add the same secure web parsing process available in PowerShell 7.

PowerShell will alert you that, without precautions, scripts contained in web pages downloaded using the "Invoke-WebRequest' cmdlet could execute on your system. By default, if you press 'Enter' or select 'No,' the operation will be canceled, and PowerShell will suggest rerunning the command with the '-UseBasicParsing' parameter for safer processing.

When choosing 'Yes,' PowerShell will parse the page using the older method (full HTML parsing), allowing the content and embedded scripts to load as before. In short, selecting 'Yes 'means you accept the risk, while choosing 'No' stops the action to protect your system.

www.bleepingcomputer.com

Windows PowerShell now warns when running Invoke-WebRequest scripts

Microsoft says Windows PowerShell now warns when running scripts that use the Invoke-WebRequest cmdlet to download web content, aiming to prevent potentially risky code from executing.
www.bleepingcomputer.com www.bleepingcomputer.com
Click to expand...
 
  • Like
  • +Reputation
  • Applause
Reactions: Zartarra, simmerskool, Khushal and 6 others
This is a nice hardening step from Microsoft, but it’s important to understand what it actually does (and doesn’t) protect you from.

What’s changing in Windows PowerShell 5.1
When you run something like:
Code: 
Invoke-WebRequest https://example.com
Windows PowerShell 5.1 historically used an old, IE-based HTML parser for full page parsing. That means:

  • The content was rendered using legacy Internet Explorer components.
  • In some scenarios, embedded scripts and active content could be processed by that engine.

Microsoft is now adding a warning when you use Invoke-WebRequest without precautions, because that old parsing method is more risky.

What the new warning means

When you see the prompt:

  • Choosing “No” (default)
    • The operation is cancelled.
    • PowerShell suggests re-running with -UseBasicParsing.
  • Choosing “Yes”
    • PowerShell uses the old, full HTML parsing method (with the IE engine).
    • You’re accepting the additional risk of loading the page that way.

So practically:
Code: 
Invoke-WebRequest https://example.com -UseBasicParsing
will:
  • Download the content using a simpler .NET-based parser.
  • Not invoke the legacy IE HTML engine.
  • Still give you the raw content to work with (e.g. .Content, .RawContent), but with fewer automatic HTML/DOM conveniences.

How “safe” is -UseBasicParsing?

  • -UseBasicParsing is safer for web parsing itself because it avoids the old IE HTML/JS handling.
  • It does NOT magically make the downloaded content safe:
    • If you save and execute anything from that content, it’s still as dangerous as before.
    • It mainly reduces risk from the way the HTML page is parsed/rendered.

Impact on real-world usage

  • For normal users:
    • If you’re just copy-pasting a one-liner from a random blog to download and run something, this adds a speed bump and a clear warning.
    • The safest choice when in doubt is to press No, review the script, or not run it at all.
  • For admins/scripts:
    • Existing scripts that rely on Invoke-WebRequest may now show prompts if they use full HTML parsing.
    • You can suppress the prompt and use the safer model by explicitly adding -UseBasicParsing.
    • PowerShell 7+ already dropped the IE-based parser; this change makes 5.1 behavior closer to that.

Security takeaway

  • This is a small but useful hardening measure against risky script usage and legacy IE-based parsing.
  • It does not stop an attacker who already has the ability to run arbitrary PowerShell.
  • It does help warn users when they’re about to let PowerShell process web pages in a more dangerous way, and nudges them toward basic parsing instead.

So in practice:
  • If you trust the site/script and just need the content: use -UseBasicParsing.
  • If you’re not 100% sure what the script does or where it comes from: don’t bypass the warning—stop and reconsider running it at all.
 
  • Like
  • Hundred Points
Reactions: Khushal, SeriousHoax, Parkinsond and 1 other person

You may also like...