PowerShell Protect

Audit and block PowerShell scripts on Windows.

What's New in 2.0

Open Source

PowerShell Protect is now open source, licensed under GPL and free.

Configuration Cmdlets

Configure PowerShell Protect without writing any XML. Take advantage of the PSProtect configuration cmdlets.



Use the configurable rule system to filter which PowerShell executions are logged or blocked.

Build and test with PowerShell

Build rules using PowerShell cmdlets to easily define which scripts are logged or blocked.

Default Rules

Take advantage of zero-configuration built-in rules to detect suspicious behavior such as AMSI bypasses, Mimikatz usage, and low-level C# class usage.

Deploy XML

Deploy PowerShell Protect configurations as a single XML document via Group Policy or the file system.

Simple Install

Install the PowerShell Protect AMSI provider with a single PowerShell command.


Track script executions using various output methods.


Send HTTP requests to remote systems, such as PowerShell Universal, for additional analysis.


Log to a file locally for evaluation by local processes.


Send over TCP or UDP messages to your SIEM or other services.

Event Log

Blocked scripts are automatically logged to the Event Log without the need for configuration


Take advantage of customer formatting for audit logs to match whatever system you are sending data to.


Block scripts from executing at all based on rules or default protections.

Default Blocking

Block suspicious behavior without having to configure PowerShell Protect at all.

Custom Blocking

Block scripts based on rules defined with the PowerShell Protect configuration system.