Hello,

You can use legacy executable with PowerShell, you just need to take specific actions if you use complex arguments. Indeed, if you use “ipconfig.exe” it will work as expected:

You can also use some simple argument like “IpConfig /all”, it will work. When you start playing with more complex arguments like the ones needed for icacls.exe, it will fail :

The PowerShell engine seems to don’t understand the required syntax for IcaCls.exe. To get it work, you have several options.

Use Legacy Executable with PowerShell

–% Operator

The easiest one is the –% operator, you need to place it just after your executable :

icacls.exe --% test /grant Administrators:(D,WDAC)

cmd /c

The old-school one :

cmd /c "icacls.exe test /grant Administrators:(D,WDAC)"

Start-Process

The PowerShell way :

Start-Process -FilePath icacls.exe -ArgumentList 'test /grant Administrators:(D,WDAC)' -NoNewWindow

Invoke-Command

The use of Invoke-Command is handful for remote execution with the -ComputerName parameter :

Invoke-Command -ScriptBlock {icacls.exe "c:temptest /grant Administrators:(D,WDAC)"}

Invoke-Expression

This is the risky one, this cmdlet is susceptible to be used for code injection.

$Path = 'C:temptest'

Invoke-Expression -Command "icacls.exe $Path /grant 'Administrators:(D,WDAC)'"

As you can see, the cmdlet can take variable into the command to execute, this is why it’s a security risk.

Error Handling

You have some basic error handling available when using those methods, this is not as great as a “try/catch”, but it can help :

if($?){'Last OK'}else{'Last KO'}

Conclusion

Those examples are just a few of the many possible ways to use legacy executable with PowerShell. I think the easiest one is the –% operator. The basic error handling provided by the $? operator can help to keep track of the legacy executable result codes.