From ea32d334bae0aa2a630424ab3ae2ee5e03cbbf16 Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Tue, 24 Mar 2026 09:48:24 -0500 Subject: [PATCH 1/2] Fixes #12879 - Add note about Property wrapping in ForEach() method (#12882) * Add note about Property wrapping in ForEach() method * Fix typos and expand description of behavior --- .../About/about_Arrays.md | 61 ++++++++++++++++- .../About/about_Arrays.md | 65 +++++++++++++++++-- .../About/about_Arrays.md | 61 ++++++++++++++++- .../About/about_Arrays.md | 61 ++++++++++++++++- 4 files changed, 233 insertions(+), 15 deletions(-) diff --git a/reference/5.1/Microsoft.PowerShell.Core/About/about_Arrays.md b/reference/5.1/Microsoft.PowerShell.Core/About/about_Arrays.md index 80eacd4a0ad9..1e678aff659b 100644 --- a/reference/5.1/Microsoft.PowerShell.Core/About/about_Arrays.md +++ b/reference/5.1/Microsoft.PowerShell.Core/About/about_Arrays.md @@ -1,7 +1,7 @@ --- description: Describes arrays, which are data structures designed to store collections of items. Locale: en-US -ms.date: 01/18/2026 +ms.date: 03/24/2026 no-loc: [Count, Length, LongLength, Rank, ForEach, Clear, Default, First, Last, SkipUntil, Until, Split, Tuple] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_arrays?view=powershell-5.1&WT.mc_id=ps-gethelp schema: 2.0.0 @@ -583,12 +583,67 @@ every item in the collection. Wednesday, June 20, 2018 9:21:57 AM ``` +> [!NOTE] +> The `ForEach()` method wraps properties into a collection before enumeration. +> Using `ForEach()` normally returns all items in both array. However, if you +> want to access elements of the wrapped collection, you need to use two +> indices. + +Consider the following example where the object `$myObject` has a property with +single value and a property containing an array of 11 integers. + +```powershell +$myObject = [pscustomobject]@{ + singleValue = 'Hello' + arrayValue = @(0..10) +} +``` + +When you use the `ForEach()` method to access a property of the object, the +property is wrapped in a collection. + +```powershell +PS> $myObject.ForEach('singleValue').GetType().Name +Collection`1 +PS> $myObject.ForEach('singleValue')[0].GetType().Name +String +PS> $myObject.ForEach('singleValue') # Enumerate the collection object +Hello +``` + +To access the an element of the array, you need to use two indices. + +```powershell +PS> $myObject.ForEach('arrayValue').GetType().Name +Collection`1 +# A single Collection item +PS> $myObject.ForEach('arrayValue').Count +1 +# First item in the collection is an array of 11 items +PS> $myObject.ForEach('Value')[0].Count +11 +# Access the first item in the array of 11 items +PS> $myObject.ForEach('Value')[0][0] +0 +``` + +This is different than using the `ForEach()` method using with a scriptblock to +access the **Value** property of each object. + +```powershell +PS> $myObject.ForEach({$_.Value}).Count # An array of 11 items +11 +``` + +Use the scriptblock syntax to avoid the wrapping behavior when you want to +access complex property types, such as arrays or nested objects. + #### ForEach(string methodName) #### ForEach(string methodName, object[] arguments) -Lastly, `ForEach()` methods can be used to execute a method on every item in -the collection. +You can use the `ForEach()` method to execute an object's method on every item +in the collection. ```powershell ("one", "two", "three").ForEach("ToUpper") diff --git a/reference/7.4/Microsoft.PowerShell.Core/About/about_Arrays.md b/reference/7.4/Microsoft.PowerShell.Core/About/about_Arrays.md index 1305b9504f2e..363d553eeef9 100644 --- a/reference/7.4/Microsoft.PowerShell.Core/About/about_Arrays.md +++ b/reference/7.4/Microsoft.PowerShell.Core/About/about_Arrays.md @@ -1,9 +1,9 @@ --- description: Describes arrays, which are data structures designed to store collections of items. Locale: en-US -ms.date: 01/18/2026 +ms.date: 03/24/2026 no-loc: [Count, Length, LongLength, Rank, ForEach, Clear, Default, First, Last, SkipUntil, Until, Split, Tuple] -online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_arrays?view=powershell-5.1&WT.mc_id=ps-gethelp +online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_arrays?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 title: about_Arrays --- @@ -583,12 +583,67 @@ every item in the collection. Wednesday, June 20, 2018 9:21:57 AM ``` +> [!NOTE] +> The `ForEach()` method wraps properties into a collection before enumeration. +> Using `ForEach()` normally returns all items in both array. However, if you +> want to access elements of the wrapped collection, you need to use two +> indices. + +Consider the following example where the object `$myObject` has a property with +single value and a property containing an array of 11 integers. + +```powershell +$myObject = [pscustomobject]@{ + singleValue = 'Hello' + arrayValue = @(0..10) +} +``` + +When you use the `ForEach()` method to access a property of the object, the +property is wrapped in a collection. + +```powershell +PS> $myObject.ForEach('singleValue').GetType().Name +Collection`1 +PS> $myObject.ForEach('singleValue')[0].GetType().Name +String +PS> $myObject.ForEach('singleValue') # Enumerate the collection object +Hello +``` + +To access the an element of the array, you need to use two indices. + +```powershell +PS> $myObject.ForEach('arrayValue').GetType().Name +Collection`1 +# A single Collection item +PS> $myObject.ForEach('arrayValue').Count +1 +# First item in the collection is an array of 11 items +PS> $myObject.ForEach('Value')[0].Count +11 +# Access the first item in the array of 11 items +PS> $myObject.ForEach('Value')[0][0] +0 +``` + +This is different than using the `ForEach()` method using with a scriptblock to +access the **Value** property of each object. + +```powershell +PS> $myObject.ForEach({$_.Value}).Count # An array of 11 items +11 +``` + +Use the scriptblock syntax to avoid the wrapping behavior when you want to +access complex property types, such as arrays or nested objects. + #### ForEach(string methodName) #### ForEach(string methodName, object[] arguments) -Lastly, `ForEach()` methods can be used to execute a method on every item in -the collection. +You can use the `ForEach()` method to execute an object's method on every item +in the collection. ```powershell ("one", "two", "three").ForEach("ToUpper") @@ -1124,5 +1179,3 @@ LastWriteTimeUtc Property datetime LastWriteTimeUtc {get;set;} [13]: about_While.md [14]: https://wikipedia.org/wiki/Row-_and_column-major_order - - diff --git a/reference/7.5/Microsoft.PowerShell.Core/About/about_Arrays.md b/reference/7.5/Microsoft.PowerShell.Core/About/about_Arrays.md index baaf33dc56fb..e8e37855029b 100644 --- a/reference/7.5/Microsoft.PowerShell.Core/About/about_Arrays.md +++ b/reference/7.5/Microsoft.PowerShell.Core/About/about_Arrays.md @@ -1,7 +1,7 @@ --- description: Describes arrays, which are data structures designed to store collections of items. Locale: en-US -ms.date: 01/18/2026 +ms.date: 03/24/2026 no-loc: [Count, Length, LongLength, Rank, ForEach, Clear, Default, First, Last, SkipUntil, Until, Split, Tuple] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_arrays?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0 @@ -583,12 +583,67 @@ every item in the collection. Wednesday, June 20, 2018 9:21:57 AM ``` +> [!NOTE] +> The `ForEach()` method wraps properties into a collection before enumeration. +> Using `ForEach()` normally returns all items in both array. However, if you +> want to access elements of the wrapped collection, you need to use two +> indices. + +Consider the following example where the object `$myObject` has a property with +single value and a property containing an array of 11 integers. + +```powershell +$myObject = [pscustomobject]@{ + singleValue = 'Hello' + arrayValue = @(0..10) +} +``` + +When you use the `ForEach()` method to access a property of the object, the +property is wrapped in a collection. + +```powershell +PS> $myObject.ForEach('singleValue').GetType().Name +Collection`1 +PS> $myObject.ForEach('singleValue')[0].GetType().Name +String +PS> $myObject.ForEach('singleValue') # Enumerate the collection object +Hello +``` + +To access the an element of the array, you need to use two indices. + +```powershell +PS> $myObject.ForEach('arrayValue').GetType().Name +Collection`1 +# A single Collection item +PS> $myObject.ForEach('arrayValue').Count +1 +# First item in the collection is an array of 11 items +PS> $myObject.ForEach('Value')[0].Count +11 +# Access the first item in the array of 11 items +PS> $myObject.ForEach('Value')[0][0] +0 +``` + +This is different than using the `ForEach()` method using with a scriptblock to +access the **Value** property of each object. + +```powershell +PS> $myObject.ForEach({$_.Value}).Count # An array of 11 items +11 +``` + +Use the scriptblock syntax to avoid the wrapping behavior when you want to +access complex property types, such as arrays or nested objects. + #### ForEach(string methodName) #### ForEach(string methodName, object[] arguments) -Lastly, `ForEach()` methods can be used to execute a method on every item in -the collection. +You can use the `ForEach()` method to execute an object's method on every item +in the collection. ```powershell ("one", "two", "three").ForEach("ToUpper") diff --git a/reference/7.6/Microsoft.PowerShell.Core/About/about_Arrays.md b/reference/7.6/Microsoft.PowerShell.Core/About/about_Arrays.md index 5c76e28654fe..e03a604f9df9 100644 --- a/reference/7.6/Microsoft.PowerShell.Core/About/about_Arrays.md +++ b/reference/7.6/Microsoft.PowerShell.Core/About/about_Arrays.md @@ -1,7 +1,7 @@ --- description: Describes arrays, which are data structures designed to store collections of items. Locale: en-US -ms.date: 01/18/2026 +ms.date: 03/24/2026 no-loc: [Count, Length, LongLength, Rank, ForEach, Clear, Default, First, Last, SkipUntil, Until, Split, Tuple] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_arrays?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 @@ -590,12 +590,67 @@ every item in the collection. Wednesday, June 20, 2018 9:21:57 AM ``` +> [!NOTE] +> The `ForEach()` method wraps properties into a collection before enumeration. +> Using `ForEach()` normally returns all items in both array. However, if you +> want to access elements of the wrapped collection, you need to use two +> indices. + +Consider the following example where the object `$myObject` has a property with +single value and a property containing an array of 11 integers. + +```powershell +$myObject = [pscustomobject]@{ + singleValue = 'Hello' + arrayValue = @(0..10) +} +``` + +When you use the `ForEach()` method to access a property of the object, the +property is wrapped in a collection. + +```powershell +PS> $myObject.ForEach('singleValue').GetType().Name +Collection`1 +PS> $myObject.ForEach('singleValue')[0].GetType().Name +String +PS> $myObject.ForEach('singleValue') # Enumerate the collection object +Hello +``` + +To access the an element of the array, you need to use two indices. + +```powershell +PS> $myObject.ForEach('arrayValue').GetType().Name +Collection`1 +# A single Collection item +PS> $myObject.ForEach('arrayValue').Count +1 +# First item in the collection is an array of 11 items +PS> $myObject.ForEach('Value')[0].Count +11 +# Access the first item in the array of 11 items +PS> $myObject.ForEach('Value')[0][0] +0 +``` + +This is different than using the `ForEach()` method using with a scriptblock to +access the **Value** property of each object. + +```powershell +PS> $myObject.ForEach({$_.Value}).Count # An array of 11 items +11 +``` + +Use the scriptblock syntax to avoid the wrapping behavior when you want to +access complex property types, such as arrays or nested objects. + #### ForEach(string methodName) #### ForEach(string methodName, object[] arguments) -Lastly, `ForEach()` methods can be used to execute a method on every item in -the collection. +You can use the `ForEach()` method to execute an object's method on every item +in the collection. ```powershell ("one", "two", "three").ForEach("ToUpper") From b9ffc8967095940ed8679945b42d8a96f861b799 Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Tue, 24 Mar 2026 13:08:52 -0500 Subject: [PATCH 2/2] Add note about untrusted data (#12885) * Add note about untrusted data * Copy missed alert --- .../About/about_Operators.md | 12 ++++++-- .../Invoke-Command.md | 12 +++++++- .../Invoke-Item.md | 15 ++++++++-- .../Show-EventLog.md | 28 +++++++++---------- .../Start-Process.md | 12 +++++++- .../About/about_Operators.md | 12 ++++++-- .../Invoke-Command.md | 14 ++++++++-- .../Invoke-Item.md | 22 +++++++++++---- .../Start-Process.md | 16 +++++++++-- .../About/about_Operators.md | 12 ++++++-- .../Invoke-Command.md | 14 ++++++++-- .../Invoke-Item.md | 17 ++++++++--- .../Start-Process.md | 16 +++++++++-- .../About/about_Operators.md | 12 ++++++-- .../Invoke-Command.md | 14 ++++++++-- .../Invoke-Item.md | 22 +++++++++++---- .../Start-Process.md | 16 +++++++++-- 17 files changed, 203 insertions(+), 63 deletions(-) diff --git a/reference/5.1/Microsoft.PowerShell.Core/About/about_Operators.md b/reference/5.1/Microsoft.PowerShell.Core/About/about_Operators.md index 3f785a5b4cb5..5449f73cc648 100644 --- a/reference/5.1/Microsoft.PowerShell.Core/About/about_Operators.md +++ b/reference/5.1/Microsoft.PowerShell.Core/About/about_Operators.md @@ -1,7 +1,7 @@ --- description: Describes the operators that are supported by PowerShell. Locale: en-US -ms.date: 01/18/2026 +ms.date: 03/24/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_operators?view=powershell-5.1&WT.mc_id=ps-gethelp schema: 2.0.0 title: about_Operators @@ -301,7 +301,7 @@ At line:1 char:2 + FullyQualifiedErrorId : CommandNotFoundException ``` -The [Invoke-Expression][26] cmdlet can execute code that causes parsing errors +The [Invoke-Expression][27] cmdlet can execute code that causes parsing errors when using the call operator. ```powershell @@ -343,6 +343,11 @@ Hello World! For more about scriptblocks, see [about_Script_Blocks][21]. +> [!IMPORTANT] +> Using this operator with untrusted data is a security risk. Only use trusted +> data with this operator. For more information, see +> [Validate All Inputs][26]. + ### Cast operator `[ ]` Converts or limits objects to the specified type. If the objects can't be @@ -644,4 +649,5 @@ properties and methods of an object, use the Static parameter of the [22]: about_Split.md [23]: about_Type_Operators.md [24]: about_Variables.md -[26]: xref:Microsoft.PowerShell.Utility.Invoke-Expression +[26]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/ +[27]: xref:Microsoft.PowerShell.Utility.Invoke-Expression diff --git a/reference/5.1/Microsoft.PowerShell.Core/Invoke-Command.md b/reference/5.1/Microsoft.PowerShell.Core/Invoke-Command.md index 889743662fa2..c9f9a386fed0 100644 --- a/reference/5.1/Microsoft.PowerShell.Core/Invoke-Command.md +++ b/reference/5.1/Microsoft.PowerShell.Core/Invoke-Command.md @@ -2,7 +2,7 @@ external help file: System.Management.Automation.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Core -ms.date: 01/18/2026 +ms.date: 03/24/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-5.1&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -706,6 +706,11 @@ passed by position from the array value supplied to **ArgumentList**. This is kn splatting. For more information about the behavior of **ArgumentList**, see [about_Splatting](about/about_Splatting.md#splatting-with-arrays). +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.Object[] Parameter Sets: (All) @@ -1002,6 +1007,11 @@ the values of parameters in the script. When you use this parameter, PowerShell converts the contents of the specified script file to a scriptblock, transmits the scriptblock to the remote computer, and runs it on the remote computer. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: FilePathRunspace, FilePathComputerName, FilePathUri, FilePathVMId, FilePathVMName, FilePathContainerId diff --git a/reference/5.1/Microsoft.PowerShell.Management/Invoke-Item.md b/reference/5.1/Microsoft.PowerShell.Management/Invoke-Item.md index b93590fdacee..6923a2f9670a 100644 --- a/reference/5.1/Microsoft.PowerShell.Management/Invoke-Item.md +++ b/reference/5.1/Microsoft.PowerShell.Management/Invoke-Item.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 12/12/2022 +ms.date: 03/11/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/invoke-item?view=powershell-5.1&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -151,6 +151,11 @@ as escape sequences. For more information, see [about_Quoting_Rules](../Microsoft.Powershell.Core/About/about_Quoting_Rules.md). +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String[] Parameter Sets: LiteralPath @@ -166,7 +171,11 @@ Accept wildcard characters: False ### -Path Specifies the path to the selected item. -Wildcard characters are permitted. + +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ```yaml Type: System.String[] @@ -236,7 +245,7 @@ Accept wildcard characters: False This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see -[about_CommonParameters](../Microsoft.PowerShell.Core/About/about_CommonParameters.md). +[about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216). ## INPUTS diff --git a/reference/5.1/Microsoft.PowerShell.Management/Show-EventLog.md b/reference/5.1/Microsoft.PowerShell.Management/Show-EventLog.md index 02ee44948c3b..697a8110adb6 100644 --- a/reference/5.1/Microsoft.PowerShell.Management/Show-EventLog.md +++ b/reference/5.1/Microsoft.PowerShell.Management/Show-EventLog.md @@ -24,12 +24,8 @@ Show-EventLog [[-ComputerName] ] [] The `Show-EventLog` cmdlet opens Event Viewer on the local computer and displays in it all of the classic event logs on the local computer or a remote computer. -To open Event Viewer on Windows Vista and later versions of the Windows operating system, the -current user must be a member of the Administrators group on the local computer. - -The cmdlets that contain the **EventLog** noun (the **EventLog** cmdlets) work only on classic event -logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later -versions of the Windows operating system, use the `Get-WinEvent` cmdlet. +The cmdlets that contain the **EventLog** noun work only on classic event logs. To get events from +logs that use the Windows Event Log technology, use the `Get-WinEvent` cmdlet. ## EXAMPLES @@ -54,12 +50,13 @@ This command opens Event Viewer and displays in it the classic event logs on the ### -ComputerName Specifies a remote computer. `Show-EventLog` displays the event logs from the specified computer in -Event Viewer on the local computer. The default is the local computer. - -Type the NetBIOS name, an IP address, or a fully qualified domain name of a remote computer. +Event Viewer on the local computer. The default is the local computer. When you use this parameter, +the command runs `eventvwr.exe` and passes the value of this parameter. -This parameter does not rely on Windows PowerShell remoting. You can use the **ComputerName** -parameter even if your computer is not configured to run remote commands. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ```yaml Type: System.String @@ -77,26 +74,27 @@ Accept wildcard characters: False This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, --WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216). +-WarningAction, and -WarningVariable. For more information, see +[about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216). ## INPUTS ### None -You cannot pipe input to this cmdlet. +You can't pipe input to this cmdlet. ## OUTPUTS ### None -This cmdlet does not generate any output. +This cmdlet doesn't generate any output. ## NOTES - The Windows PowerShell command prompt returns as soon as Event Viewer opens. You can work in the current session while Event Viewer is open. - Because this cmdlet requires a user interface, it does not work on Server Core installations of + Because this cmdlet requires a user interface, it doesn't work on Server Core installations of Windows Server. ## RELATED LINKS diff --git a/reference/5.1/Microsoft.PowerShell.Management/Start-Process.md b/reference/5.1/Microsoft.PowerShell.Management/Start-Process.md index 4d815b05dcad..73d3b5ff9e1f 100644 --- a/reference/5.1/Microsoft.PowerShell.Management/Start-Process.md +++ b/reference/5.1/Microsoft.PowerShell.Management/Start-Process.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 11/01/2023 +ms.date: 03/11/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/start-process?view=powershell-5.1&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -203,6 +203,11 @@ program on the computer. This parameter is required. If you specify only a filename, use the **WorkingDirectory** parameter to specify the path. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: (All) @@ -418,6 +423,11 @@ Specifies the location that the new process should start in. The default is the executable file or document being started. Wildcards aren't supported. The path must not contain characters that would be interpreted as wildcards. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: (All) diff --git a/reference/7.4/Microsoft.PowerShell.Core/About/about_Operators.md b/reference/7.4/Microsoft.PowerShell.Core/About/about_Operators.md index 657726be9617..66b9e293fb42 100644 --- a/reference/7.4/Microsoft.PowerShell.Core/About/about_Operators.md +++ b/reference/7.4/Microsoft.PowerShell.Core/About/about_Operators.md @@ -1,7 +1,7 @@ --- description: Describes the operators that are supported by PowerShell. Locale: en-US -ms.date: 01/18/2026 +ms.date: 03/24/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_operators?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 title: about_Operators @@ -273,7 +273,7 @@ the name, or if a path was included, verify that the path is correct and try again. ``` -The [Invoke-Expression][26] cmdlet can execute code that causes parsing errors +The [Invoke-Expression][27] cmdlet can execute code that causes parsing errors when using the call operator. ```powershell @@ -311,6 +311,11 @@ Hello World! For more about scriptblocks, see [about_Script_Blocks][21]. +> [!IMPORTANT] +> Using this operator with untrusted data is a security risk. Only use trusted +> data with this operator. For more information, see +> [Validate All Inputs][26]. + ### Background operator `&` Runs the pipeline before it in the background, in a PowerShell job. This @@ -897,4 +902,5 @@ ${a}?[0] [23]: about_Type_Operators.md [24]: about_Variables.md [25]: about_Variables.md#variable-names-that-include-special-characters -[26]: xref:Microsoft.PowerShell.Utility.Invoke-Expression +[26]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/ +[27]: xref:Microsoft.PowerShell.Utility.Invoke-Expression diff --git a/reference/7.4/Microsoft.PowerShell.Core/Invoke-Command.md b/reference/7.4/Microsoft.PowerShell.Core/Invoke-Command.md index fa87689a9c64..973bb5c65682 100644 --- a/reference/7.4/Microsoft.PowerShell.Core/Invoke-Command.md +++ b/reference/7.4/Microsoft.PowerShell.Core/Invoke-Command.md @@ -2,7 +2,7 @@ external help file: System.Management.Automation.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Core -ms.date: 01/18/2026 +ms.date: 03/24/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -811,6 +811,11 @@ passed by position from the array value supplied to **ArgumentList**. This is kn splatting. For more information about the behavior of **ArgumentList**, see [about_Splatting](about/about_Splatting.md#splatting-with-arrays). +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.Object[] Parameter Sets: (All) @@ -1130,6 +1135,11 @@ the values of parameters in the script. When you use this parameter, PowerShell converts the contents of the specified script file to a scriptblock, transmits the scriptblock to the remote computer, and runs it on the remote computer. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: FilePathRunspace, FilePathComputerName, FilePathUri, FilePathVMId, FilePathVMName, FilePathContainerId, FilePathSSHHost, FilePathSSHHostHash @@ -1403,7 +1413,7 @@ remote computer. > [!NOTE] > Parameters for the scriptblock can only be passed in from **ArgumentList** by position. Switch -> parameters cannot be passed by position. If you need a parameter that behaves like a +> parameters can't be passed by position. If you need a parameter that behaves like a > **SwitchParameter** type, use a **Boolean** type instead. ```yaml diff --git a/reference/7.4/Microsoft.PowerShell.Management/Invoke-Item.md b/reference/7.4/Microsoft.PowerShell.Management/Invoke-Item.md index 7816bccee2d3..b4a8f899f705 100644 --- a/reference/7.4/Microsoft.PowerShell.Management/Invoke-Item.md +++ b/reference/7.4/Microsoft.PowerShell.Management/Invoke-Item.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 12/12/2022 +ms.date: 03/11/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/invoke-item?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -144,12 +144,18 @@ Accept wildcard characters: True ### -LiteralPath -Specifies a path to one or more locations. The value of **LiteralPath** is used exactly as it is +Specifies a path to one or more locations. The value of **LiteralPath** is used exactly as it's typed. No characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks. Single quotation marks tell PowerShell not to interpret any characters as escape sequences. -For more information, see [about_Quoting_Rules](../Microsoft.Powershell.Core/About/about_Quoting_Rules.md). +For more information, see +[about_Quoting_Rules](../Microsoft.Powershell.Core/About/about_Quoting_Rules.md). + +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ```yaml Type: System.String[] @@ -165,8 +171,12 @@ Accept wildcard characters: False ### -Path -Specifies the path to the selected item. -Wildcard characters are permitted. +Specifies the path to the selected item. Wildcard characters are permitted. + +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ```yaml Type: System.String[] @@ -218,7 +228,7 @@ Accept wildcard characters: False This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see -[about_CommonParameters](../Microsoft.PowerShell.Core/About/about_CommonParameters.md). +[about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216). ## INPUTS diff --git a/reference/7.4/Microsoft.PowerShell.Management/Start-Process.md b/reference/7.4/Microsoft.PowerShell.Management/Start-Process.md index f7391e75351a..c83da93bd2df 100644 --- a/reference/7.4/Microsoft.PowerShell.Management/Start-Process.md +++ b/reference/7.4/Microsoft.PowerShell.Management/Start-Process.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 11/01/2023 +ms.date: 03/11/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/start-process?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -274,9 +274,14 @@ Specifies the optional path and filename of the program that runs in the process an executable file or of a document, such as a `.txt` or `.doc` file, that's associated with a program on the computer. This parameter is required. -If you specify only a filename that does not correspond to a system command, use the +If you specify only a filename that doesn't correspond to a system command, use the **WorkingDirectory** parameter to specify the path. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: (All) @@ -502,12 +507,17 @@ Accept wildcard characters: False Specifies the location that the new process should start in. When not specified, the cmdlet defaults to the fully-qualified location specified in the -**FilePath** parameter. If the value of the **FilePath** parameter is not fully-qualified, it +**FilePath** parameter. If the value of the **FilePath** parameter isn't fully-qualified, it defaults to the current working directory of the calling process. Wildcards aren't supported. The path must not contain characters that would be interpreted as wildcards. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: (All) diff --git a/reference/7.5/Microsoft.PowerShell.Core/About/about_Operators.md b/reference/7.5/Microsoft.PowerShell.Core/About/about_Operators.md index df2722cd0c65..29a7a8e462f0 100644 --- a/reference/7.5/Microsoft.PowerShell.Core/About/about_Operators.md +++ b/reference/7.5/Microsoft.PowerShell.Core/About/about_Operators.md @@ -1,7 +1,7 @@ --- description: Describes the operators that are supported by PowerShell. Locale: en-US -ms.date: 01/18/2026 +ms.date: 03/24/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_operators?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0 title: about_Operators @@ -273,7 +273,7 @@ the name, or if a path was included, verify that the path is correct and try again. ``` -The [Invoke-Expression][26] cmdlet can execute code that causes parsing errors +The [Invoke-Expression][27] cmdlet can execute code that causes parsing errors when using the call operator. ```powershell @@ -311,6 +311,11 @@ Hello World! For more about scriptblocks, see [about_Script_Blocks][21]. +> [!IMPORTANT] +> Using this operator with untrusted data is a security risk. Only use trusted +> data with this operator. For more information, see +> [Validate All Inputs][26]. + ### Background operator `&` Runs the pipeline before it in the background, in a PowerShell job. This @@ -897,4 +902,5 @@ ${a}?[0] [23]: about_Type_Operators.md [24]: about_Variables.md [25]: about_Variables.md#variable-names-that-include-special-characters -[26]: xref:Microsoft.PowerShell.Utility.Invoke-Expression +[26]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/ +[27]: xref:Microsoft.PowerShell.Utility.Invoke-Expression diff --git a/reference/7.5/Microsoft.PowerShell.Core/Invoke-Command.md b/reference/7.5/Microsoft.PowerShell.Core/Invoke-Command.md index 9ed45a56c841..1ec923b630b0 100644 --- a/reference/7.5/Microsoft.PowerShell.Core/Invoke-Command.md +++ b/reference/7.5/Microsoft.PowerShell.Core/Invoke-Command.md @@ -2,7 +2,7 @@ external help file: System.Management.Automation.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Core -ms.date: 01/18/2026 +ms.date: 03/24/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -811,6 +811,11 @@ passed by position from the array value supplied to **ArgumentList**. This is kn splatting. For more information about the behavior of **ArgumentList**, see [about_Splatting](about/about_Splatting.md#splatting-with-arrays). +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.Object[] Parameter Sets: (All) @@ -1130,6 +1135,11 @@ the values of parameters in the script. When you use this parameter, PowerShell converts the contents of the specified script file to a scriptblock, transmits the scriptblock to the remote computer, and runs it on the remote computer. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: FilePathRunspace, FilePathComputerName, FilePathUri, FilePathVMId, FilePathVMName, FilePathContainerId, FilePathSSHHost, FilePathSSHHostHash @@ -1403,7 +1413,7 @@ remote computer. > [!NOTE] > Parameters for the scriptblock can only be passed in from **ArgumentList** by position. Switch -> parameters cannot be passed by position. If you need a parameter that behaves like a +> parameters can't be passed by position. If you need a parameter that behaves like a > **SwitchParameter** type, use a **Boolean** type instead. ```yaml diff --git a/reference/7.5/Microsoft.PowerShell.Management/Invoke-Item.md b/reference/7.5/Microsoft.PowerShell.Management/Invoke-Item.md index d44ce5c801b7..822bf63d5283 100644 --- a/reference/7.5/Microsoft.PowerShell.Management/Invoke-Item.md +++ b/reference/7.5/Microsoft.PowerShell.Management/Invoke-Item.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 12/12/2022 +ms.date: 03/11/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/invoke-item?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -144,7 +144,7 @@ Accept wildcard characters: True ### -LiteralPath -Specifies a path to one or more locations. The value of **LiteralPath** is used exactly as it is +Specifies a path to one or more locations. The value of **LiteralPath** is used exactly as it's typed. No characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks. Single quotation marks tell PowerShell not to interpret any characters as escape sequences. @@ -152,6 +152,11 @@ as escape sequences. For more information, see [about_Quoting_Rules](../Microsoft.Powershell.Core/About/about_Quoting_Rules.md). +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String[] Parameter Sets: LiteralPath @@ -166,8 +171,12 @@ Accept wildcard characters: False ### -Path -Specifies the path to the selected item. -Wildcard characters are permitted. +Specifies the path to the selected item. Wildcard characters are permitted. + +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ```yaml Type: System.String[] diff --git a/reference/7.5/Microsoft.PowerShell.Management/Start-Process.md b/reference/7.5/Microsoft.PowerShell.Management/Start-Process.md index ceb1062f9902..a4db9abab17a 100644 --- a/reference/7.5/Microsoft.PowerShell.Management/Start-Process.md +++ b/reference/7.5/Microsoft.PowerShell.Management/Start-Process.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 11/01/2023 +ms.date: 03/11/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/start-process?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -274,9 +274,14 @@ Specifies the optional path and filename of the program that runs in the process an executable file or of a document, such as a `.txt` or `.doc` file, that's associated with a program on the computer. This parameter is required. -If you specify only a filename that does not correspond to a system command, use the +If you specify only a filename that doesn't correspond to a system command, use the **WorkingDirectory** parameter to specify the path. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: (All) @@ -502,12 +507,17 @@ Accept wildcard characters: False Specifies the location that the new process should start in. When not specified, the cmdlet defaults to the fully-qualified location specified in the -**FilePath** parameter. If the value of the **FilePath** parameter is not fully-qualified, it +**FilePath** parameter. If the value of the **FilePath** parameter isn't fully-qualified, it defaults to the current working directory of the calling process. Wildcards aren't supported. The path must not contain characters that would be interpreted as wildcards. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: (All) diff --git a/reference/7.6/Microsoft.PowerShell.Core/About/about_Operators.md b/reference/7.6/Microsoft.PowerShell.Core/About/about_Operators.md index f6ca9ac0780c..d4dd1351f13e 100644 --- a/reference/7.6/Microsoft.PowerShell.Core/About/about_Operators.md +++ b/reference/7.6/Microsoft.PowerShell.Core/About/about_Operators.md @@ -1,7 +1,7 @@ --- description: Describes the operators that are supported by PowerShell. Locale: en-US -ms.date: 01/18/2026 +ms.date: 03/24/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_operators?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 title: about_Operators @@ -273,7 +273,7 @@ the name, or if a path was included, verify that the path is correct and try again. ``` -The [Invoke-Expression][26] cmdlet can execute code that causes parsing errors +The [Invoke-Expression][27] cmdlet can execute code that causes parsing errors when using the call operator. ```powershell @@ -311,6 +311,11 @@ Hello World! For more about scriptblocks, see [about_Script_Blocks][21]. +> [!IMPORTANT] +> Using this operator with untrusted data is a security risk. Only use trusted +> data with this operator. For more information, see +> [Validate All Inputs][26]. + ### Background operator `&` Runs the pipeline before it in the background, in a PowerShell job. This @@ -897,4 +902,5 @@ ${a}?[0] [23]: about_Type_Operators.md [24]: about_Variables.md [25]: about_Variables.md#variable-names-that-include-special-characters -[26]: xref:Microsoft.PowerShell.Utility.Invoke-Expression +[26]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/ +[27]: xref:Microsoft.PowerShell.Utility.Invoke-Expression diff --git a/reference/7.6/Microsoft.PowerShell.Core/Invoke-Command.md b/reference/7.6/Microsoft.PowerShell.Core/Invoke-Command.md index 217f55cdfb4c..9b148966daa1 100644 --- a/reference/7.6/Microsoft.PowerShell.Core/Invoke-Command.md +++ b/reference/7.6/Microsoft.PowerShell.Core/Invoke-Command.md @@ -2,7 +2,7 @@ external help file: System.Management.Automation.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Core -ms.date: 01/18/2026 +ms.date: 03/24/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -811,6 +811,11 @@ passed by position from the array value supplied to **ArgumentList**. This is kn splatting. For more information about the behavior of **ArgumentList**, see [about_Splatting](about/about_Splatting.md#splatting-with-arrays). +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.Object[] Parameter Sets: (All) @@ -1130,6 +1135,11 @@ the values of parameters in the script. When you use this parameter, PowerShell converts the contents of the specified script file to a scriptblock, transmits the scriptblock to the remote computer, and runs it on the remote computer. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: FilePathRunspace, FilePathComputerName, FilePathUri, FilePathVMId, FilePathVMName, FilePathContainerId, FilePathSSHHost, FilePathSSHHostHash @@ -1403,7 +1413,7 @@ remote computer. > [!NOTE] > Parameters for the scriptblock can only be passed in from **ArgumentList** by position. Switch -> parameters cannot be passed by position. If you need a parameter that behaves like a +> parameters can't be passed by position. If you need a parameter that behaves like a > **SwitchParameter** type, use a **Boolean** type instead. ```yaml diff --git a/reference/7.6/Microsoft.PowerShell.Management/Invoke-Item.md b/reference/7.6/Microsoft.PowerShell.Management/Invoke-Item.md index dbbc1ededc5d..064353983652 100644 --- a/reference/7.6/Microsoft.PowerShell.Management/Invoke-Item.md +++ b/reference/7.6/Microsoft.PowerShell.Management/Invoke-Item.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 12/12/2022 +ms.date: 03/11/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/invoke-item?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -144,12 +144,18 @@ Accept wildcard characters: True ### -LiteralPath -Specifies a path to one or more locations. The value of **LiteralPath** is used exactly as it is +Specifies a path to one or more locations. The value of **LiteralPath** is used exactly as it's typed. No characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks. Single quotation marks tell PowerShell not to interpret any characters as escape sequences. -For more information, see [about_Quoting_Rules](../Microsoft.Powershell.Core/About/about_Quoting_Rules.md). +For more information, see +[about_Quoting_Rules](../Microsoft.Powershell.Core/About/about_Quoting_Rules.md). + +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ```yaml Type: System.String[] @@ -165,8 +171,12 @@ Accept wildcard characters: False ### -Path -Specifies the path to the selected item. -Wildcard characters are permitted. +Specifies the path to the selected item. Wildcard characters are permitted. + +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ```yaml Type: System.String[] @@ -218,7 +228,7 @@ Accept wildcard characters: False This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see -[about_CommonParameters](../Microsoft.PowerShell.Core/About/about_CommonParameters.md). +[about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216). ## INPUTS diff --git a/reference/7.6/Microsoft.PowerShell.Management/Start-Process.md b/reference/7.6/Microsoft.PowerShell.Management/Start-Process.md index eaeb772357b0..b53bb8a889a6 100644 --- a/reference/7.6/Microsoft.PowerShell.Management/Start-Process.md +++ b/reference/7.6/Microsoft.PowerShell.Management/Start-Process.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 11/01/2023 +ms.date: 03/11/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/start-process?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 aliases: @@ -274,9 +274,14 @@ Specifies the optional path and filename of the program that runs in the process an executable file or of a document, such as a `.txt` or `.doc` file, that's associated with a program on the computer. This parameter is required. -If you specify only a filename that does not correspond to a system command, use the +If you specify only a filename that doesn't correspond to a system command, use the **WorkingDirectory** parameter to specify the path. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: (All) @@ -502,12 +507,17 @@ Accept wildcard characters: False Specifies the location that the new process should start in. When not specified, the cmdlet defaults to the fully-qualified location specified in the -**FilePath** parameter. If the value of the **FilePath** parameter is not fully-qualified, it +**FilePath** parameter. If the value of the **FilePath** parameter isn't fully-qualified, it defaults to the current working directory of the calling process. Wildcards aren't supported. The path must not contain characters that would be interpreted as wildcards. +> [!IMPORTANT] +> Using this parameter with untrusted data is a security risk. Only use trusted data with this +> parameter. For more information, see +> [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). + ```yaml Type: System.String Parameter Sets: (All)