Strange anti-malware exception in C# code executing a PowerShell script

Question

I have powershell code in my C# application that works great. It executes a script using the code snippet below.

using (PowerShell powerShell = PowerShell.Create())
    {
        powerShell.AddScript(@"D:\C.ps1");

        Collection<PSObject> output = powerShell.Invoke();
    }

Like I said, it works. However, recently I wanted to add a Windows Form to the script. The very first thing I did was add the following line to the top of the script and nothing else. Without doing anything else, I just ran the C# app that executes the previously working script to make sure that loading of the assembly does what it's supposed too.

[void][System.Reflection.Assembly]::Load('System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')

Immediately I get the strange following exception.

System.Exception {System.EntryPointNotFoundException}

Unable to find an entry point named 'AmsiNotifyOperation' in DLL 'amsi.dll'

I've search online for days and found nothing like this. I can't even get started adding my new script code because of this exception for the assembly load line.

Oh, very important, When I run that script with that new line from the Powershell ISE app, the command line, or several other powershell script tools I have. THE PROBLEM DOESN'T HAPPEN.

Anyone got any ideas?

Here is the nuget packages that the code is using, and the stack trace.

Nuget packages:

System.Management.Automation

Microsoft.Powershell.SDK

Stack: Source "System.Management.Automation" at System.Management.Automation.AmsiUtils.AmsiNativeMethods.AmsiNotifyOperation(IntPtr amsiContext, IntPtr buffer, UInt32 length, String contentName, AMSI_RESULT& result) at System.Management.Automation.AmsiUtils.WinReportContent(String name, String content)

TargetSite {Int32 AmsiNotifyOperation(IntPtr, IntPtr, UInt32, System.String, AMSI_RESULT ByRef)}

Answer 1

I'm not sure if the following will solve all your problems - notably with respect to the AMSI (Antimalware Scan Interface) errors - but the following steps worked for me:

• The PowerShell SDK itself does not include the WinForms assemblies as part of its Microsoft.PowerShell.SDK NuGet package (which is the NuGet package for PowerShell (Core) 7+).

  • Note that this is the only package needed to host PowerShell (Core) in a .NET application - do not also include the System.Management.Automation package, whose direct use is recommended against.

  • See also: Choosing the right PowerShell NuGet package for your .NET project

• Therefore, you need to make sure that your .NET application comes with the WinForms assemblies:

  • The simplest approach is to initialize your .NET SDK project as follows (which targets .NET (Core) rather than .NET Framework, just like your own attempt):

    dotnet new winforms
    

    • You can then remove the unneeded Form1.cs and Form1.cs.designer files (which you would only need if you want to interact with WinForms from C#), and replace the startup code in Program.cs

• Then, in your PowerShell script file (.ps1), load the WinForms assemblies as follows, which should use the ones that come bundled with your .NET application:

  # Loads the WinForm assembly/ies, produces no output if successful.
  Add-Type -AssemblyName System.Windows.Forms
  

  • Optionally place statements such as using namespace System.Windows.Forms at the start of your script, to allow you to refer to the Form class as just [Form] rather than as [System.Windows.Forms.Form], for instance.

    • Note: Replacing the Add-Type call with using assembly System.Windows.Forms is called for too, but, regrettably, up to at least PowerShell (Core) 7.3.6 (unlike in Windows PowerShell), attempting to do so is broken - see GitHub issue #11856.

  • A simple test to see if loading succeeded is to execute the following PowerShell statement in your script, after the Add-Type call:

     # Create as sample form and shows it modally.
     [System.Windows.Forms.Form]::new().ShowDialog()
    

• As an aside:

  • Unless you need to execute a piece of PowerShell code, it is better to use the .AddCommand() rather than the .AddScript() SDK method:

     powerShell.AddCommand(@"D:\C.ps1");
    

  • See this answer for an explanation.

Answer 2

@mklement0 Thanks for your detailed answer. It definitely put me on the right path. I'm marking your answer as the solution.

So as you suggested, first I had to find a way to bring in the Forms dll's into the project. The problem is that this is a .Net MAUI application. I couldn't think of a good way to do that. But I thought about it and decided to create a second project that was just a Windows forms class and use it as a dependency for the first project. That pulled in the Forms dll's into the first project. The problem is that this pulls them in for the Android, IOS, Mac OS platfroms too. So I modified the MAUI .csproj file to prevent that. It worked. Then I removed everything from the script file and only added the first line you suggested, so that I could test things out. Then I added the second line. More on that later on in my replay See the code below.

SECOND PROJECT:

public class DependencyClass
{
  public Form DoNothing()
  {
   var form = new System.Windows.Forms.Form();
   return form;
  }
}

MAUI PROJECT FILE MODIFICATION:

<ItemGroup Condition="$(TargetFramework.Contains('-windows')) != false "> 
  <ProjectReference Include="..\WinFormsLibrary\WinFormsLibrary.csproj" />
</ItemGroup>

CHANGE TO MAUI PROJECT PSHELL CODE:

      . (code)
      .
      .
var doNothingClass = new WinFormsLibrary.DependencyClass();
var doNothingForm = p.Test();
      .
      . (code)
      .
      .
powerShell.AddScript(@"D:\test.ps1") // Will change to AddCommand
      .
      .
      . (code)
      .

So, after I added the first line,

Add-Type -AssemblyName System.Windows.Forms

the script ran fine.

After I added the second line,

[System.Windows.Forms.Form]::new().ShowDialog()

if failed with the AMSI Exception

I had a hunch that if I just ignored the exception in a FirstChanceException handler that the code would execute. It worked and the form was displayed!

I'm leaving some related changes and detail out of the conversation to try to keep this short.

If you know a better way to bring in the needed dll's let me know.

I have to add code to the second class project for every dll I need in the Maui project. e.g.
new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter() for the resource file stuff, and etc stuff.

As far the exception is concerned, I have no idea. But it doesn't seem to prevent anything from working.

Cheers K. L. Carter Sr.