What is .LNK?

A file with the .lnk file extension is called an LNK File Shortcut. This type of file works like a link that allows a user to easily open another file location or an executable program (.exe) without needing to specify the full path.

Here, I create a simple example to show how a PowerShell .lnk file works.

Normally, to open PowerShell, you need to enter its full path.

Screen Recording 2026-05-11 160447.mp4

However, entering the full path every time can be time-consuming and inconvenient. This is where an LNK File Shortcut becomes useful.

To demonstrate this, I navigate to the folder C:\Windows\System32\WindowsPowerShell\v1.0, which contains the PowerShell executable file (powershell.exe), and create an .lnk shortcut from this executable binary.

Screen Recording 2026-05-11 161643.mp4

As you can see from the video above, the file powershell.exe - Shortcut has the .lnk file extension, which indicates that it is an LNK File Shortcut.

When I open this “PowerShell Shortcut”, it automatically launches the normal powershell.exe executable from the location C:\Windows\System32\WindowsPowerShell\v1.0.


But how does this shortcut know to run powershell.exe from the location C:\Windows\System32\WindowsPowerShell\v1.0?

To answer this question, I simply right-click on powershell.exe - Shortcut.lnk and open Properties.

Screen Recording 2026-05-11 163647.mp4

The “Target” field is the one that catches my attention.


Here is the full string shown in the “Target” field:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

So, this powershell.exe - Shortcut.lnk runs the binary powershell.exe from the folder C:\Windows\System32\WindowsPowerShell\v1.0.
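The “Target” value is stored inside the .lnk file itself, in the Shell Link binary format, so it can be read without launching the shortcut. The Python parser below is an added example, not part of the original post: it pulls the target path out of the LinkInfo block and goes one step further by also reading the StringData fields, because any command-line arguments are shown appended to the path in the “Target” field. The names parse_lnk and build_sample, the -NoLogo argument and the cp1252 decoding are assumptions made for this example, and the sample bytes are constructed.

```python
import struct

# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
# StringData fields, in the fixed on-disk order, with their LinkFlags bit.
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08),
                 ("working_dir", 0x10), ("arguments", 0x20), ("icon", 0x40))

def parse_lnk(data: bytes) -> dict:
    """Read the target path and StringData of a Shell Link without launching it."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link (.lnk) header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, result = 76, {"target": None}
    if flags & HAS_IDLIST:  # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        size, _hdr, li_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath
            start = pos + base_off
            end = data.index(b"\x00", start, pos + size)
            # Assumption: the ANSI path decodes as cp1252.
            result["target"] = data[start:end].decode("cp1252")
        pos += size
    width = 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:
        if flags & bit:  # CountCharacters, then a string with no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            result[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return result

def build_sample() -> bytes:
    """Constructed minimal link (VolumeID omitted), not a real sample."""
    path = rb"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" + b"\x00"
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID,
                         HAS_LINKINFO | HAS_ARGS | IS_UNICODE).ljust(76, b"\x00")
    # LinkInfo header (0x1C bytes), LocalBasePath, empty CommonPathSuffix.
    info = struct.pack("<7I", 0x1C + len(path) + 1, 0x1C, 0x1, 0, 0x1C, 0,
                       0x1C + len(path)) + path + b"\x00"
    args = "-NoLogo"  # constructed argument
    return header + info + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    print(parse_lnk(build_sample()))
```

To inspect a real shortcut, pass the file's bytes to parse_lnk instead of the constructed sample.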

In this blog, I present my initial analysis of the sample. Let’s jump right into it, hehe!

SHA256