One Day Sec

Can PowerShell be used to call IFileOperation for UAC bypass? How?

Yes. PowerShell can call IFileOperation directly because powershell.exe is itself a trusted, signed Windows binary, and the IFileOperation COM object auto-elevates when it is instantiated from such a process. An attacker first compiles a small COM wrapper around IFileOperation in C#, then loads that assembly in PowerShell, either from disk with Assembly.LoadFile or in memory. Because the calling process is trusted, no UAC prompt appears, and the wrapper can copy files into privileged directories such as System32. The technique rests on the same principle as bypassing AppLocker through a trusted scripting host, as discussed in "Testing and Analysis of Bypassing AppLocker Using LUA Scripts".
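As an added defender-side example (not code from the original post), the PowerShell below checks whether a host's UAC level still permits the auto-elevation this answer relies on, and scans PowerShell script block logs for the assembly-loading pattern the answer describes. It assumes script block logging (Event ID 4104) is enabled; the indicator strings and the lookback window are this example's own choices.

```powershell
# Added example, not from the original post. Reports whether UAC auto-elevation
# is still active (the "Always notify" level is the only one that disables it)
# and looks for script blocks that load an assembly and reference IFileOperation.

function Get-UacAutoElevationExposure {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    # EnableLUA=1 means UAC is on. ConsentPromptBehaviorAdmin=2 together with
    # PromptOnSecureDesktop=1 is "Always notify"; at that level trusted binaries
    # no longer auto-elevate, so the IFileOperation path prompts like anything else.
    [pscustomobject]@{
        UacEnabled        = ($p.EnableLUA -eq 1)
        AlwaysNotify      = ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1)
        AutoElevateActive = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -ne 2)
    }
}

function Find-IFileOperationLoadEvents {
    param([int]$LookbackHours = 24)   # lookback window is an assumption of this example
    # Indicator strings chosen for this example: the interface name, reflective
    # assembly loading, and the Windows SDK CLSID_FileOperation value.
    $indicators = @(
        'IFileOperation',
        'Assembly]::Load',
        'LoadFile(',
        '3ad05575-8857-4850-9277-11b85bdb8e09'
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            # Properties[2] of a 4104 event is ScriptBlockText
            $text = $_.Properties[2].Value
            ($indicators | Where-Object { $text -like "*$_*" }).Count -gt 0
        } |
        Select-Object TimeCreated,
            @{ n = 'Snippet'; e = { $_.Properties[2].Value.Substring(0, [Math]::Min(200, $_.Properties[2].Value.Length)) } }
}

Get-UacAutoElevationExposure
Find-IFileOperationLoadEvents -LookbackHours 48
```

A hit from the second function is a lead to triage, not proof of a bypass: legitimate tooling also loads assemblies, so review the full script block and the parent process before acting.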
Tags: PowerShell, COM component, Assembly.Load, UAC bypass, file copying
