
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1347

Hiding password in batch....

Hi, I'm making a .bat file to help people start programs with administrator rights!
My problem is that for this program to work I have to write the administrator password to the file. And this creates a huge security risk... anyone can open it and get the password. I've made it into .com and .exe but the password still shows. Someone said I could hardcode the password into the .vbs file that makes it all possible, but I don't know how to...
I've searched the net for 3 days now... nothing! Please help! Thanks!!!
Here is the batch side of the program:
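@echo off

:start
ECHO --------------------
ECHO 1 - notepad
ECHO 2 - cmd
ECHO 3 - explorer
ECHO 4 - info
ECHO 5 - exit
ECHO --------------------
REM Read the menu choice (the selection logic was missing from the posted file)
set choice=
set /p choice=1, 2, 3, 4 eller 5? 
if "%choice%"=="1" goto notepad
if "%choice%"=="2" goto cmd
if "%choice%"=="3" goto explorer
if "%choice%"=="5" goto end
REM Option 4 (info) was not included in the post; it and any other input redisplay the menu
goto start

:notepad
cscript c:\RunAs\vbrunas.vbs administrator qweasdzxcget96e notepad
goto start
:cmd
cscript c:\RunAs\vbrunas.vbs administrator qweasdzxcget96e cmd
goto start
:explorer
cscript c:\RunAs\vbrunas.vbs administrator qweasdzxcget96e explorer
goto start
:end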

Here is the .vbs script

On Error Resume Next
Dim WshShell, WshEnv, oArgs, FSO
Dim WinPath, sUser, sPass, sCmd, rc

Set oArgs = WScript.Arguments

' Show the help text when "?" is passed as the first argument
If InStr(oArgs(0), "?") <> 0 Then
    WScript.Echo vbCrLf & "Du måste strata X med X.bat, annars funkar det inte!!! Om problem:" & vbCrLf
    Call Usage
    WScript.Quit
End If

' Three arguments are expected: user name, password, command
If oArgs.Count < 3 Then
    WScript.Echo vbCrLf & "! Usage Error !" & vbCrLf
    Call Usage
    WScript.Quit
End If

sUser = oArgs(0)
sPass = oArgs(1) & vbCrLf ' the password arrives in plain text on the command line; vbCrLf presses Enter
sCmd = oArgs(2)

Set WshShell = CreateObject("WScript.Shell")
Set WshEnv = WshShell.Environment("Process")
WinPath = WshEnv("SystemRoot") & "\System32\runas.exe"
Set FSO = CreateObject("Scripting.FileSystemObject")

' Stop if runas.exe cannot be found
If FSO.FileExists(WinPath) Then
    'wscript.echo winpath & " " & "verified"
Else
    WScript.Echo "!! ERROR !!" & vbCrLf & "kan inte hitta eller verifiera " & WinPath & "." & vbCrLf & "detta funkar endast i 2000 och kanske i XP"
    Set WshShell = Nothing
    Set WshEnv = Nothing
    Set oArgs = Nothing
    Set FSO = Nothing
    WScript.Quit
End If

rc = WshShell.Run("runas /user:" & sUser & " " & Chr(34) & sCmd & Chr(34), 2, False)
WScript.Sleep 30 'need to give time for window to open.
WshShell.AppActivate(WinPath) 'make sure we grab the right window to send password to
WshShell.SendKeys sPass 'send the password to the waiting window.

Set WshShell = Nothing
Set oArgs = Nothing
Set WshEnv = Nothing
Set FSO = Nothing


'* Usage Subroutine *
Sub Usage()
    On Error Resume Next
    msg = "Kontakta Niklas Liljestrand, om du vill ha hjälp!"

    WScript.Echo msg
End Sub
1 Solution
There must be something specific about the software that needs admin rights ... a folder or a file...
most likely not full system access...
would it not be easier to find this and set the permission specific to allow the software to run for the user or users group that needs it?

Have solved a few problems with software this way and does not cross security as long as you don't get crazy with the rights.....
create a group.. give it the specific rights for the software needed
add the users that need it....

How many different software packages do you need to run?
if there is a reason... that this won't work.. I know of a solution that will work for the casual user although a person that really wants to dig may be able to get past it...
I will check back.. if you need it, I will post it....  but recommend the above method
DisLikeMeAuthor Commented:
The problem is that all users have unique usernames and passwords and belong to a group with low rights, they all have their own user folders on the server... and to access some files they have to log out and in with the other account that is for all users locally on the machines. This program would make it possible for the users to stay in their own account and still have admin rights to some programs...  We are using win2000 server so making some files execute only without read rights is not possible... Please help! Thanks!
how about assigning execute and read rights to the needed files?  not to the folders  
we have some software that our standard users can not run.. but by tweaking rights via policies they can run them as a power or admin user

let them have read and execute without write privilege..

back to what you were looking at.. instead of VB script .. how about a full compile to an exe?
the password would not be visible.

other languages, even going back to Qbasic with the ability to compile to stand alone EXE have a shell command that would let you do exactly what you are wanting...
would look like a BAT file running and would have the security.  I use it in a couple of un-attended applications ... it is quick and easy to write in.  I normally don't use it when interaction is required because of the DOS interface.. but would be better than a batch file more configurable and secure against most casual users.... (would have to open EXE) to get password....
if you need some lines of code.. let me know and what you want to use VB or QB or ?  
for maintenance I would use something simple and quick that you have or could get cheap
DisLikeMeAuthor Commented:
Converted the .bat file to .exe and to .com but the password is still in clear text... so what I'm looking for is some way to hide the text in the .bat, .com or .exe file, or scripting the password into the .vbs file... in a way which would take much effort to crack! Thanks!
Do the machines have .NET framework installed?

It would be really easy to write a VB.NET console mode application that would do that.

No need for licenses or anything. If you have the .NET framework installed, you can compile it yourself, so when the password changes, all you do is change the source code, compile it, and copy the updated one to the machines.

I am talking about a 10 lines of code program.
Matter of fact, I could post the code here if you have .net framework on the machines or was willing to install it.
are you saying in clear text while the software is running?  or by browsing somewhere ?  not sure how it could be clear text if embedded in EXE..

if you are speaking of while it is running.. that is just a matter of masking the output......
May I clarify this?
"Converted the .bat file to .exe and to .com but the password is still in clear text..."

Where in particular? in the batch pop-up? In the script?
But I assumed that what I'm thinking is not the real problem, but in some cases, you can just right-click the particular batch file if it's on the user's desktop as a shortcut. And in the properties menu, point to programs tab and just put a check in the "Close on exit" check box.

You can either make a very simple application which calls the batch file you have created. You can even rename your batch file to .sys or .dat and rename it again to .bat when your application runs. With this you can hide the batch file itself somewhere which only the application can locate the exact location.

It's really risky to create a plain batch file which is by default being accessed by the users on their desktops.
Unlike you have created an application which you can deploy together with the batch file. This application will also serve as the default shortcut on users' desktop which actually hides the call for your .bat file.

I can provide you with some code for this if you wish.
Hope I could help.

PhoenixRic ;-)
Another approach..... I had not thought of, even though I use it every day...
In a stand alone  .exe.. not a script.
this can be done with almost any language.. qb7 or VB6 would do just fine have used both to do it
Set up the code so that when an option from the menu is selected
it will create a batch file to do what you want
shell to the batch file  
          turn off the echo
          pipe all output to >nul
when they close the program the batch ran control will return to the exe
If using VB when you shell the exe will continue to run.. put a wait step long enough for the software to launch  this may need to be a matter of testing for the slowest connection or machine to make sure they all have time to launch the software.
and then delete the batch file.
the exe will return to the menu.
even though the password is visible for a short time in the batch file, if they know where it is
I don't think that in the XX second wait they would be able to open and find the info...
granted a determined hack might.. but not a normal user.  to help slow down anyone for the xx wait
have the batch file created in an obscure location
     if they know where it is they can unhide it.. but that is why the obscure... could be way down in program files under one of Microsoft's folders
I have a computer that runs unattended this way with passwords to servers... when the computer is not running the software.. all the information is encoded into the exe... to the point that to change it.. I have to go to source and change it and re-compile

In qb7 the batch file will exist as long as the program is running... so may want to change attributes to  hidden while it is running
Yes, it's a wise approach, as I first mentioned... Anyway, I don't think you have any more questions on your previous post. Is that idea what you're working on right now? Still need some help specifically in programmatically hiding file attributes?

By the way, have you tried converting your VBScript to a VB standard exe? Or QBasic?
Did you try to use policy software such as tweakui or poledit?

We have lots of options. You can even load users' rights and privileges for the needed application the first time they log in to the network. You can have a snapshot of their user name and password, then save it to a .ini file to be read by your application, let's say in VB, which then loads the necessary user privileges.

You're good enough in coding, as I analyzed the code, but I think you really want to stick with the same approach (which is not applicable for this situation). You must think of another way appropriate for a multi-user environment like the one you're working in, not risking confidential user identifications.

PhoenixRic ;-)
DisLikeMeAuthor Commented:
The clear text which I'm speaking of is if you open the file in ex. notepad!
I thought you had abandoned the question.

I'll see if I can post the C# .Net version here.

Please confirm you do have the .Net framework installed on the machine or are willing to install it. (Considering sooner rather than later you will have to do it in order to run the newest applications)
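
Added example, not part of the thread and not any poster's code: a Python check an administrator can run over their own deployed launchers to see why converting the batch file to .exe or .com leaves the password readable. It goes slightly beyond the thread by also scanning UTF-16LE text, which is how VB6 and .NET executables store string literals; the sample bytes, the marker list and the `EXAMPLE-PASSWORD` value are constructed for the example.

```python
import re

# Markers of a launcher command line ("runas" also matches the vbrunas.vbs
# helper named in the question). The marker list is this example's assumption.
INDICATORS = (b"runas", b"/user:", b"password")

def printable_strings(data, min_len=6):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def find_embedded_credentials(data):
    """Return sorted (offset, encoding, text) hits that look like a stored logon."""
    hits = []
    for offset, encoding, text in printable_strings(data):
        lowered = text.lower().encode("ascii")
        if any(marker in lowered for marker in INDICATORS):
            hits.append((offset, encoding, text))
    return sorted(hits)

# Constructed sample: bytes shaped like a batch-to-EXE wrapper, not a real binary.
# EXAMPLE-PASSWORD is a placeholder, not a value from the thread.
CMD = r"cscript c:\RunAs\vbrunas.vbs administrator EXAMPLE-PASSWORD notepad"
SAMPLE = (b"MZ\x90\x00" + bytes(60) + CMD.encode("ascii") + bytes(8)
          + b"\xff\xfe\x01" + CMD.encode("utf-16le") + bytes(4))

if __name__ == "__main__":
    for offset, encoding, text in find_embedded_credentials(SAMPLE):
        print(f"0x{offset:04x} {encoding:9} {text}")
```

Both copies of the command line are recovered, including the UTF-16LE one that looks like spaced-out characters in Notepad.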