Solved

powershell with encoded command from windows task scheduler help

Posted on 2014-11-23
Last Modified: 2015-04-16
I need a PowerShell v2.0 script that will upload files to an FTP site.

The behavior is that I need to run this once / hour via Windows Task scheduler on a Windows 2003 system (hence the PowerShell 2.0). Next year I'll probably have to move to a Windows 2012 server and so I'll appreciate a script that also runs on PowerShell v4.0.

I need a script that will take a username and password as command-line parameters and upload files from a directory to an ftp site which requires a username and password that are passed to it on an encoded command line just like this which works from the Windows Task scheduler on Windows 2003.

This is the tricky part. We can't have username and password sitting unencrypted in files or code. It needs to be encrypted.

I've seen examples of encrypting data in files, but I really want the data encrypted on the command line to the script so that I'm not creating and managing multiple files. I've seen the encoded command capability via a site that looks like:

 powershell.exe -EncodedCommand DQAKAA0ACgAJACQAcABhAHIAYQBtAHMAIAA9ACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAJABlAG4AdgA6AFQARQBNAFAAXABwAGEAcgBhAG0AcwAuAHQAeAB0AA0ACgAJACIAUwBlAGUAIAB3AGgAaQBjAGgAIABwAGEAcgBhAG0AZQB0AGUAcgBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAGcAbwB0ADoAIAAkAHAAYQByAGEAbQBzACIADQAKAAkADQAKAA

I want to do something like this, but I can't quite figure it out.

I "don't" want scripts that take a username/password from a file that's encrypted. It has to be from the above syntax/use and that will run from the Windows 2003 Task Schedule.
Question by:klamerus
18 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 40460720
First of all, PS2 scripts always run in PS3 and PS4, so that does not matter. There are some changes in behaviour, implying restrictions in 2.0, and for that the -version 2 parameter can be added to powershell.exe calls to keep that compatible if required (very rare).
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40460722
Can you tell why you do not want to use an encrypted file for the credentials? PSCredentials are stored as Secure String, meaning only that user having created the string can use it.

The EncodedCommand feature is intended for ease of use with special characters. It is not encryption:
   -EncodedCommand   Accepts a base-64 encoded string version of a command, Use this to
                     submit commands to PowerShell that require complex quotation marks
                     or curly braces.

0
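
The point made in the comment above, that -EncodedCommand is Base64 rather than encryption, as an added example that is not part of the original thread: anyone who can read a task's command line can recover the script text. `Get-DecodedCommand` and `Find-EncodedTask` are hypothetical helper names, the sample command line is constructed, and the `schtasks` column names assume an English-locale system.

```powershell
# Added example: -EncodedCommand carries Base64 over UTF-16LE text, so it decodes without any key.
function Get-DecodedCommand {
    param([string] $CommandLine)

    $rx = '(?i)[-/](\w+)\s+["'']?([A-Za-z0-9+/]{8,})'
    foreach ($m in [regex]::Matches($CommandLine, $rx)) {
        # powershell.exe accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...)
        $name = $m.Groups[1].Value.ToLower()
        if ($name -ne 'ec' -and -not ('encodedcommand'.StartsWith($name))) { continue }

        $b64 = $m.Groups[2].Value
        # Drop a dangling character, then restore padding lost in copy/paste
        if ($b64.Length % 4 -eq 1) { $b64 = $b64.Substring(0, $b64.Length - 1) }
        $b64 += '=' * ((4 - $b64.Length % 4) % 4)
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))
    }
    return $null
}

# Audit helper: list scheduled tasks whose command line carries an encoded command.
# Assumption: English column names ("TaskName", "Task To Run") in the schtasks CSV output.
function Find-EncodedTask {
    schtasks.exe /query /fo CSV /v | ConvertFrom-Csv | ForEach-Object {
        $decoded = Get-DecodedCommand $_.'Task To Run'
        if ($decoded) {
            New-Object PSObject -Property @{ TaskName = $_.TaskName; Decoded = $decoded }
        }
    }
}

# Constructed sample: a command line such as a task might store, built here so the example is self-contained
$script  = "C:\Scripts\upload-ftp.ps1 C:\FTP\Site1 ftp://ftp.site1.com/ TheBoss 'IncredibleSecretPassword'"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
$taskCmd = "powershell.exe -NoProfile -EncodedCommand $encoded"

# Round trip: the decoded text is the original script line, credentials included
Get-DecodedCommand $taskCmd
```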
 
LVL 1

Author Comment

by:klamerus
ID: 40460769
aha,

A ray of light on the encoded command.  I did not put 2 and 2 together.  My goal is that we can't have a clear text file that can be read.  It would accomplish that, but you're also saying that this can easily be reverse engineered (decoded) I think.

For us, it's not super sensitive credentials, so this would probably satisfy, but perhaps I should rethink this.

The reason I'd prefer this is that I can have a single script file that would accept 4 parameters:  username, password, directory from which to upload and FTP site to which to upload.  I could then use the same script with different command-line parameters solely through configuration of the Windows Task.  As a bonus I wouldn't have to have additional files laying around with encrypted info in them to keep track of.
0
 
LVL 1

Author Comment

by:klamerus
ID: 40460772
Could you perhaps point to a good example of what you're describing?
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40460774
Generate secure password string:
$secure = Read-Host "Enter Password" -AsSecureString
$encrypted = ConvertFrom-SecureString -SecureString $secure
$encrypted

Implement secure password:
[CmdletBinding()]
Param(
   [Parameter(Mandatory=$True,Position=1)]
   [string]$ftpserver,

   [Parameter(Mandatory=$True)]
   [string]$username,

   [Parameter(Mandatory=$True)]
   [string]$password
)
# $password is the encrypted string produced by ConvertFrom-SecureString above
$secure = ConvertTo-SecureString $password
Start-Process ftp.exe -ArgumentList $ftpserver, $username, $secure

0
 
LVL 1

Author Comment

by:klamerus
ID: 40460782
Can this commandlet be directly called via Windows Task Manager and if so what might that look like?
0
 
LVL 1

Author Comment

by:klamerus
ID: 40460788
We of course know what the password we need to use is (which we keep stored in a system the entire company uses for storing credentials securely).

Is there any way that these can be reverse engineered from seeing them sitting in Task Manager?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40460798
With a file, and using PsCredentials, you would write this:
ConvertTo-SecureString "Password" -AsPlainText -Force |
  ConvertFrom-SecureString | Out-File C:\Passwordfile.txt

for creating the file and
$cred = New-Object Management.Automation.PsCredential("Username",
  (Get-Content C:\Passwordfile.txt | ConvertTo-SecureString))

for using it. The file is not necessary; you can use the output of ConvertFrom-SecureString (as David showed), and paste that into a variable definition or provide it as a string parameter, to use instead of (Get-Content C:\Passwordfile.txt).

I can't recall the code for using Web requests for uploading FTP, but I would not use FTP.EXE for that (as David did). FTP.EXE cannot use secure strings or PsCredentials, and is more difficult to automate.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40460802
A Secure String cannot be decoded by anyone else than the one having created it, on the same machine. While in memory, no one has direct access to the content. So, consider it safe.
0
 
LVL 1

Author Comment

by:klamerus
ID: 40460843
Well, that sounds like a potential issue.  I have many team members and I need for them to set this up.  I can't have the encrypted string tied to a particular individual.  I need for the Task Manager to run the command to do the uploads.  Can a script running on the machine from the Task Manager decrypt the string?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40460882
In that case encoding (not encrypting) the password and optionally the user sounds best. Though - why not trigger a single task that processes a file containing all infos?
0
 
LVL 1

Author Comment

by:klamerus
ID: 40460912
We're going to have a variety of these ftp uploads on various schedules for various systems.  Several teams will support these uploads as well (all on the same server).  So, having a separate Windows task to run each script is ideal.  It also makes it easy to modify schedules, add/remove, etc.

I'm back to the original question then though of I can't find a way or example of doing this.  I'm open for either an encrypted string for just the password for each task or encoding, but I don't have any examples of doing this that I can get to run.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40460924
No matter how you do it, there is no simple way. If  you really need to create individual tasks, a setup batch should be supplied to build the task or the command.
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40463531
The simple upload core script using a Base64-encoded password is (let's call it "C:\Scripts\upload-ftp.ps1"):
param(
  [String] $SourceDir,     <# Source path - folder, filemask:  C:\FTP\Site1          #>
  [String] $FTPLocation,   <# Target path - a FTP URI:         ftp://ftp.site1.com/  #>
  [String] $UserName,      <# Plain text username for FTP                            #>
  [char[]] $Password       <# Base64 encoded password string for FTP                 #>
)

$webclient = New-Object System.Net.WebClient 
$webclient.Credentials = New-Object System.Net.NetworkCredential($UserName, (-join [Char[]] [Convert]::FromBase64String($Password)))  
 
Get-ChildItem $SourceDir | % {
    $webclient.UploadFile((New-Object System.Uri($FTPLocation+$_.Name)), $_.FullName) 
} 

An example call - with plain password - is
C:\Scripts\upload-ftp.ps1 c:\temp\ee\*.png ftp://ftp.site1.com/ TheBoss ([Convert]::ToBase64String([Char[]]'IncredibleSecretPassword'))

Of course you would create your task with the base64 string instead. Is that something you could implement?
0
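
A variant of the upload script above that takes the output of ConvertFrom-SecureString as its password parameter instead of Base64, as an added example that is not the accepted answer's code. It assumes the protected string was created on the same machine while logged on as the account the scheduled task runs as, since that is the only account that can unprotect it; the script name and the `$ProtectedPassword` parameter are hypothetical.

```powershell
# Added example, not the accepted answer's code: same upload loop, but the password
# parameter is a DPAPI-protected string instead of Base64.
# Create the string once, logged on as the account the scheduled task runs as:
#   Read-Host 'FTP password' -AsSecureString | ConvertFrom-SecureString
param(
  [String] $SourceDir,          <# Source path - folder, filemask:  C:\FTP\Site1          #>
  [String] $FTPLocation,        <# Target path - a FTP URI:         ftp://ftp.site1.com/  #>
  [String] $UserName,           <# Plain text username for FTP                            #>
  [String] $ProtectedPassword   <# Output of ConvertFrom-SecureString (hypothetical name) #>
)

try {
    # Without -Key this only succeeds for the same user on the same machine
    $secure = ConvertTo-SecureString -String $ProtectedPassword -ErrorAction Stop
}
catch {
    Write-Error ("Cannot unprotect password as {0} on {1}: {2}" -f `
        $env:USERNAME, $env:COMPUTERNAME, $_.Exception.Message)
    exit 1
}

# PSCredential hands WebClient a NetworkCredential; the clear text exists only in memory
$cred = New-Object System.Management.Automation.PSCredential($UserName, $secure)
$webclient = New-Object System.Net.WebClient
$webclient.Credentials = $cred.GetNetworkCredential()

# Upload files only; skip subdirectories
Get-ChildItem $SourceDir | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $webclient.UploadFile((New-Object System.Uri($FTPLocation + $_.Name)), $_.FullName)
}
```

The task action would then be of the form `powershell.exe -NoProfile -File C:\Scripts\upload-ftp-dpapi.ps1 C:\FTP\Site1 ftp://ftp.site1.com/ TheBoss <protected string>`, with the protected string pasted in place of the placeholder. A string copied to another server or run under a different account fails at the `ConvertTo-SecureString` step rather than yielding the password.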
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40463597
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40470511
I fail to see how PsFTP should help here. It is great for simplifying combined actions, but this question is about simple uploads. If anything, I would consider ftpuse at http://www.ferrobackup.com/ftpuse/,  allowing handling FTP as a network drive.
0
 
LVL 1

Author Closing Comment

by:klamerus
ID: 40725982
One thing is that this is an encoded command-line and not encrypted.   Possible mistake on my part for not being explicit on use of the word encoded vs. encrypted.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40727275
Without implementing an own "encryption" method, you won't be able to fulfill your requirements. Basic encoding is depending on something, mostly on the user or hardware, to prevent from being used by others. Base64 encoding could be combined with something secret, but that would have to be a) reversible and b) visible in PS code or "hidden" in a DLL.
0
