Run a bat file as Domain Admin using PsExec.exe? but encrypt/hide password
Below is how I would run the command normally, but I don't want to display the password in written text. Is there a way of hiding it?
Thanks for your help.
PsExec.exe /accepteula -u DOMAIN\UserName -p PASSWORD \\SERVER\Script.bat
Thanks for your help.
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
What exactly is it you're trying to do? if you want to install something that requires administrative permissions, you can use a GPO with a computer startup(! -- not a logon) script.
Then there are tons of batch to exe converters; just google for "bat to exe compiler" (minus the quotes); I can't recommend one in particular, sorry. For a simple script like this, they might work, but in general, I don't trust them.
Then there's AutoIt, an easy to learn script language that can create stand-alone exe files, as console application or GUI, and in 32bit or 64bit: https://www.autoitscript.com/site/autoit/downloads/
If the users running the script aren't tech savvy, you can "hide" the password in an alternate data stream. The script must be stored on NTFS (so if copied to a FAT32 volume, the ADS will be lost).
You can add the password to the script by calling it with Whatever.cmd /ads "TopSecret".
Whatever.cmd /ads will tell you whether the script contains the password.
Any other call will extract the password from the script and currently echo out the psexec command.
Then there are tons of batch to exe converters; just google for "bat to exe compiler" (minus the quotes); I can't recommend one in particular, sorry. For a simple script like this, they might work, but in general, I don't trust them.
Then there's AutoIt, an easy to learn script language that can create stand-alone exe files, as console application or GUI, and in 32bit or 64bit: https://www.autoitscript.com/site/autoit/downloads/
If the users running the script aren't tech savvy, you can "hide" the password in an alternate data stream. The script must be stored on NTFS (so if copied to a FAT32 volume, the ADS will be lost).
You can add the password to the script by calling it with Whatever.cmd /ads "TopSecret".
Whatever.cmd /ads will tell you whether the script contains the password.
Any other call will extract the password from the script and currently echo out the psexec command.
@echo off
setlocal
set ADS=
(for /f "usebackq delims=" %%a in ("%~f0:ADS") do set ADS=%%a) 2>NUL
if /i "%~1"=="/ads" (
if "%~2"=="" (
if defined ADS (
echo ADS valid.
exit /b 0
) else (
echo No ADS found.
exit /b 1
)
) else (
>"%~f0:ADS" echo "%~2"
exit /b 0
)
)
if not defined ADS exit /b 1
ECHO PsExec.exe -accepteula -u DOMAIN\UserName -p %ADS% \\SERVER\Script.bat
Hi oBdA
Where do you define the password in the script?
It would be perfect if I can get that working.
Thank you
Where do you define the password in the script?
It would be perfect if I can get that working.
Thank you
You don't define in the script itself, that's the point, after all.
Just save the script as it is as Whatever.cmd.
Then run (from an open command prompt in the script's folder):
Whatever.cmd /ads "TopSecret"
This will add an Alternate Data Stream called "ADS" with the password to the script file; enclose the password in double quotes.
Note that depending on the program you use to edit the script after the ADS has been added, saving the file may or may not remove the ADS from the file. Windows Notepad for example keeps the ADS when saving, Notepad++ removes it. You can just call the script with "/ads" to verify that the ADS is still present:
Whatever.cmd /ads
which should return "ADS valid."
If it doesn't, you can just add it again.
Now run
Whatever.cmd
and you should see the psexec command line generated:
PsExec.exe -accepteula -u DOMAIN\UserName -p "TopSecret" \\SERVER\Script.bat
Just save the script as it is as Whatever.cmd.
Then run (from an open command prompt in the script's folder):
Whatever.cmd /ads "TopSecret"
This will add an Alternate Data Stream called "ADS" with the password to the script file; enclose the password in double quotes.
Note that depending on the program you use to edit the script after the ADS has been added, saving the file may or may not remove the ADS from the file. Windows Notepad for example keeps the ADS when saving, Notepad++ removes it. You can just call the script with "/ads" to verify that the ADS is still present:
Whatever.cmd /ads
which should return "ADS valid."
If it doesn't, you can just add it again.
Now run
Whatever.cmd
and you should see the psexec command line generated:
PsExec.exe -accepteula -u DOMAIN\UserName -p "TopSecret" \\SERVER\Script.bat
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Batch
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Excel 2007 Inter… 218 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
http://www.joeware.net/freetools/tools/cpau/index.htm
Another is Bat2Exe.
A much better solution is Powerbroker by beyondtrust. But it isn't free.
Although I assume NOT using the -P password option is not what you want.