Unable to encrypt a .bat file.

I have a bat file that I want to encrypt because it has my domain username and password hard coded into it. I tried to encrypt it but I keep getting the following error.

What other methods can I try to keep this script protected and encrypted and to prevent other admins or hackers from viewing my credentials in the bat file?

Steve Knight (IT Consultancy) commented:
You could create a scheduled task and then trigger that to run, is that an option - then the credentials that you choose to run the task as are stored by Windows.  You can run an existing task from a shortcut or batch file using schtasks /run for instance.

Also if you want to hide the password from casual prying eyes you can use a technique like this one:



joukiejouk (Author) commented:
If I use the method you indicated, how would I modify my script/bat file if I want to remove my domain credentials? Here is a screenshot of how my script is currently set.


Don't get me wrong, this is meant to be helpful, but the method you are looking at is plain wrong.
"other admins or hackers" cannot be used in the same sentence. Other admins already have full control over your computer, they can do whatever they like to get hold of every file or keystroke you produce any time they like. It is not possible to lock those out unless you take their administrative rights.
Prying eyes or hackers however should not even be allowed to logon to your pc and even if they have a logon account - unless it is an administrative account, they cannot interfere with your account at all, there's simply no need to encrypt your files.
Then again, if we take it to the max, you would need to encrypt your whole machine, not only one file. Everything else but whole disk encryption is a security misconception if we look at it carefully. That is, because anyone that has physical access to your (non-encrypted) hard drive could modify your user profile, inject keyloggers and have viruses harvest all your goods.

So please think twice: what is your goal, what are you afraid of? Why would a single-file-encryption of any kind be of any help?

Steve Knight (IT Consultancy) commented:
Another thing... if you are concerned enough to need a file password inaccessible then surely you should require it changed periodically.

Also if you are going to protect running the batch wanting a password say then you might as well have it prompt for the real admin password.

Just to get a feel for what is needed, who needs to run this, is it unattended, e.g. scheduled or a handy icon for someone else to click on their desktop, or for your use with a non-admin account for instance.

Will answer your other q's about script when not getting kids to bed!

joukiejouk (Author) commented:
Basically I have this script set up to work with a scheduled task to reboot machines daily. The script currently uses my domain admin account to run, and the scheduled task is set to use my domain admin account as well. I want to use a service account instead to initiate this scheduled task. In order to get this service account created, I must get this request approved by my IT Security Dept. They are asking me the following:

"How do we protect the script? Will it be encrypted? Where will it be located, and how do we plan to restrict access to that location?"

I guess my security department are just doing their job by asking all these questions. I am just trying to justify using a service account rather than my domain account to have the scheduled task run daily. In viewing my script, what edits do I have to make to have the script run properly without having my credentials in there? The service account (when approved) will be used to initiate the script at a scheduled time.
Scheduling a shutdown needs no password. Deploy a task that uses the system account instead.
joukiejouk (Author) commented:
This is for remote machines. I have this script set on a service that reboots 500 machines. The script you see above is just a sample that I attached.
joukiejouk (Author) commented:
Correction: This is for remote machines. I have this script set on a server that reboots 500 machines once a day. The script you see above is just a sample that I attached.
Steve Knight (IT Consultancy) commented:
In which case you need a domain or local account that you run the script / shutdown command task as the user it runs at IMO.

Options I would suggest are:

1. Run the script on one machine and restart the others remotely.
2. Schedule it to run on each machine

For #1 or #2 if you run the script with suitable credentials applied to the scheduled task then, and you can use shutdown built in command, no need for psshutdown:

shutdown /m \\otherpc /r /c "Scheduled restart"

That would reboot with a 30 second delay by default, shutdown -? shows you the other options.

You could soon get a bit fancier and add logging, PING the machine before to check it is up, wait until it PING's again afterwards etc.  All depends what you need to do.
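
The approach described in the answer above (one machine restarting the others with the built-in shutdown command, a ping check first, and logging), as an added example that is not part of the original thread. The file holds no credentials because the scheduled task supplies the identity; the paths, task name and the DOMAIN\svc-reboot account are placeholders.

```batch
@echo off
rem Added example (not from the thread): restart listed machines, no credentials here.
rem The scheduled task supplies the identity. Register it once from an elevated
rem prompt; with /rp omitted, schtasks prompts for the password and hides the input:
rem   schtasks /create /tn "Daily reboot" /tr "C:\Scripts\Reboot\reboot.bat" /sc daily /st 03:00 /ru DOMAIN\svc-reboot
rem Assumed layout (placeholders): machines.txt has one computer name per line,
rem lines starting with # are ignored; the log lives in a separate folder.
setlocal EnableDelayedExpansion

set "LIST=C:\Scripts\Reboot\machines.txt"
set "LOG=C:\Logs\Reboot\reboot.log"

if not exist "%LIST%" (
    echo %DATE% %TIME% ERROR machine list not found>>"%LOG%"
    exit /b 2
)

set /a FAILED=0
for /f "usebackq eol=# tokens=1" %%M in ("%LIST%") do (
    rem ping can return 0 on "Destination host unreachable", so look for a real
    rem echo reply instead; -4 forces IPv4 because IPv6 replies print no TTL.
    ping -4 -n 1 -w 2000 %%M | find "TTL=" >nul
    if errorlevel 1 (
        echo !DATE! !TIME! SKIP %%M unreachable>>"%LOG%"
        set /a FAILED+=1
    ) else (
        shutdown /m \\%%M /r /c "Scheduled restart" >nul 2>&1
        if errorlevel 1 (
            echo !DATE! !TIME! FAIL %%M shutdown returned an error>>"%LOG%"
            set /a FAILED+=1
        ) else (
            echo !DATE! !TIME! OK %%M restart requested>>"%LOG%"
        )
    )
)

rem A non-zero exit code shows up as the task's Last Run Result.
if %FAILED% gtr 0 exit /b 1
exit /b 0
```

Anyone who can edit this file or the machine list can run commands as the task's account, so the script folder should be writable by administrators only and readable by the service account. Keeping the log in a separate folder lets the service account write results without needing write access to the script.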

Steve Knight (IT Consultancy) commented:
I crossed with your posts there, in which case I assume you have some sort of text file of all the machines to reboot etc.

Have you considered configuring individual scheduled tasks on the machines instead, pushed down through GPO etc.

Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
I agree on that it should work with the single scheduled task, running as domain admin, not containing credentials and using shutdown. If you want to do that with a single script, this is the way to go.
However, I also agree that it is usually better to set up reboot tasks on each server. It allows for better control over the exact time to reboot.
Steve Knight (IT Consultancy) commented:
Can you advise please whether this solved your problem and why you have given a poor "C" grade with no feedback?

