joukiejouk
 asked on

Unable to encrypt a .bat file.

I have a bat file that I want to encrypt because it has my domain username and password hard coded into it. I tried to encrypt it but I keep getting the following error.

2015-07-06-9-41-37.png
What other methods can I try to keep this script protected and encrypted and to prevent other admins or hackers from viewing my credentials in the bat file?
Windows Batch, Encryption, Windows Server 2008

Last Comment
Steve Knight

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Steve Knight

joukiejouk

ASKER
If I use the method you indicated, how would I modify my script/bat file if I want to remove my domain credentials? Here is a screenshot of how my script is currently set.

2015-07-06-10-40-30.png
McKnife

Hi.

Don't get me wrong, this is meant to be helpful, but the method you are looking at is plain wrong.
"Other admins or hackers" cannot be used in the same sentence. Other admins already have full control over your computer, they can do whatever they like to get hold of every file or keystroke you produce any time they like. It is not possible to lock those out unless you take their administrative rights.
Prying eyes or hackers however should not even be allowed to log on to your PC and even if they have a logon account - unless it is an administrative account, they cannot interfere with your account at all, there's simply no need to encrypt your files.
Then again, if we take it to the max, you would need to encrypt your whole machine, not only one file. Everything else but whole disk encryption is a security misconception if we look at it carefully. That is, because anyone that has physical access to your (non-encrypted) hard drive could modify your user profile, inject keyloggers and have viruses harvest all your goods.

So please think twice: what is your goal, what are you afraid of? Why would a single-file-encryption of any kind be of any help?
Steve Knight

Another thing... if you are concerned enough to need a file password inaccessible then surely you should require it changed periodically.

Also if you are going to protect running the batch wanting a password say then you might as well have it prompt for the real admin password.

Just to get a feel for what is needed, who needs to run this, is it unattended, e.g. scheduled or a handy icon for someone else to click on their desktop, or for your use with a non-admin account for instance.

Will answer your other q's about script when not getting kids to bed!

Steve
joukiejouk

ASKER
Basically I have this script set up to work with a scheduled task to reboot machines daily. The script currently uses my domain admin account to run, and the scheduled task is set to use my domain admin account as well. I want to use a service account instead to initiate this scheduled task. In order to get this service account created, I must get this request approved by my IT Security Dept. They are asking me the following:

"How do we protect the script? Will it be encrypted? Where will it be located, and how do we plan to restrict access to that location?"

I guess my security department is just doing its job by asking all these questions. I am just trying to justify using a service account rather than my domain account to have the scheduled task run daily. In viewing my script, what edits do I have to make to have the script run properly without having my credentials in there? The service account (when approved) will be used to initiate the script at a scheduled time.
McKnife

Scheduling a shutdown needs no password. Deploy a task that uses the system account instead.
joukiejouk

ASKER
This is for remote machines. I have this script set on a service that reboots 500 machines. The script you see above is just a sample that I attached.
joukiejouk

ASKER
Correction: This is for remote machines. I have this script set on a server that reboots 500 machines once a day. The script you see above is just a sample that I attached.
Steve Knight

In which case you need a domain or local account that you run the script / shutdown command task as the user it runs at IMO.

Options I would suggest are:

1. Run the script on one machine and restart the others remotely.
2. Schedule it to run on each machine

For #1 or #2, if you run the script with suitable credentials applied to the scheduled task, then you can use the built-in shutdown command, no need for psshutdown:

shutdown /m \\otherpc /r /c "Scheduled restart"

That would reboot with a 30 second delay by default, shutdown -? shows you the other options.

You could soon get a bit fancier and add logging, PING the machine before to check it is up, wait until it PINGs again afterwards etc. All depends what you need to do.

Steve
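The approach in the post above (a single scheduled task, `shutdown /m`, a ping check first, and logging), as an added example that is not part of the original thread. It contains no username or password because it runs as whatever account the scheduled task is configured with; the file names `hosts.txt` and `reboot.log`, their location next to the script, and the `:reboot` label are assumptions made for illustration.

```batch
@echo off
rem Added example, not code from the thread.
rem Credentials live on the scheduled task ("Run as"), never in this file.
rem Assumed layout: hosts.txt (one computer name per line, # for comments)
rem and reboot.log sit in the same folder as this script.
setlocal
set "HOSTS=%~dp0hosts.txt"
set "LOG=%~dp0reboot.log"

if not exist "%HOSTS%" (
    >>"%LOG%" echo %DATE% %TIME% ERROR host list not found
    exit /b 2
)

set /a FAILED=0
for /f "usebackq eol=# tokens=1" %%H in ("%HOSTS%") do call :reboot %%H
>>"%LOG%" echo %DATE% %TIME% DONE failures=%FAILED%
if %FAILED% gtr 0 exit /b 1
exit /b 0

:reboot
rem ping can return 0 for "Destination host unreachable", so look for a real
rem echo reply (TTL=) instead of trusting the exit code alone.
ping -n 2 -w 1000 %1 | find "TTL=" >nul
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% SKIP %1 no ping reply
    set /a FAILED+=1
    goto :eof
)
rem Same command as in the post, with the 30 second delay made explicit.
shutdown /m \\%1 /r /t 30 /c "Scheduled restart"
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% FAIL %1 shutdown returned an error
    set /a FAILED+=1
    goto :eof
)
>>"%LOG%" echo %DATE% %TIME% OK %1 restart requested
goto :eof
```

The non-zero exit code on any failure shows up as the task's last run result, so a missed reboot is visible without opening the log.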
Steve Knight

I crossed with your posts there, in which case I assume you have some sort of text file of all the machines to reboot etc.

Have you considered configuring individual scheduled tasks on the machines instead, pushed down through GPO etc.?

Steve
Qlemo

I agree that it should work with the single scheduled task, running as domain admin, not containing credentials and using shutdown. If you want to do that with a single script, this is the way to go.
However, I also agree that it is usually better to set up reboot tasks on each server. It allows for better control over the exact time to reboot.
Steve Knight

Can you advise please whether this solved your problem and why you have given a poor "C" grade with no feedback?

Thanks

Steve
Steve Knight

Thank you.

Steve