Unable to encrypt a .bat file.

joukiejouk asked:
I have a bat file that I want to encrypt because it has my domain username and password hard coded into it. I tried to encrypt it but I keep getting the following error.

[screenshot: 2015-07-06-9-41-37.png]
What other methods can I try to keep this script protected and encrypted and to prevent other admins or hackers from viewing my credentials in the bat file?
Commented:
You could create a scheduled task and then trigger that to run, if that is an option; then the credentials that you choose to run the task as are stored by Windows. You can run an existing task from a shortcut or batch file using schtasks /run, for instance.

Also if you want to hide the password from casual prying eyes you can use a technique like this one:

http://scripts.dragon-it.co.uk/links/batch-password1

Steve

Author

Commented:
If I use the method you indicated, how would I modify my script/bat file if I want to remove my domain credentials? Here is a screenshot of how my script is currently set.

[screenshot: 2015-07-06-10-40-30.png]

Commented:
Hi.

Don't get me wrong, this is meant to be helpful, but the method you are looking at is plain wrong.
"Other admins or hackers" cannot be used in the same sentence. Other admins already have full control over your computer; they can do whatever they like to get hold of every file or keystroke you produce, any time they like. It is not possible to lock those out unless you take away their administrative rights.
Prying eyes or hackers, however, should not even be allowed to log on to your PC, and even if they have a logon account, unless it is an administrative account they cannot interfere with your account at all; there's simply no need to encrypt your files.
Then again, if we take it to the max, you would need to encrypt your whole machine, not only one file. Everything but whole-disk encryption is a security misconception if we look at it carefully. That is because anyone who has physical access to your (non-encrypted) hard drive could modify your user profile, inject keyloggers and have viruses harvest all your goods.

So please think twice: what is your goal, what are you afraid of? Why would a single-file-encryption of any kind be of any help?

Commented:
Another thing... if you are concerned enough to need a file password inaccessible then surely you should require it changed periodically.

Also, if you are going to protect running the batch by wanting a password, say, then you might as well have it prompt for the real admin password.

Just to get a feel for what is needed, who needs to run this, is it unattended, e.g. scheduled or a handy icon for someone else to click on their desktop, or for your use with a non-admin account for instance.

Will answer your other q's about script when not getting kids to bed!

Steve

Author

Commented:
Basically I have this script set up to work with a scheduled task to reboot machines daily. The script currently uses my domain admin account to run, and the scheduled task is set to use my domain admin account as well. I want to use a service account instead to initiate this scheduled task. In order to get this service account created, I must get this request approved by my IT Security Dept. They are asking me the following:

"How do we protect the script? Will it be encrypted? Where will it be located, and how do we plan to restrict access to that location?"

I guess my security department is just doing its job by asking all these questions. I am just trying to justify using a service account rather than my domain account to have the scheduled task run daily. In viewing my script, what edits do I have to make to have the script run properly without having my credentials in there? The service account (when approved) will be used to initiate the script at a scheduled time.

Commented:
Scheduling a shutdown needs no password. Deploy a task that uses the system account instead.

Author

Commented:
This is for remote machines. I have this script set on a service that reboots 500 machines. The script you see above is just a sample that I attached.

Author

Commented:
Correction: This is for remote machines. I have this script set on a server that reboots 500 machines once a day. The script you see above is just a sample that I attached.

Commented:
In which case you need a domain or local account that you run the script / shutdown command task as, IMO.

Options I would suggest are:

1. Run the script on one machine and restart the others remotely.
2. Schedule it to run on each machine

For #1 or #2, if you run the script with suitable credentials applied to the scheduled task, then you can use the built-in shutdown command; no need for psshutdown:

shutdown /m \\otherpc /r /c "Scheduled restart"

That would reboot with a 30 second delay by default; shutdown -? shows you the other options.

You could soon get a bit fancier and add logging, PING the machine beforehand to check it is up, wait until it PINGs again afterwards, etc. All depends what you need to do.

Steve
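The setup Steve describes (one scheduled task on the central server, credentials held by Task Scheduler rather than in the script, built-in shutdown against each remote machine, with logging and ping checks), written out as an added example. This is not Steve's code and not the asker's script; the account name CORP\svc-reboot, the C:\Scripts paths, the task name, the 03:00 window and the one-hostname-per-line list file are all assumptions. The script contains no username or password at any point: the password is typed once, interactively, when the task is registered, and Task Scheduler stores it.

```powershell
<#
  Reboot-Fleet.ps1 (added example, not from the thread)
  -Install      : one-time, interactive. Registers the daily task on THIS server to run as the
                  service account. The password is typed once and kept by Task Scheduler; it
                  never appears in this file, in a command line, or in the task's arguments.
  (no switch)   : the task body, launched by Task Scheduler under the service account.
#>
param(
    [switch]$Install,
    [string]$ServiceAccount = 'CORP\svc-reboot',        # assumed account name
    [string]$ListPath  = 'C:\Scripts\reboot-list.txt',  # assumed: one hostname per line, '#' comments
    [string]$LogPath   = 'C:\Scripts\reboot.log',       # assumed log location
    [int]$SettleMinutes = 10                            # how long to wait before checking who came back
)

function Write-Log([string]$Message) {
    ('{0:u} {1}' -f (Get-Date), $Message) | Add-Content -Path $LogPath
}

function Install-RebootTask {
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                  -Argument ('-NoProfile -ExecutionPolicy Bypass -File "{0}"' -f $PSCommandPath)
    $trigger  = New-ScheduledTaskTrigger -Daily -At '03:00'   # assumed maintenance window
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2)

    # Prompted once at registration time; Task Scheduler stores it, this script does not.
    $pw = Read-Host -Prompt "Password for $ServiceAccount"
    Register-ScheduledTask -TaskName 'Nightly-Fleet-Reboot' -Action $action -Trigger $trigger `
        -Settings $settings -User $ServiceAccount -Password $pw -RunLevel Highest | Out-Null
    Remove-Variable pw
}

function Invoke-FleetReboot {
    $targets = Get-Content -Path $ListPath |
               ForEach-Object { $_.Trim() } |
               Where-Object { $_ -and -not $_.StartsWith('#') }

    # Pass 1: check each machine is up, then issue the restart. shutdown.exe authenticates to the
    # remote machine with the token of the account this task runs as; nothing is passed on the command line.
    $issued = @()
    foreach ($pc in $targets) {
        if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
            Write-Log "$pc SKIP - not answering ping before restart"
            continue
        }
        & shutdown.exe /m "\\$pc" /r /f /t 30 /c 'Scheduled restart'
        if ($LASTEXITCODE -ne 0) {
            Write-Log "$pc FAIL - shutdown.exe exit code $LASTEXITCODE (access denied = account lacks remote shutdown right)"
            continue
        }
        Write-Log "$pc restart issued"
        $issued += $pc
    }

    # Pass 2: give the whole fleet time to go down and come back, then report stragglers.
    # Restarting all at once and checking afterwards avoids a 500-machine sequential wait.
    Start-Sleep -Seconds ($SettleMinutes * 60)
    foreach ($pc in $issued) {
        if (Test-Connection -ComputerName $pc -Count 1 -Quiet) { Write-Log "$pc OK - back online" }
        else { Write-Log "$pc WARN - not back after $SettleMinutes minutes" }
    }
}

if ($Install) { Install-RebootTask } else { Invoke-FleetReboot }
```

Two points for the security department's questions. First, shutdown /m only succeeds if the account running the task holds the "Force shutdown from a remote system" user right on each target; that right belongs to Administrators by default, but a least-privilege service account can be granted just that right through Group Policy instead of being made a local administrator everywhere. Second, the script file itself is now the thing to protect: anyone who can edit it runs code as the service account on 500 machines, so the C:\Scripts folder should be writable only by the administrators who maintain it and readable by the service account, and nothing else.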

Commented:
I crossed with your posts there, in which case I assume you have some sort of text file of all the machines to reboot etc.

Have you considered configuring individual scheduled tasks on the machines instead, pushed down through GPO etc.?

Steve
Qlemo ("Batchelor", Developer and EE Topic Advisor)

Commented:
I agree that it should work with the single scheduled task, running as domain admin, not containing credentials and using shutdown. If you want to do that with a single script, this is the way to go.
However, I also agree that it is usually better to set up reboot tasks on each server. It allows for better control over the exact time to reboot.
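The alternative Steve and Qlemo both prefer, a restart task on each machine, as an added example (not code from the thread). Run once per machine, or push the same settings through a Group Policy Preferences "Scheduled Tasks" item. The task runs as SYSTEM, which can restart its own machine, so no account and no password are stored anywhere, which answers the "how is the script protected" question by having nothing to protect. The task name and the 03:00 window are assumptions.

```powershell
# Added example, not the thread's own code. Local restart task running as SYSTEM: no stored credential.
$action    = New-ScheduledTaskAction -Execute 'shutdown.exe' -Argument '/r /f /t 60 /c "Scheduled nightly restart"'
$trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'   # assumed maintenance window
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# StartWhenAvailable: a laptop that was off at 03:00 restarts when it next comes up instead of skipping the day.
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName 'Nightly-Local-Restart' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings | Out-Null

# Check what was registered: RunAs must read SYSTEM, and the action must carry no /m, no user, no password.
Get-ScheduledTask -TaskName 'Nightly-Local-Restart' |
    Select-Object TaskName, State,
        @{ Name = 'RunAs';  Expression = { $_.Principal.UserId } },
        @{ Name = 'Action'; Expression = { $_.Actions[0].Execute + ' ' + $_.Actions[0].Arguments } }
```

The trade-off against the central script is visibility: with 500 independent tasks there is no single log of which machines actually restarted, so pair this with whatever the environment already uses to report last boot time.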

Commented:
Can you advise please whether this solved your problem and why you have given a poor "C" grade with no feedback?

thanks

Steve

Commented:
Thank you.

Steve
