Safe way to use a password in a bat or cmd file?

I have a program I need to run several sessions of at a time so I am looking at scripting it to open and log on to each one. For the exe I have the syntax but don't want to use my password in a unencrypted format.

It would look something like this
appsRUS.exe -b servername1 -u domain\myaccount -p compootersarecool

I need to make the -p part encrypted and not use plain text in a script.
REIUSAAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
This has been asked here before --- See this Question

But if you read through that thread you will see what I'm about to ask -- why are you doing this?  Because it sounds like you have come up with a solution to do something which really should be done a different way.
0
REIUSAAuthor Commented:
Thanks for the link. I am just trying to make it easier to open multiple sessions to different sites and free up about 20 minutes of my morning.

Even if I could figure out a way to do a run as on the script that would carry over to the command that would work.
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
What do you mean multiple sessions to different sites?  Do you mean web sites?  Remote App login?  RDP?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

REIUSAAuthor Commented:
Using a local client .exe connecting to different application servers for each region.

The application is the vsphere client connecting to different vcenter servers across the globe.

What I am trying to do is set up a script that I can click on and it will open the exe and connect to each site individually. I have the syntax that will work with the exe just don't want to put my password in a plain text file.
0
oBdACommented:
There's no safe way in batch, sorry, You can obfuscate it, but everybody who knows a little bit about batch will be able to retrieve the password.
You can use the Powershell script below; it allows you to save the credentials as an "Alternate Data Stream" (ADS) in the file object.
The credentials in the ADS will be encrypted and can only be retrieved on the machine where it was saved, and only from the user who saved it, so it's reasonably safe.
Call the script with the argument -SaveCredential to save the credentials.
Note that some Editors (like Notepad++) remove ADS on saving, others do not (like Notepad), so you might have to re-save the password after script changes, depending on the editor.
The ADS will be copied with the script file itself as long as the target is NTFS, and will be lost otherwise.
[CmdletBinding()]
Param(
	[switch]$SaveCredential
)
$Application = "appsRUS.exe"

$ScriptItem = Get-Item -Path $MyInvocation.MyCommand.Path
$StreamName = 'MetaData'
If ($SaveCredential) {
	$gcArgs = @{'Message' = "Logon information for $($Application)"}
	$gcArgs['UserName'] = Try {([Management.Automation.PSSerializer]::Deserialize((Get-Content -Path $ScriptItem.FullName -Stream $StreamName -ErrorAction SilentlyContinue))).UserName} Catch {''}
	If ($Credential = Get-Credential @gcArgs) {
		Try {
			$LastWriteTimeUtc = $ScriptItem.LastWriteTimeUtc
			Set-Content -Path $ScriptItem.FullName -Value ([Management.Automation.PSSerializer]::Serialize($Credential)) -Stream $StreamName -ErrorAction Stop
			$ScriptItem.LastWriteTimeUtc = $LastWriteTimeUtc
		} Catch {
			Throw "Could not save credentials: $($_.Exception.Message)"
		}
	} Else {
		"No credentials were entered, logon information was not saved!" | Write-Warning
	}
	Exit
} Else {
	If ($StreamData = (Get-Content -Path $ScriptItem.FullName -Stream $StreamName -ErrorAction SilentlyContinue)) {
		Try {
			$Credential = [Management.Automation.PSSerializer]::Deserialize($StreamData)
		} Catch {
			Throw "You are not authorized to use this script."
		}
	} Else {
		Throw "File is corrupted, password information is not available."
	}
}
$Username = $Credential.UserName
$Password = $Credential.GetNetworkCredential().Password

$ServerList = @(
	'servername1'
	'servername2'
)
ForEach ($Server In $ServerList) {
	"Starting $($Application) on $($Server) ..."
	& $Application -b $Server -u $Username -p "`"$($Password)`""
}

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
If you used the VSphere Web Client instead of the .exe then you could easily couple that with something like LastPass which would automatically fill in the credentials for you while keeping them all very secure.

Any reason that wouldn't work for you?
0
sarabandeCommented:
you should consider a solution where you only provide the update information at a share, and let the servers fetch the update theirselves. the only thing you have to do is to establish a mechanism where the servers know that a new update was available.

or, you were using a service at your computer and services at the target computers. all these services could be installed by using a special account at their own computer which cannot be used for interactive login. then do the job you want to do by sending the updates directly between the services. i would use tcp/ip or udp sockets for this.

doing so, no login, no username, no passwords were involved.

note, any script which uses a password in plain text could be interrupted exactly at the statement where the password was transfered. if using obfuscation you can't really stop experts from hacking this. this must not necessarily be an attack. it simply could be the decision of your boss while you were not available. nevertheless if a bundle of server passwords have become into wrong hands and need to be exchanged, it was you who was blamed for when you come back.

Sara
0
Brian PringleSystems Analyst II, SCM, ERPCommented:
Have you considered turning the batch file into an executable?  

http://bat2exe.net/
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VB Script

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.