Safe way to use a password in a bat or cmd file?

I have a program I need to run several sessions of at a time so I am looking at scripting it to open and log on to each one. For the exe I have the syntax but don't want to use my password in a unencrypted format.

It would look something like this
appsRUS.exe -b servername1 -u domain\myaccount -p compootersarecool

I need to make the -p part encrypted and not use plain text in a script.
Who is Participating?
oBdAConnect With a Mentor Commented:
There's no safe way in batch, sorry, You can obfuscate it, but everybody who knows a little bit about batch will be able to retrieve the password.
You can use the Powershell script below; it allows you to save the credentials as an "Alternate Data Stream" (ADS) in the file object.
The credentials in the ADS will be encrypted and can only be retrieved on the machine where it was saved, and only from the user who saved it, so it's reasonably safe.
Call the script with the argument -SaveCredential to save the credentials.
Note that some Editors (like Notepad++) remove ADS on saving, others do not (like Notepad), so you might have to re-save the password after script changes, depending on the editor.
The ADS will be copied with the script file itself as long as the target is NTFS, and will be lost otherwise.
$Application = "appsRUS.exe"

$ScriptItem = Get-Item -Path $MyInvocation.MyCommand.Path
$StreamName = 'MetaData'
If ($SaveCredential) {
	$gcArgs = @{'Message' = "Logon information for $($Application)"}
	$gcArgs['UserName'] = Try {([Management.Automation.PSSerializer]::Deserialize((Get-Content -Path $ScriptItem.FullName -Stream $StreamName -ErrorAction SilentlyContinue))).UserName} Catch {''}
	If ($Credential = Get-Credential @gcArgs) {
		Try {
			$LastWriteTimeUtc = $ScriptItem.LastWriteTimeUtc
			Set-Content -Path $ScriptItem.FullName -Value ([Management.Automation.PSSerializer]::Serialize($Credential)) -Stream $StreamName -ErrorAction Stop
			$ScriptItem.LastWriteTimeUtc = $LastWriteTimeUtc
		} Catch {
			Throw "Could not save credentials: $($_.Exception.Message)"
	} Else {
		"No credentials were entered, logon information was not saved!" | Write-Warning
} Else {
	If ($StreamData = (Get-Content -Path $ScriptItem.FullName -Stream $StreamName -ErrorAction SilentlyContinue)) {
		Try {
			$Credential = [Management.Automation.PSSerializer]::Deserialize($StreamData)
		} Catch {
			Throw "You are not authorized to use this script."
	} Else {
		Throw "File is corrupted, password information is not available."
$Username = $Credential.UserName
$Password = $Credential.GetNetworkCredential().Password

$ServerList = @(
ForEach ($Server In $ServerList) {
	"Starting $($Application) on $($Server) ..."
	& $Application -b $Server -u $Username -p "`"$($Password)`""

Open in new window

Jeffrey Kane - TechSoEasyConnect With a Mentor Principal ConsultantCommented:
This has been asked here before --- See this Question

But if you read through that thread you will see what I'm about to ask -- why are you doing this?  Because it sounds like you have come up with a solution to do something which really should be done a different way.
REIUSAAuthor Commented:
Thanks for the link. I am just trying to make it easier to open multiple sessions to different sites and free up about 20 minutes of my morning.

Even if I could figure out a way to do a run as on the script that would carry over to the command that would work.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
What do you mean multiple sessions to different sites?  Do you mean web sites?  Remote App login?  RDP?
REIUSAAuthor Commented:
Using a local client .exe connecting to different application servers for each region.

The application is the vsphere client connecting to different vcenter servers across the globe.

What I am trying to do is set up a script that I can click on and it will open the exe and connect to each site individually. I have the syntax that will work with the exe just don't want to put my password in a plain text file.
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
If you used the VSphere Web Client instead of the .exe then you could easily couple that with something like LastPass which would automatically fill in the credentials for you while keeping them all very secure.

Any reason that wouldn't work for you?
sarabandeConnect With a Mentor Commented:
you should consider a solution where you only provide the update information at a share, and let the servers fetch the update theirselves. the only thing you have to do is to establish a mechanism where the servers know that a new update was available.

or, you were using a service at your computer and services at the target computers. all these services could be installed by using a special account at their own computer which cannot be used for interactive login. then do the job you want to do by sending the updates directly between the services. i would use tcp/ip or udp sockets for this.

doing so, no login, no username, no passwords were involved.

note, any script which uses a password in plain text could be interrupted exactly at the statement where the password was transfered. if using obfuscation you can't really stop experts from hacking this. this must not necessarily be an attack. it simply could be the decision of your boss while you were not available. nevertheless if a bundle of server passwords have become into wrong hands and need to be exchanged, it was you who was blamed for when you come back.

Brian PringleSystems Analyst II, SCM, ERPCommented:
Have you considered turning the batch file into an executable?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.