Solved

Safe way to use a password in a bat or cmd file?

Posted on 2016-07-26
8
55 Views
Last Modified: 2016-08-02
I have a program I need to run several sessions of at a time so I am looking at scripting it to open and log on to each one. For the exe I have the syntax but don't want to use my password in a unencrypted format.

It would look something like this
appsRUS.exe -b servername1 -u domain\myaccount -p compootersarecool

I need to make the -p part encrypted and not use plain text in a script.
0
Comment
Question by:REIUSA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 125 total points
ID: 41729674
This has been asked here before --- See this Question

But if you read through that thread you will see what I'm about to ask -- why are you doing this?  Because it sounds like you have come up with a solution to do something which really should be done a different way.
0
 

Author Comment

by:REIUSA
ID: 41729689
Thanks for the link. I am just trying to make it easier to open multiple sessions to different sites and free up about 20 minutes of my morning.

Even if I could figure out a way to do a run as on the script that would carry over to the command that would work.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 41729706
What do you mean multiple sessions to different sites?  Do you mean web sites?  Remote App login?  RDP?
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:REIUSA
ID: 41729733
Using a local client .exe connecting to different application servers for each region.

The application is the vsphere client connecting to different vcenter servers across the globe.

What I am trying to do is set up a script that I can click on and it will open the exe and connect to each site individually. I have the syntax that will work with the exe just don't want to put my password in a plain text file.
0
 
LVL 84

Accepted Solution

by:
oBdA earned 250 total points
ID: 41729743
There's no safe way in batch, sorry, You can obfuscate it, but everybody who knows a little bit about batch will be able to retrieve the password.
You can use the Powershell script below; it allows you to save the credentials as an "Alternate Data Stream" (ADS) in the file object.
The credentials in the ADS will be encrypted and can only be retrieved on the machine where it was saved, and only from the user who saved it, so it's reasonably safe.
Call the script with the argument -SaveCredential to save the credentials.
Note that some Editors (like Notepad++) remove ADS on saving, others do not (like Notepad), so you might have to re-save the password after script changes, depending on the editor.
The ADS will be copied with the script file itself as long as the target is NTFS, and will be lost otherwise.
[CmdletBinding()]
Param(
	[switch]$SaveCredential
)
$Application = "appsRUS.exe"

$ScriptItem = Get-Item -Path $MyInvocation.MyCommand.Path
$StreamName = 'MetaData'
If ($SaveCredential) {
	$gcArgs = @{'Message' = "Logon information for $($Application)"}
	$gcArgs['UserName'] = Try {([Management.Automation.PSSerializer]::Deserialize((Get-Content -Path $ScriptItem.FullName -Stream $StreamName -ErrorAction SilentlyContinue))).UserName} Catch {''}
	If ($Credential = Get-Credential @gcArgs) {
		Try {
			$LastWriteTimeUtc = $ScriptItem.LastWriteTimeUtc
			Set-Content -Path $ScriptItem.FullName -Value ([Management.Automation.PSSerializer]::Serialize($Credential)) -Stream $StreamName -ErrorAction Stop
			$ScriptItem.LastWriteTimeUtc = $LastWriteTimeUtc
		} Catch {
			Throw "Could not save credentials: $($_.Exception.Message)"
		}
	} Else {
		"No credentials were entered, logon information was not saved!" | Write-Warning
	}
	Exit
} Else {
	If ($StreamData = (Get-Content -Path $ScriptItem.FullName -Stream $StreamName -ErrorAction SilentlyContinue)) {
		Try {
			$Credential = [Management.Automation.PSSerializer]::Deserialize($StreamData)
		} Catch {
			Throw "You are not authorized to use this script."
		}
	} Else {
		Throw "File is corrupted, password information is not available."
	}
}
$Username = $Credential.UserName
$Password = $Credential.GetNetworkCredential().Password

$ServerList = @(
	'servername1'
	'servername2'
)
ForEach ($Server In $ServerList) {
	"Starting $($Application) on $($Server) ..."
	& $Application -b $Server -u $Username -p "`"$($Password)`""
}

Open in new window

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 41729766
If you used the VSphere Web Client instead of the .exe then you could easily couple that with something like LastPass which would automatically fill in the credentials for you while keeping them all very secure.

Any reason that wouldn't work for you?
0
 
LVL 34

Assisted Solution

by:sarabande
sarabande earned 125 total points
ID: 41729793
you should consider a solution where you only provide the update information at a share, and let the servers fetch the update theirselves. the only thing you have to do is to establish a mechanism where the servers know that a new update was available.

or, you were using a service at your computer and services at the target computers. all these services could be installed by using a special account at their own computer which cannot be used for interactive login. then do the job you want to do by sending the updates directly between the services. i would use tcp/ip or udp sockets for this.

doing so, no login, no username, no passwords were involved.

note, any script which uses a password in plain text could be interrupted exactly at the statement where the password was transfered. if using obfuscation you can't really stop experts from hacking this. this must not necessarily be an attack. it simply could be the decision of your boss while you were not available. nevertheless if a bundle of server passwords have become into wrong hands and need to be exchanged, it was you who was blamed for when you come back.

Sara
0
 
LVL 16

Expert Comment

by:Brian Pringle
ID: 41729924
Have you considered turning the batch file into an executable?  

http://bat2exe.net/
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Whether you’re a college noob or a soon-to-be pro, these tips are sure to help you in your journey to becoming a programming ninja and stand out from the crowd.
In this post we will learn how to connect and configure Android Device (Smartphone etc.) with Android Studio. After that we will run a simple Hello World Program.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question