Insert password in a script
brucine Posted messages 24865 Registration date Status Member Last intervention -
10 answers
-
Hello,
It's not possible within the script itself, since it's the script opening that asks for the credentials.
The theory would thus suggest calling the script with a second command like:
runas /user:user_name /pass:12345 "mon.cmd"
which does not work, as security continues to prompt for the password; a workaround is to save it once and for all at the first use:
runas /user:user_name /savecred "mon.cmd"
There is no other solution other than using a third-party utility; for example, one can try with PsExec:
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec -
Okay, thanks
Indeed, I saw the solution with pstools, but that requires installing it on all the machines in the network, and the fleet involved is substantial
I can't save the password either because it would need to be done for each machine and each user profile
Is there no option where we can retrieve the password placed in another file, and a command comes to copy-paste it when requested? A sort of robot that types for us? -
Hello
if you work in the AD field, it would be enough to do this through GPO...
No more worries...
--
Chouba, Moderator / My job is so secret that I don't even know what I do. -
Indeed, it is well done to deploy pstools on all machines.
Here are my commands:
xcopy /s "\\monserv\pstools" "%windir%\system32\pstools\" /Y
setx path /m "%path%;%windir%\system32\pstools"
It works well using psexec, but there is indeed a small detail I would like to improve. The password remains accessible in the batch, so it's not very secure since it's the domain admin password.
Indeed, here is the batch command intended to block a program via firewall:
psexec -accepteula -u mondomaine\admin -p mypassword -d cmd.exe /c \\monserv\cmd\vblockbrowsers.bat
Is there a way to mask the password or make it less visible? Or should I make the .bat a hidden file, but any user can easily show hidden files?
Thanks.-
Good evening,
The solution might be to convert the bat to an exe?
The catch is, of course, if it needs to address multiple machines, there would need to be a different exe for each machine and each password.
Other sources, like here, suggest embedding the bat in a password-protected zip archive or encrypting it (CERTUTIL, base64 encoder...), I haven't tested any of this since the bat needs to remain functional in its processed state.
This is probably the case with the zip solution (just decompress on the fly, but manually via the command line since scheduling the batch or creating a second one for that purpose would lose its appeal: the second password would be visible).
https://www.developpez.net/forums/d1297398/general-developpement/programmation-systeme/windows/scripts-batch/outils-cryptage-sous-windows/
-
-
Yes, indeed there is the option to convert to .exe that I tested and which is interesting.
I think I'm also going to try a very simple method: placing the .bat file in a user-invisible drive, the C: drive simply since it is hidden from users (via the registry key nodrives and noviewondrives).
Hoping that the execution can go well. -
The problem with converting to .exe assumes that the password cannot under any circumstances be changed. This is not recommended in terms of security.
--
Chouba, Moderator / My job is so secret that I don’t even know what I do. -
ok. but converting to .exe seems to be the only option so that no one can see the admin password
I'm encountering a strange issue, when I run the command that calls a .bat it works well but if I insert the command into psexec it requires administrator rights
command is ok but requires 2 files
psexec -accepteula -u mondomaine\admin -p mypassword -d cmd.exe /c \\monserv\cmd\vblockbrowsers.bat
command not ok
psexec -accepteula -u mondomaine\admin -p mypassword -d cmd.exe /c (^netsh advfirewall firewall add rule name="chrome" dir=in action=block program="C:\program files\google\chrome\application\chrome.exe" enable=yes profile=any ^)
if a user runs this batch it indicates "the requested operation requires elevation"
-
Hello,
I'm not sure I understand the question. Is the script not intended to be run by the user on one of the target machines?
The issue may lie in both PSEXEC and NETSH: in both cases, you need to have the admin$ administrative share enabled on the target machine.
In the latter, most NETSH commands require elevation which might be achievable through the -h switch of PSEXEC and otherwise generally goes through PowerShell:
https://ss64.com/ps/syntax-elevate.html
Moreover, NETSH prohibits the use of a username and password locally, and requires that not only file and printer sharing is active on the network, but also that the remote registry access service is enabled.
Hello, I'm coming back to this elevation issue with psexec. Even when adding -h to the command, I get the message "could not start psexesvc service on A01-1" > A01-1 being the name of the machine
I then have the operation requested requires elevation. Yet everything is fine as admin, the command runs well
psexec -accepteula -u mondomaine\admin -p mypassword -h -d cmd.exe /c (^netsh advfirewall firewall add rule name="chrome" dir=in action=block program="C:\program files\google\chrome\application\chrome.exe" enable=yes profile=any ^)
It remains mysterious. The only way to avoid the elevation problem is to have a second .bat file that psexec comes to launch
I fear there is indeed no clear solution; it’s the serpent biting its own tail: Psexec runs the required commands at an administrator level with the /h switch, but it itself needs to be run as an administrator, which will work perfectly at the command line but not in a scheduled task.
There are a number of complex solutions, such as this one:
https://stackoverflow.com/questions/7044985/how-can-i-auto-elevate-my-batch-file-so-that-it-requests-from-uac-administratorAnd a number of other ideas by Googling something like "psexec batch scheduled task elevation" or "batch elevate to administrator", I’ll let you shop around to see if you find inspiration...
-
-
Hello
I maintain the GPO solution ... in a domain, these are their purposes.
-
I am further clarifying my objective to hide the admin password as GPO does not seem to be considered in this case.
The idea is that at a specific moment, a user (teacher) sends a command to another user’s workstation (student) via remote control software. Two commands are planned, one to block the browser and the other to unblock it. The scripts integrating psexec are preconfigured in the application, invisible to the user. However, they are not completely inaccessible to the latter since the scripts are stored on a shared drive. So, even if hidden well, if the user finds the batch file, they could reactivate the browser. Because even by hiding the drive with the registry via the "nodrives" key, the drive must remain accessible for the user, so "noviewondrive" cannot be considered a priori.
That is why, even if the script is detected at worst, the admin password must not be recoverable.
-
Hello,
Psexec has a switch -s that allows using the "NT AUTHORITY\SYSTEM" account
This account is the most powerful of all accounts and is not subject to UAC.
-
Hello,
Yes, I saw that too, but whether the switch is h or s, I'm not sure of the result in scheduled tasks: apparently it's not the psexec command that fails to execute due to lack of rights on the target, but the fact that we get rejected as soon as psexec is read; the psexec service is not started because we need administrative rights for that, which happens when we run a batch by choosing to run as administrator beforehand.
-