Protecting Credentials

Started by hdsouza, September 07, 2020, 04:08:07 PM


hdsouza

I need to generate the secure string for a password and save it in a file.
I could do it in PowerShell with:
ConvertTo-SecureString "ThisisMypassword" -AsPlainText -Force | ConvertFrom-SecureString | Out-File "C:\cred_pass.txt"

Then for normal operations, I want to read the file and decode the password:
$login = "my_Login"
$MyPass = Get-Content "C:\cred_pass.txt" | ConvertTo-SecureString
$Cred_pass = New-Object System.Management.Automation.PsCredential($login,$MyPass)
$pass = $Cred_pass.GetNetworkCredential().password


Can I do the same with WinBatch?

td

Yes, using WinBatch's CLR hosting. PowerShell is mostly just a thin cover for MSFT's various dotNet Frameworks. A quick search of MSFT's documentation for the PSCredential class should get you started.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

stanl

There should be a thread in this section which discussed secure strings. Below is something I posted which uses WB's CLR to run PowerShell.
Code (WINBATCH):

;Winbatch 2018B - CLR - Decrypt Secure String
;needs help from Powershell
;Stan Littlefield May 4th 2019   [ May 4th be with you ]
;=================================================================================
IntControl(73,1,0,0,0)
Gosub udfs
cScript=""
text="This is a String That is about to be made secure, or I could load text"
file="c:\TEMP\test.txt"
If FileExist(file) Then FileDelete(file)
CrSecret()
CrPS()
If ! FileExist(file) Then Terminate(@TRUE,"Cannot Continue","Missing ":file)


Message("Secure String",FileGetW(file))
ClipPut("")
DcSecret()
CrPS()


Message("Decrypted",ClipGet())




Exit


:WBERRORHANDLER
oPShell=0
ErrorProcessing(0,1,0,0)
Exit
;=================================================================================


:udfs
#DefineSubRoutine CrPS()  ;Creates Powershell CLR Object
ObjectClrOption("useany", "System.Management.Automation")
objAutoPs = ObjectClrNew("System.Management.Automation.PowerShell")
oPshell = objAutoPs.Create()
oScope = ObjectType("BOOL",@TRUE)
oPshell.AddScript(cScript,oScope)
objAsync = oPshell.BeginInvoke()
oPShell.EndInvoke(objAsync)     
oPShell=0
Return(1)
#EndSubRoutine


#DefineSubroutine CrSecret()  ;Creates file with secure string
cScript='$storage = "%file%"':@CRLF
cScript :='$mysecret = "%text%"':@CRLF
cScript :='$mysecret | ':@CRLF
cScript :='  ConvertTo-SecureString -AsPlainText -Force | ':@CRLF
cScript :='  ConvertFrom-SecureString | ':@CRLF
cScript :='  Out-File -FilePath $storage ':@CRLF
Return(1)
#EndSubRoutine


#DefineSubroutine DcSecret()  ; outputs secure string as plain text
cScript='$storage = "%file%"':@CRLF
cScript :='$secureString = Get-Content -Path $storage | ConvertTo-SecureString':@CRLF
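cScript :='$ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($secureString)':@CRLF
cScript :='$mysecret = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)':@CRLF
;zero and free the unmanaged plaintext copy once the managed string has been built
cScript :='[System.Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr)':@CRLF
cScript :='$mysecret | clip'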
Return(1)
#EndSubRoutine


#DefineSubroutine ErrorProcessing(deleteIni,showerr,logfile,Err_Array)
If Vartype(Err_Array) ==256
   WbError = Err_Array[0]
   wberrorhandlerline = Err_Array[1] 
   wberrorhandleroffset = Err_Array[2]   
   wberrorhandlerassignment = Err_Array[3] 
   wberrorhandlerfile = Err_Array[4]
   wberrortextstring = Err_Array[5] 
   wberroradditionalinfo = Err_Array[6] 
   wberrorinsegment = Err_Array[7]   
Else
   WbError = LastError()
Endif
WbTextcode = WbError
If WbError==1668||WbError==2669||WbError==3670
   WbError = ItemExtract(1,IntControl(34,-1,0,0,0),":")
   WbTextcode = -1
EndIf
WbErrorString = IntControl(34,WbTextcode,0,0,0)
WbErrorDateTime = TimeYmdHms()
If deleteIni
   WbErrorFile = StrCat(ShortCutDir( 'AppData', 0, 0 ),'\WinBatch\Settings\')
   If ! DirExist(WbErrorFile) Then WbErrorFile = DirWindows(0)
   WbErrorFile = StrCat(WbErrorFile,"WWWBATCH.INI")
   FileDelete(WbErrorFile)
   ;IniWritePvt(WbErrorDateTime,"CurrentScript",WbErrorHandlerFile      ,WbErrorFile)
   IniWritePvt(WbErrorDateTime,"ErrorValue"   ,WbError                 ,WbErrorFile)
   IniWritePvt(WbErrorDateTime,"ErrorString"  ,WbErrorString           ,WbErrorFile)
   IniWritePvt(WbErrorDateTime,"ScriptLine"   ,WbErrorHandlerLine      ,WbErrorFile)
   IniWritePvt(WbErrorDateTime,"ScriptOffset" ,WbErrorHandlerOffset    ,WbErrorFile)
   IniWritePvt(WbErrorDateTime,"VarAssignment",WbErrorHandlerAssignment,WbErrorFile)
   IniWritePvt(WbErrorDateTime,"VarInSegment" ,WbErrorInSegment,WbErrorFile)
   IniWritePvt("","","",WbErrorFile)
Endif 
WbErrorMsgText = StrCat(WbErrorDateTime,@CRLF)
WbErrorMsgText = StrCat(WbErrorMsgText,"Current Script: ",WbErrorHandlerFile,@CRLF)
WbErrorMsgText = StrCat(WbErrorMsgText,"Error# [",WbError,"]",@CRLF)
WbErrorMsgText = StrCat(WbErrorMsgText,"Error Text: ",wberrortextstring,@CRLF)
WbErrorMsgText = StrCat(WbErrorMsgText,"[Extended Information] ",wberroradditionalinfo,@CRLF,@CRLF)
WbErrorMsgText = StrCat(WbErrorMsgText,"On Line:",@CRLF,WbErrorHandlerLine,@CRLF)
;WbErrorMsgText = StrCat(WbErrorMsgText,"Offset: ",WbErrorHandlerOffset,@CRLF)
If (WbErrorHandlerAssignment>"") Then %WbErrorHandlerAssignment% = "UNKNOWN"
WbErrorMsgText = StrCat(WbErrorMsgText,"Assignment/Variable: ",WbErrorHandlerAssignment,@CRLF)
If (WbErrorInSegment>"") Then WbErrorMsgText = StrCat(WbErrorMsgText,"In UDF/UDS: ",WbErrorInSegment,@CRLF)
If logfile
   cSep = StrCat(StrFill("=",50),@CRLF)
   cLogFile = StrCat(dirscript(),"log.err")
   If ! FileExist(cLogFile) Then FilePut(cLogFile,StrCat("Error Log",@CRLF,cSep))
   FilePut(cLogFile,StrCat(FileGet(cLogFile),WbErrorMsgText,cSep))
   display(2,"An Error Occurred",StrCat("written to ",cLogFile))
Else
   If showerr
      WbErrorMsgText = StrCat(WbErrorMsgText,"[THIS ERROR NOT WRITTEN TO LOG FILE]",@CRLF)
      Message("An Error Was Encountered",WbErrorMsgText)
   Endif
Endif
Return(1)
#EndSubroutine


Return
;=================================================================================



hdsouza


td

You can skip the whole PowerShell business using the classes in the System.Security.Cryptography dotNet Framework namespace.  I am not seeing much on the namespace in the WinBatch Tech Database. The oversight should be corrected when time permits.

Here is a link to a topic with an example on this forum:

https://forum.winbatch.com/index.php?topic=1973.msg10043#msg10043
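
The file format from the first post and the System.Security.Cryptography pointer above, combined in an added example that is not code from the thread or from WinBatch. It assumes Windows PowerShell 5.1 and that `ProtectedData` (DPAPI) is the relevant class in that namespace; the secret, the entropy string and the `ConvertFrom-Hex` helper are constructed for illustration.

```powershell
# Added example, Windows only (DPAPI). Written for Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security             # assembly that holds ProtectedData
$PD = [System.Security.Cryptography.ProtectedData]

function ConvertFrom-Hex([string]$Hex) {
    # ConvertFrom-SecureString emits two hex digits per byte
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes                                 # comma keeps the byte[] from being unrolled
}

# Constructed sample secret; Read-Host -AsSecureString avoids a literal in the script.
$secure = ConvertTo-SecureString 'Constructed-Sample-1' -AsPlainText -Force
$hex    = $secure | ConvertFrom-SecureString       # the text the thread saves to cred_pass.txt

# 1. Read that text back with no SecureString cmdlets: it is a DPAPI blob, CurrentUser scope.
$plainBytes = $PD::Unprotect((ConvertFrom-Hex $hex), $null, 'CurrentUser')
$roundTrip  = [System.Text.Encoding]::Unicode.GetString($plainBytes)
[Array]::Clear($plainBytes, 0, $plainBytes.Length) # wipe the byte copy after use
"DPAPI round trip matches: $($roundTrip -eq 'Constructed-Sample-1')"

# 2. Protect directly, adding optional entropy (a second value the reader must also supply).
$entropy = [System.Text.Encoding]::UTF8.GetBytes('constructed-app-entropy')
$data    = [System.Text.Encoding]::Unicode.GetBytes('Constructed-Sample-1')
$sealed  = $PD::Protect($data, $entropy, 'CurrentUser')
[Array]::Clear($data, 0, $data.Length)

# Without the entropy the blob does not open, even for the same user.
try {
    [void]$PD::Unprotect($sealed, $null, 'CurrentUser')
    'Opened without entropy (unexpected)'
} catch {
    'Unprotect without entropy failed, as expected'
}
```

Step 1 shows that the saved file is protected only against other Windows accounts: any code running as the account that created it can recover the password, so the file's ACL and location still matter.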