Getting Bitlocker Information

Started by bettman, May 12, 2016, 06:50:43 AM


bettman

I was hoping someone could show me how to retrieve the Bitlocker recovery password using the following WMI information:

Path = \root\cimv2\security\microsoftvolumeencryption

The value can be retrieved using the GetKeyProtectorNumericalPassword method of the Win32_EncryptableVolume class.

I've looked in the WMI area of the Winbatch database and all of the scripts seem to show how to get the properties of a class but not how to execute a method of a class.

Any help would be appreciated.

td

Perhaps it is a misunderstanding of the terms or something, but there are many examples of executing WMI class methods in the Tech Database. From the script writer's perspective there isn't really much difference between the two since both can have parameters. The main difference is that you can use an assignment operator on a property when setting it.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

bettman

Given the information in my previous post, could you please show me how to write it properly so the recovery key information is retrieved?

td

As previously mentioned in another thread, use the previous example provided as a response as a starting point:

http://forum.winbatch.com/index.php?topic=1090.msg5119#msg5119

As for the parameter values, you have to figure that out based on MSFT's documentation.  Those are unique to your system and may vary based on how the system is configured.  We have no way of telling you those bits of information.  The method's documentation can be found here:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa376439%28v=vs.85%29.aspx


The GetKeyProtectors method also looks interesting:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa376441%28v=vs.85%29.aspx

The example at the bottom of the page may be of some use.

A search using your search engine of choice may find additional information or a user who has actually used this stuff may provide additional insights.


bettman

In looking over the example provided, the GetConversionStatus method does not require an in parameter whereas the GetKeyProtectorNumericalPassword needs the input parameter VolumeKeyProtectorID. If I'm understanding this correctly, I would need to pass that input parameter to the GetKeyProtectorNumericalPassword method in order to get the desired information. Could you please assist me with doing that?

td

Most COM Automation methods accept [in] parameters. An [out] parameter is the rarity and usually the one that generates a WinBatch-related question, i.e., how do I pass an out parameter variable to a method. But you already have the answer to that question via the 2013 example.

Bitlocker is a Microsoft product. A logical place to find out about a Microsoft product is Microsoft's online documentation for the product. Did you notice that the link to a 'GetKeyProtectors' method I posted has the 'VolumeKeyProtectorID' [out] parameter that is the same name as the 'VolumeKeyProtectorID' [in] parameter to 'GetKeyProtectorNumericalPassword'? It took less than a minute to find that method doing a simple web search on 'GetKeyProtectorNumericalPassword' and 'VolumeKeyProtectorID'. If this information isn't enough info to enable you to call the 'GetKeyProtectorNumericalPassword' method, I am sure a little more digging on Microsoft's site will answer any remaining questions.

stanl

Attached is a nice PowerShell breakdown of Bitlocker. WB can run PS scripts, but I haven't tested as such. I signed the script so it will run in PS w/out elevated privileges (the author posted w/out a sign).

td

Since this is a "WinBatch" forum, a quick and dirty WinBatch example...

Code (winbatch):
strComputer = '.'
objWMIService = GetObject('winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\':strComputer:'\root\cimv2\security\microsoftvolumeencryption')
colItems = objWMIService.ExecQuery ('Select * from Win32_EncryptableVolume WHERE DriveLetter="I:"')
ForEach objInstance In colItems
   
   ; Check for object.
   If !objInstance Then Continue
   If ObjectTypeGet(objInstance) == "EMPTY" Then Continue

   NumericalPassword = ""
   VolumeKeyProtectorIds = 0
   objInstance.GetKeyProtectors(0,VolumeKeyProtectorIds)
   forEach VolumeKeyProtectorId in VolumeKeyProtectorIds
       
      ;  GetKeyProtectorNumericalPassword  can error on some VolumeKeyProtectorID values
      nErrorMode = ErrorMode(@Off)
      objInstance.GetKeyProtectorNumericalPassword(VolumeKeyProtectorID, NumericalPassword)
      nLastError = LastError()
      ErrorMode(nErrorMode)
      if !nLastError
         Message('Drive I ':VolumeKeyProtectorID, NumericalPassword)
      endif
   next
Next

Exit
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade
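
The same two-step call sequence from the thread (GetKeyProtectors, then GetKeyProtectorNumericalPassword), as an added PowerShell example that is not part of the original posts or of stanl's attachment. Instead of suppressing errors for protector IDs that carry no numerical password, it asks GetKeyProtectors only for KeyProtectorType 3 (numerical password) and checks each ReturnValue; the function name is hypothetical and the session is assumed to be elevated.

```powershell
# Added example; run from an elevated PowerShell session.
# Get-NumericalPasswordProtector is an illustrative name, not a built-in cmdlet.
function Get-NumericalPasswordProtector {
    param([string]$DriveLetter = $env:SystemDrive)   # e.g. 'C:'

    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $volume = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume `
                  -Filter "DriveLetter='$DriveLetter'"
    if (-not $volume) { throw "No encryptable volume found for $DriveLetter" }

    # KeyProtectorType 3 = numerical password, so only IDs that can
    # actually return a recovery password come back in the [out] array.
    $list = Invoke-CimMethod -InputObject $volume -MethodName GetKeyProtectors `
                -Arguments @{ KeyProtectorType = [uint32]3 }
    if ($list.ReturnValue -ne 0) {
        throw ('GetKeyProtectors failed: 0x{0:X8}' -f $list.ReturnValue)
    }

    foreach ($id in $list.VolumeKeyProtectorID) {
        # The [out] VolumeKeyProtectorID from above is the [in] parameter here.
        $pw = Invoke-CimMethod -InputObject $volume `
                  -MethodName GetKeyProtectorNumericalPassword `
                  -Arguments @{ VolumeKeyProtectorID = $id }
        if ($pw.ReturnValue -ne 0) {
            # For example, a locked volume: report it and move on.
            Write-Warning ('Protector {0}: 0x{1:X8}' -f $id, $pw.ReturnValue)
            continue
        }
        [pscustomobject]@{
            DriveLetter       = $DriveLetter
            KeyProtectorID    = $id
            NumericalPassword = $pw.NumericalPassword
        }
    }
}

# Same drive letter as the WinBatch example above.
Get-NumericalPasswordProtector -DriveLetter 'I:'
```

A volume with no numerical password protector returns nothing rather than an error, which makes the output usable as a check that a recovery password exists before it is escrowed.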