{"id":17461,"date":"2010-08-11T00:01:00","date_gmt":"2010-08-11T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/08\/11\/masking-passwords-in-windows-powershell\/"},"modified":"2010-08-11T00:01:00","modified_gmt":"2010-08-11T00:01:00","slug":"masking-passwords-in-windows-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/masking-passwords-in-windows-powershell\/","title":{"rendered":"Masking Passwords in Windows PowerShell"},"content":{"rendered":"

 <\/p>\n

Summary<\/strong>: With Windows PowerShell cmdlets, it is easy to mask passwords used when scripting remote applications.<\/p>\n

 <\/p>\n

\"Hey, Hey, Scripting Guy! I need to be able to mask a password when running a Windows PowerShell<\/a> script. I am attempting to convert my VBScript scripts to Windows PowerShell, but I have a problem. In VBScript I would use a COM object called scriptpw.password<\/strong>. I first learned about it from the How Can I Mask Passwords Using an InputBox?<\/a> Hey, Scripting Guy! post. Unfortunately, I get an error when attempting to use this object in Windows PowerShell. I don’t get it because I thought that Windows PowerShell could create COM objects. What do I need to do to make this work?<\/p>\n

— AJ<\/p>\n

 <\/p>\n

\"Hey, Hello AJ, <\/p>\n

Microsoft Scripting Guy Ed Wilson here. I was in Ft. Lauderdale, Florida<\/a>, teaching a VBScript class a few years ago when this happened. There was a knock on the hotel room door. I opened it, and there stood my significant other. Teresa had decided to fly down and join me for the weekend. Because she went to all the trouble to fly down and visit me, I felt compelled to see what she wanted to do for the weekend. For her, the choice was easy—go to a butterfly farm. Luckily, I had my camera with me. Butterfly farms offer myriad opportunities for taking great pictures, such as this one I snapped.<\/p>\n

\"Photo<\/a> <\/p>\n

Even though it might seem difficult to take great pictures of butterflies, it can be surprisingly easy. AJ, the same is true for masking passwords in Windows PowerShell: It is very easy when you know the trick. For example, if I need to mask the administrator password while checking on the BIOS version of a remote computer, I use the –credential<\/strong> parameter:<\/p>\n

Get-WmiObject<\/span> <\/span>-Class<\/span> <\/span>win32_bios<\/span> <\/span>-ComputerName<\/span> <\/span>hyperv<\/span> <\/span>-Credential<\/span> <\/span>nwtraders\\administrator<\/span> <\/p>\n

When the Get-WmiObject<\/strong> command runs, the dialog box appears that is shown in the following image. Note that the username is automatically filled out from the domain and username supplied when typing the command. When the Windows PowerShell Credential Request dialog box appears, the password characters are masked as you type them. <\/p>\n

\"Image<\/a> <\/p>\n

If you do not supply a username for the –credential<\/strong> parameter for the Get-WmiObject<\/strong> cmdlet, the error shown in the following image appears.<\/p>\n

\"Image<\/a> <\/p>\n

The error actually makes sense because when working interactively, you would normally supply the username to use for the command. <\/p>\n

There are 56 cmdlets that use the –credential<\/strong> parameter. They are shown here. GCM<\/strong> is an alias for the Get-Command<\/strong> cmdlet. The ?<\/strong> is an alias for the Where-Object<\/strong> cmdlet:<\/p>\n

PS<\/span> <\/span>C:\\><\/span> <\/span>gcm<\/span> <\/span>-type<\/span> <\/span>cmdlet<\/span> <\/span>|<\/span> <\/span>?<\/span> <\/span>{<\/span> <\/span>$_<\/span>.parameters.keys<\/span> <\/span>-match<\/span> ‘credential’<\/span>}<\/span> <\/span>|<\/span> <\/span>Format-Wide<\/span>
<\/span>name<\/span> <\/span>-AutoSize<\/span>
<\/span>Add-Computer<\/span> <\/span>Add-Content<\/span> <\/span>Clear-Content<\/span>
<\/span>Clear-Item<\/span> <\/span>Clear-ItemProperty<\/span> <\/span>Connect-WSMan<\/span>
<\/span>Copy-Item<\/span> <\/span>Copy-ItemProperty<\/span> <\/span>Enter-PSSession<\/span>
<\/span>Get-Content<\/span> <\/span>Get-Credential<\/span> <\/span>Get-HotFix<\/span>
<\/span>Get-Item<\/span> <\/span>Get-ItemProperty<\/span> <\/span>Get-WinEvent<\/span>
<\/span>Get-WmiObject<\/span> <\/span>Get-WSManInstance<\/span> <\/span>Invoke-Command<\/span>
<\/span>Invoke-Item<\/span> <\/span>Invoke-WmiMethod<\/span> <\/span>Invoke-WSManAction<\/span>
<\/span>Join-Path<\/span> <\/span>Move-Item<\/span> <\/span>Move-ItemProperty<\/span>
<\/span>New-Item<\/span> <\/span>New-ItemProperty<\/span> <\/span>New-PSDrive<\/span>
<\/span>New-PSSession<\/span> <\/span>New-PSSessionOption<\/span> <\/span>New-Service<\/span>
<\/span>New-WebServiceProxy<\/span> <\/span>New-WSManInstance<\/span> <\/span>New-WSManSessionOption<\/span>
<\/span>Register-WmiEvent<\/span> <\/span>Remove-Computer<\/span> <\/span>Remove-Item<\/span>
<\/span>Remove-ItemProperty<\/span> <\/span>Remove-WmiObject<\/span> <\/span>Remove-WSManInstance<\/span>
<\/span>Rename-Item<\/span> <\/span>Rename-ItemProperty<\/span> <\/span>Resolve-Path<\/span>
<\/span>Restart-Computer<\/span> <\/span>Send-MailMessage<\/span> <\/span>Set-Content<\/span>
<\/span>Set-Item<\/span> <\/span>Set-ItemProperty<\/span> <\/span>Set-WmiInstance<\/span>
<\/span>Set-WSManInstance<\/span> <\/span>Split-Path<\/span> <\/span>Start-Job<\/span>
<\/span>Start-Process<\/span> <\/span>Stop-Computer<\/span> <\/span>Test-Connection<\/span>
<\/span>Test-Path<\/span> <\/span>Test-WSMan<\/span>
<\/span>PS<\/span> <\/span>C:\\><\/span> <\/span>gcm<\/span> <\/span>-type<\/span> <\/span>cmdlet<\/span> <\/span>|<\/span> <\/span>?<\/span> <\/span>{<\/span> <\/span>$_<\/span>.parameters.keys<\/span> <\/span>-match<\/span> ‘credential’<\/span>}<\/span> <\/span>|<\/span> <\/span>measure<\/span>
<\/span>Count<\/span> <\/span>:<\/span> <\/span>56<\/span>
<\/span>Average<\/span> <\/span>:<\/span>
<\/span>Sum<\/span>&nb\nsp;<\/span>:<\/span>
<\/span>Maximum<\/span> <\/span>:<\/span>
<\/span>Minimum<\/span> <\/span>:<\/span>
<\/span>Property<\/span> <\/span>:<\/span>
<\/span>PS<\/span> <\/span>C:\\><\/span> <\/p>\n

Unfortunately, most of the 56 cmdlets that accept the credential parameter may not work the way you envision. For example, the Get-Item<\/strong> cmdlet accepts credential, but it is not implemented for any of the default providers except for the wsMan<\/strong> drive. This is shown here: <\/p>\n

PS<\/span> <\/span>C:\\><\/span> <\/span>Get-PSProvider<\/span>
<\/span>Name<\/span> <\/span>Capabilities<\/span> <\/span>Drives<\/span>
<\/span>—-<\/span> <\/span>————<\/span> <\/span>——<\/span>
<\/span>WSMan<\/span> <\/span>Credentials<\/span> <\/span>{WSMan}<\/span>
<\/span>Alias<\/span> <\/span>ShouldProcess<\/span> <\/span>{Alias}<\/span>
<\/span>Environment<\/span> <\/span>ShouldProcess<\/span> <\/span>{Env}<\/span>
<\/span>FileSystem<\/span> <\/span>Filter,<\/span> <\/span>ShouldProcess<\/span> <\/span>{C,<\/span> <\/span>E,<\/span> <\/span>D}<\/span>
<\/span>Function<\/span> <\/span>ShouldProcess<\/span> <\/span>{Function}<\/span>
<\/span>Registry<\/span> <\/span>ShouldProcess,<\/span> <\/span>Transactions<\/span> <\/span>{HKLM,<\/span> <\/span>HKCU}<\/span>
<\/span>Variable<\/span> <\/span>ShouldProcess<\/span> <\/span>{Variable}<\/span>
<\/span>Certificate<\/span> <\/span>ShouldProcess<\/span> <\/span>{cert}<\/span>
<\/span>PS<\/span> <\/span>C:\\><\/span> <\/p>\n

This means that you cannot supply credentials for the Get-Item<\/strong> cmdlet when connecting to registry or to a file system drive—two of the more common scenarios. <\/p>\n

If you would like the user to type full credentials for your script (both a user name and a password), you can use the Get-Credential<\/strong> cmdlet. This is shown in the ShutdownComputer.ps1 script.<\/p>\n

ShutdownComputer.ps1<\/strong><\/p>\n

$credential<\/span> <\/span>=<\/span> <\/span>Get-Credential<\/span> <\/p>\n

<\/span>Stop-Computer<\/span> <\/span>-ComputerName<\/span> <\/span>win7-c1<\/span> <\/span>-Credential<\/span> <\/span>$credential<\/span> <\/p>\n

 <\/p>\n

When the script runs, the dialog box appears that is shown in the following image.<\/p>\n

\"Image<\/a> <\/p>\n

If you only want to obtain the password, you can use the Read-Host<\/strong> cmdlet with the –asSecureString<\/strong> parameter. By default, when using the Read-Host<\/strong> cmdlet, it does not mask data supplied via the command line. But when the –asSecureString<\/strong> parameter is used, it masks the password. This is shown in the following image.<\/p>\n

\"Image<\/a> <\/p>\n

Because both of these methods, Get-Credential<\/strong> and Read-Host<\/strong>, return an instance of the System.Security.SecureString<\/a> .NET Framework object, it is important to test your script to ensure that the target application will accept a SecureString<\/strong> for the password. This is especially true for old COM interfaces. Most .NET Framework interfaces will accept the SecureString<\/strong>. This is important from a security concern because a SecureString<\/strong> is encrypted. <\/p>\n

AJ, that is all there is to using Windows PowerShell to mask passwords when running scripts. Running Windows PowerShell Scripts Week will continue tomorrow when we will talk about pausing a script to wait for user interaction. <\/p>\n

We invite you to follow us on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to us at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

 <\/p>\n

Ed Wilson and Craig Liebendorfer, Scripting Guys<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

  Summary: With Windows PowerShell cmdlets, it is easy to mask passwords used when scripting remote applications.   Hey, Scripting Guy! I need to be able to mask a password when running a Windows PowerShell script. I am attempting to convert my VBScript scripts to Windows PowerShell, but I have a problem. In VBScript I […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[51,171,2,3,4,45],"class_list":["post-17461","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-getting-started","tag-masking-passwords","tag-running","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell"],"acf":[],"blog_post_summary":"

  Summary: With Windows PowerShell cmdlets, it is easy to mask passwords used when scripting remote applications.   Hey, Scripting Guy! I need to be able to mask a password when running a Windows PowerShell script. I am attempting to convert my VBScript scripts to Windows PowerShell, but I have a problem. In VBScript I […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/17461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=17461"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/17461\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=17461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=17461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=17461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}