1

I have a CMD file from which I have to run a Powershell script passing in username and password: i.e: PowerShell -File "%1" -Computer "%2" -Username "%3" -Password "%4". Is there anyway to send a SecureString password from the CMD to the powershell script?

Let me add a few more points to make my predicament clearer: So whenever I execute this CMD file containing the above said Powershell command, I am passing in the values for all the parameters(%1% to %4%) on the command line. Now when I pass these arguments, they are passed in as clear text and everything is logged into the Events Monitor with ID 4688 with Advanced Auditing enabled. What I want is the password to not be visible in this case.

Jay Bhardwaj
  • 65
  • 2
  • 6

1 Answers1

5

No. SecureString is a Powershell construct that has no meaning in the legacy cmd/batch environment.

If you don't want the password to be visible, you need to find another way of passing it than directly in the command (which likely means modifying your Powershell script to not accept a plain text password parameter).

The most common thing I've seen people do is export a PSCredential object to a file using Export-CliXml and then import it to a variable prior to calling the script's function (via Import-CliXml), and pass the variable to the function. The caveat to this approach is that the exported file is not portable. The encryption in the XML is tied to both the user and machine that did the export.

Edit: Here's how you could change your CMD script to accommodate passing the PSCredential. I'll assume relative paths here just to keep things shorter.

Before your script kicks off, you need to export the credential to a file.

# interactively prompt for the credential
$cred = get-credential

# export the credential object to a file
$cred | Export-Clixml .\mycred.xml

Now in your CMD script, you basically change how your calling Powershell from using -File to using -Command so that you can import the credential file back to a variable before passing it to the script.

powershell.exe -C "$cred = Import-Clixml .\mycred.xml; .\%1 -Computer %2 -Credential $cred"
Ryan Bolger
  • 16,755
  • 4
  • 42
  • 64
  • Agreed that Powershell has all the constructs to secure a password but my issue that I have to invoke the Powershell through a CMD script passing the Password as an argument but whenever the Powershell process is created it gets logged in Windows Events Log where the password is present in clear text. My CMD is receiving the password in cleartext but that is not an issue as it is not logged anywhere neither is it visible. I can make my Powershell script accept PSCredential but how will I create it in the CMD script? – Jay Bhardwaj Oct 09 '17 at 20:10
  • See my edit above for how this might work. – Ryan Bolger Oct 09 '17 at 21:00