
I have a working script that uses Invoke-Expression to execute psexec in PowerShell ISE:

```powershell
<# $password is encrypted password, need to unencrypt to pass it to psexec #>

$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$str =  [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$enable_command = "D:\PSTools\PsExec.exe $comp -u Administrator -p $str -accepteula powershell.exe c:\share\ps_enable.ps1"

Invoke-Expression $enable_command
```

I don't want to use Invoke-Expression because it outputs data, including the PLAINTEXT password, onto the PowerShell ISE console. But this script with Start-Process doesn't work:

```powershell
<# $password is encrypted password, need to unencrypt to pass it to psexec #>

$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$str =  [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

Start-Process -FilePath D:\PSTools\PsExec.exe -ArgumentList '$comp', '-u', 'Administrator', '-p', '$str', '-accepteula', 'powershell.exe', 'c:\share\ps_enable.ps1'
```

How to fix?

Glowie

1 Answer

How about just capturing the Invoke-Expression in a variable, or piping it to Out-Null?

```powershell
$CmdOutput = Invoke-Expression $enable_command
```

or

```powershell
Invoke-Expression $enable_command | Out-Null
```

Edit: Ok, I forgot that PSExec likes to use StdErr as a method for displaying some of its text, and that portion would not be captured by these. What you can do is redirect StdErr to StdOut, and either pipe to Out-Null or capture it as suggested. Try this:

```powershell
$CmdOutput = Invoke-Expression $enable_command 2>&1
```
TheMadTechnician
  • it displays everything? I'm not sure I understand the issue. Are you training users to run the ISE and execute this script, and don't want them to see a password that it uses? – TheMadTechnician Sep 19 '14 at 16:10
  • Ok, check my edit in the answer. I have a feeling you will be much happier with the results of that. – TheMadTechnician Sep 19 '14 at 16:17
  • I'm creating a script for our remote technicians to remotely deploy and install software on computers at their site. I want to avoid the script getting into the wrong hands and the Administrator password being leaked. – Glowie Sep 19 '14 at 16:19
  • If you are concerned about the script getting into the wrong hands this won't solve that issue. All it takes is somebody to edit it and remove the `2>&1` and the password is displayed in plain text again. Converting an encrypted password to plain text is always a security risk. Always. – TheMadTechnician Sep 19 '14 at 16:22
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/61576/discussion-between-glowie-and-themadtechnician). – Glowie Sep 19 '14 at 16:27
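
An added example, not part of the question or the answer above: the first function passes the question's PsExec arguments as an array so the variables expand (the single-quoted `'$comp'` and `'$str'` are sent literally) and discards both output streams; the second goes beyond the thread and keeps the password as a SecureString by using a PSCredential. The function and parameter names are hypothetical, and the second function assumes PowerShell remoting (WinRM) is enabled on the target.

```powershell
# Added example. The paths and the Administrator account come from the
# question; the function and parameter names are hypothetical.
function Invoke-PsExecQuiet {
    param(
        [Parameter(Mandatory)] [string] $Computer,        # same form as $comp
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $PsExecPath   = 'D:\PSTools\PsExec.exe',
        [string] $RemoteScript = 'c:\share\ps_enable.ps1'
    )
    # PsExec writes its banner to stderr; keep that from becoming a terminating
    # error if the caller runs with $ErrorActionPreference = 'Stop'.
    $ErrorActionPreference = 'Continue'
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Variables are array elements, not text inside single quotes, so they
        # expand; no command string is built, so nothing is re-parsed.
        $psexecArgs = @($Computer, '-u', 'Administrator', '-p', $plain,
                        '-accepteula', 'powershell.exe', $RemoteScript)
        # Merge stderr into stdout and discard both: nothing reaches the console.
        & $PsExecPath @psexecArgs 2>&1 | Out-Null
        return $LASTEXITCODE
    }
    finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        # Drops the reference only; the managed string lives until collected,
        # and the password is still on PsExec's command line while it runs.
        $plain = $null
    }
}

# Assumption: PowerShell remoting (WinRM) is enabled on the target and
# $Computer is a bare host name. The password is never converted to plaintext.
function Invoke-RemoteScriptWithCredential {
    param(
        [Parameter(Mandatory)] [string] $Computer,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $RemoteScript = 'c:\share\ps_enable.ps1'
    )
    $cred = New-Object System.Management.Automation.PSCredential('Administrator', $Password)
    Invoke-Command -ComputerName $Computer -Credential $cred -ScriptBlock {
        param($path) & $path
    } -ArgumentList $RemoteScript | Out-Null
}
```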