credential file

  • Question

  • Why do I need a credential file?  Even if I create the file with the proper username and password.

    I still need to enter the password to do a runas.  Does this mean that every administrator has to either

    be logged in as administrator to run scripts as administrator.  What about running a script on a remote system

    does he have to always enter the password?  On windows 7 pro I was able to use the credential file to run a script as

    administrator without having to enter the password.

    They say don't run your system always logged in as administrator.  But to unlock a bitlocked drive you need to be administrator.

    But to run a script on the bitlocked drive you need to not be administrator.  So you can't use one script to unlock the drive run your script and the relock the drive.

    RAC

    Monday, April 4, 2016 10:39 PM

Answers

  • I used the cmdlet new-eventlog -logname application -source task

    This created a new source for the application event log.  I then setup the unlockdrive task to trigger on an event log application source task eventid 1.  Then I did a write-eventlog -logname Application -source "task" -eventID 1 -entrytype Information -message "unlockdrive"

    Every time I write this to the log it unlocks the drive.

    Thanks again

    RAC
    • Marked as answer by rac8006 Thursday, April 7, 2016 8:29 PM
    Wednesday, April 6, 2016 1:13 PM

All replies

  • You must be an admin or provide admin credentials.  Adding a password in a file serves no purpose other than giving away your password.

    Don't be a fool. Do not give away your password.


    \_(ツ)_/

    • Proposed as answer by Jason Warren Monday, April 4, 2016 11:24 PM
    • Unproposed as answer by Jason Warren Monday, April 4, 2016 11:24 PM
    • Proposed as answer by jrv Tuesday, April 5, 2016 4:06 AM
    Monday, April 4, 2016 11:03 PM
  • But I asked nicely.
    Monday, April 4, 2016 11:25 PM
  • So why does the credential file allow you to save the password in a secure string?

    How do you provide admin credentials?

    RAC

    Monday, April 4, 2016 11:35 PM
  • Hi RAC,

    "secure string" is a bit of a misnomer, "Less insecure string" would be better (or at least more accurate). Basically, whenever possible run things under an account that already has the necessary privileges.

    Now, regarding your specific issue, I think the easiest way to go would be to create two tasks, one for unlocking and one for locking that bitlocked drive. Run those under the admin account with maximum privileges, you'll need to provide the credentials when registering the task.

    Then you can simply trigger the tasks, which locally requires no admin privileges.

    Of course, this solution assumes that bitlocker, as well as unlocking and relocking content, is the way to go. Examining that question however reaches far beyond the scope of this thread :)

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Tuesday, April 5, 2016 1:50 AM
  • I think I understand how to create tasks and to set triggers for tasks.  But how does one cause a task to be triggered on command?  What I was able to do on windows 7 Pro was to have a script that would run the unlockdrive.ps1 as admin, then run quicken to open a file on the unlocked drive.  When quicken finished it would then call lockdrive.ps1 as admin.  I was able to do this from one shortcut.  No prompts for credentials.  Just used the credential file that I created to allow this.

    RAC

    If the credential file is not secure why do they continue to explain how to use it?

    Tuesday, April 5, 2016 3:35 AM
  • So why does the credential file allow you to save the password in a secure string?

    How do you provide admin credentials?

    RAC


    There is no such thing as a credential file. Where did you get that idea from?

    \_(ツ)_/

    Tuesday, April 5, 2016 4:06 AM
  • I created a task called unlockdrive.  I then did a schtasks /run /S Howard /tn unlockdrive

    and got ERROR: Access is denied.  What did I do wrong?

    RAC

    PS While in task scheduler and click run it works.  But task scheduler was run as administrator.

    PSS admin command prompt it also works.
    • Edited by rac8006 Tuesday, April 5, 2016 4:20 AM info
    Tuesday, April 5, 2016 4:08 AM
  • Why do I need a credential file?  Even if I create the file with the proper username and password.

    I still need to enter the password to do a runas.  Does this mean that every administrator has to either

    be logged in as administrator to run scripts as administrator.  What about running a script on a remote system

    does he have to always enter the password?  On windows 7 pro I was able to use the credential file to run a script as

    administrator without having to enter the password.

    They say don't run your system always logged in as administrator.  But to unlock a bitlocked drive you need to be administrator.

    But to run a script on the bitlocked drive you need to not be administrator.  So you can't use one script to unlock the drive run your script and the relock the drive.

    RAC


    It takes a while to learn things like advanced technologies.  Physics, chemistry, math and other complex things require many years of training to master.  Be patient. You will learn at your own pace.

    \_(ツ)_/

    Tuesday, April 5, 2016 4:08 AM
  • What do you call the file that this script creates?

    $credential = Get-Credential   # prompts for the user name and password
    $EncryptedPW = $credential.Password | ConvertFrom-SecureString   # DPAPI-protected text; no -Key, so only this user on this machine can decrypt it
    $User = $credential.UserName
    $name = $args[0]               # script name passed as the first argument; used in the file name below
    $key = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)   # not used below; only needed for ConvertFrom-SecureString -Key (and then the key is the secret)
    $SecurePW = $EncryptedPW | ConvertTo-SecureString   # round-trip check: decrypt what was just encrypted
    $CredPath = Join-Path $env:USERPROFILE "WindowsPowerShell\$name.ps1.credential"
    $NewCredential = New-Object System.Management.Automation.PSCredential ($User, $SecurePW)
    Write-Host $NewCredential.UserName
    Write-Host $NewCredential.Password   # prints the type name System.Security.SecureString, never the password

    # earlier attempts kept for reference: the file system provider does not support -Credential, and ConvertFrom-SecureString only accepts a SecureString, not a PSCredential
    #Set-Content -Credential $NewCredential -Path $CredPath
    #$NewCredential | ConvertFrom-SecureString | Set-Content $CredPath
    New-Item -ItemType Directory -Path (Split-Path $CredPath) -Force | Out-Null   # Set-Content fails if the folder does not exist yet
    $credential.Password | ConvertFrom-SecureString | Set-Content $CredPath   # writes only the protected password string

    Tuesday, April 5, 2016 4:18 AM
  • Thanks for the non response. But I guess I will not learn from you.

    RAC

    Tuesday, April 5, 2016 4:22 AM
  • What do you call the file that this script creates?

    I call it a text file with a string in it. The fact that it is used to save a partially encrypted string does not make it other than a text file.

    You cannot use a credential object to enter an elevated session.  You can use it to remotely authenticate a connection.  Remote connections do not require elevation.


    \_(ツ)_/

    Tuesday, April 5, 2016 4:30 AM
  • Thanks for the non response. But I guess I will not learn from you.

    RAC


    We can give you the answers.  We cannot make you understand them.  Once you have enough of the basics the understanding will come.

    \_(ツ)_/

    Tuesday, April 5, 2016 4:31 AM
  • Do me a favor.  Don't ever answer any of my questions.

    I prefer answers from people that don't think that they are better than everybody else.

    RAC

    Tuesday, April 5, 2016 4:33 AM
  • I created a task called unlockdrive.  I then did a schtasks /run /S Howard /tn unlockdrive

    and got ERROR: Access is denied.  What did I do wrong?

    RAC

    PS While in task scheduler and click run it works.  But task scheduler was run as administrator.

    PSS admin command prompt it also works.

    As you can now see.  Unlocking a drive cannot be done automatically.  It would defeat the purpose of the security lock.


    \_(ツ)_/

    Tuesday, April 5, 2016 4:34 AM
  • Do me a favor.  Don't ever answer any of my questions.

    I prefer answers from people that don't think that they are better than everybody else.

    RAC

    I am sorry that you feel that you cannot understand my answers.  I try to make them obvious and basic.  Perhaps you could be a little more patient and try to understand what is being proposed.   Sometimes it takes a bit of time to understand how an advanced technology works.  Don't expect too much of yourself during the early stages of learning.  Eventually the basics will become clear and you will find that it is not all that complicated.


    \_(ツ)_/

    Tuesday, April 5, 2016 4:42 AM
  • I will answer this tomorrow when I have  time to give it the response that it deserves.

    RAC

    Tuesday, April 5, 2016 4:46 AM
  • I will answer this tomorrow when I have  time to give it the response that it deserves.

    RAC

    That is alright.  We don't need an answer.  You are the one asking the question and now you have many answers to choose from.

    Primarily that you cannot use stored credentials to bypass a UAC prompt.  No amount of debate will change that.

    Good luck.


    \_(ツ)_/

    Tuesday, April 5, 2016 4:49 AM
  • Rac8006, be so kind to tell me what that script does (syntax). Task scheduler is the correct way for a restricted user to run scripts elevated. But there's also an ACL on the task itself, so the user would need to be entitled to run it, first. Task files (with ACLs to them) are located in c:\windows\system32\tasks
    Tuesday, April 5, 2016 6:12 AM
  • I created a task called unlockdrive.  I then did a schtasks /run /S Howard /tn unlockdrive

    and got ERROR: Access is denied.  What did I do wrong?

    RAC

    PS While in task scheduler and click run it works.  But task scheduler was run as administrator.

    PSS admin command prompt it also works.

    Hi RAC,

    on the general tab of the task configuration, you can see a checkbox named "run with highest privileges" or something like that. Check that one. Just because an account has admin privileges doesn't mean it actually uses them. This checkbox tells the task scheduler to do just that for the task.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Tuesday, April 5, 2016 9:10 AM
  • FWN

    That box is checked.  The task is set to run using the administrator.  I'm assuming that if I set it up to trigger

    at a specific time it will work.  But I can't cause it to run on demand unless I'm running as administrator.

    Thanks.

    RAC

    Tuesday, April 5, 2016 11:35 AM
  • Hi rac,

    ah, I should have read more carefully, you're trying to execute the task on another system. You'll need an account with local admin on the target system for that. At the same time, you do not want your current account running the local PowerShell console to have permissions beyond generic local user and no remote permissions, correct?

    In that case several options exist:

    • Set up a local task that runs under an account that has the necessary permissions to administrate the remote computer and tell it to do it.
    • Provide credentials at runtime. Either by interactively typing it or by loading a credential object from file (not recommended for security reasons, but necessary when needing alternate credentials in an unattended script). This can be somewhat tricky to do; some time back I wrote a function for that and published it on Technet. It comes with a tutorial, too.

    Of course, after you have your credentials or access permissions, you'll still need to clarify how you want to access the remote system. This then determines how you need to use those credentials, but frankly, that's a topic for another discussion.

    Can't say I know how to best access bitlocker myself, since we generally don't use it.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Tuesday, April 5, 2016 12:36 PM
  • FWN

    Sorry for the confusion.  I'm not trying to run this on a remote system.  In the process of trying the schtasks /run /tn unlockdrive, I got a requires system name message.  But today when I run the above command I just get ERROR access denied.  I find it frustrating that code that ran on windows 7 won't work on windows 10.

    Thanks

    RAC

    Tuesday, April 5, 2016 2:27 PM
  • But you read my suggestion? It would work.
    Tuesday, April 5, 2016 2:34 PM
  • There is no such thing as a credential file. Where did you get that idea from?


    Excuse me for referring to a file that is named <script>.ps1.credential as a credential file.  But I got the idea from the windows powershell cookbook where they use the following code:

    $credpath = Join-Path ($env:USERPROFILE) WindowsPowerShell\$name.ps1.credential

    $credential.password | ConvertFrom-securestring | Set-Content $credpath

    RAC

    Tuesday, April 5, 2016 2:49 PM
  • Why do I need a credential file?  Even if I create the file with the proper username and password.

    I still need to enter the password to do a runas.  Does this mean that every administrator has to either

    be logged in as administrator to run scripts as administrator.  What about running a script on a remote system

    does he have to always enter the password?  On windows 7 pro I was able to use the credential file to run a script as

    administrator without having to enter the password.

    They say don't run your system always logged in as administrator.  But to unlock a bitlocked drive you need to be administrator.

    But to run a script on the bitlocked drive you need to not be administrator.  So you can't use one script to unlock the drive run your script and the relock the drive.

    RAC


    It takes a while to learn things like advanced technologies.  Physics, chemistry, math and other complex things require many years of training to master.  Be patient. You will learn at your own pace.

    \_(ツ)_/

    You consider this an answer?  It is a statement.  No reference to the questions asked.  Sorry that I don't understand that when I google how to run a script without a prompt and get several responses on how to run a script but they don't work.  Sorry that the googled information doesn't say that it does not work on windows 10.

    Sorry that after 10 years or more of using powershell scripts I don't know as much as you.  I hope if you have kids this is not the kind of response you give them when they ask a question.

    RAC

    Tuesday, April 5, 2016 2:56 PM
  • Rac8006, be so kind to tell me what that script does (syntax). Task scheduler is the correct way for a restricted user to run scripts elevated. But there's also an ACL on the task itself, so the user would need to be entitled to run it, first. Task files (with ACLs to them) are located in c:\windows\system32\tasks

    The script is to just unlock a bitlocked drive, wait for Quicken to start and end, then lock the drive.  The script is below.  If I run schtasks /run /tn unlockdrive, it works if I'm using a command prompt(admin).  I'm not familiar with ACLs.  I looked at the properties of the file at c:\windows\system32\tasks\unlockdrive.  It shows that the administrator has all rights.  For my user it shows all the check marks grayed out.

    Thanks

    Import-Module BitLocker
    $credpath = 'c:\users\Administrator\WindowsPowerShell\Bitlocker.ps1.credential'
    $credpath
    # DPAPI-protected string written by ConvertFrom-SecureString; only the account that created it can decrypt it
    $pw = Get-Content $credpath | ConvertTo-SecureString

    Write-Host "password loaded"   # $pw is a SecureString; writing it to the console would only show the type name
    Mount-VHD -Path 'F:\Hyper-V\Virtual Hard Disks\Quicken.vhd'
    Unlock-BitLocker -MountPoint Y: -Password $pw
    Start-Sleep -s 30              # give Quicken (qw.exe) time to start
    $p = Get-Process qw -ErrorAction SilentlyContinue
    if ($p) {
        Write-Host "waiting for qw"
        Wait-Process -Id $p.Id     # without the check, an empty $p would make Wait-Process fail
        Write-Host "qw done"
    }
    Start-Sleep -s 5
    Lock-BitLocker -MountPoint "Y:"
    Dismount-VHD -Path 'F:\Hyper-V\Virtual Hard Disks\Quicken.vhd'

    Start-Sleep -s 10

    Tuesday, April 5, 2016 3:09 PM
  • There is no such thing as a credential file. Where did you get that idea from?


    Excuse me for referring to a file that is named <script>.ps1.credential as a credential file.  But I got the idea from the windows powershell cookbook where they use the following code:

    $credpath = Join-Path ($env:USERPROFILE) WindowsPowerShell\$name.ps1.credential

    $credential.password | ConvertFrom-securestring | Set-Content $credpath

    RAC

    There is a much simpler way to store credentials to disk in PowerShell. The Get-Credential cmdlet generates a PSCredential object, which essentially contains two things - a username and an encrypted password string. You can then use Export-CliXml to store this object (or any PowerShell object) in an XML formatted text file:

    Get-Credential | Export-CliXml c:\scripts\Cred.xml

    Now to use this credential in a script, reverse this and use Import-CliXml:

    $Credential = Import-CliXml c:\scripts\cred.xml

    Now when your script runs you have an almost live version of the original object.

    Since the password in a PSCredential object is stored as a secure string, it is protected by the Windows Data Protection API, which is the same subsystem that is used to protect secrets in Windows, such as stored credentials and keys for the Windows Encrypting File System.

    I know this doesn't solve your primary problem, but it's worth clearing up these discussions around saving passwords to disk.

    Tuesday, April 5, 2016 3:36 PM
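    The following is an added example, not code from any post in this thread, that shows what the two on-disk formats discussed above (the cookbook's ConvertFrom-SecureString text file and Export-Clixml) actually protect, and where that protection stops. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, a writable $env:TEMP, and uses constructed sample account values and file names.

```powershell
# Added example: DPAPI-bound credential files versus the -Key variant.
# Sample paths and account values are constructed for the demo.

$credPath = Join-Path $env:TEMP 'example.ps1.credential'   # cookbook style: password string only
$xmlPath  = Join-Path $env:TEMP 'example.cred.xml'         # Export-Clixml style: whole PSCredential

# Build a credential without prompting (constructed values, not a real account).
$samplePw = ConvertTo-SecureString 'Sample-P@ss-Only-For-Demo' -AsPlainText -Force
$cred  = New-Object System.Management.Automation.PSCredential ('DEMO\svc-example', $samplePw)
$plain = $cred.GetNetworkCredential().Password   # used only for the comparisons below; never log this in a real script

# 1) Cookbook style. ConvertFrom-SecureString without -Key uses DPAPI with the current user's key,
#    so the string in the file decrypts only for this user profile on this machine.
$cred.Password | ConvertFrom-SecureString | Set-Content -Path $credPath
$restoredPw = Get-Content -Path $credPath | ConvertTo-SecureString
$restored   = New-Object System.Management.Automation.PSCredential ($cred.UserName, $restoredPw)
"cookbook file round-trips for this user : " + ($restored.GetNetworkCredential().Password -eq $plain)

# 2) Export-Clixml. Same DPAPI protection for the password, but user name and password are
#    serialized together and Import-Clixml hands back a ready PSCredential.
$cred | Export-Clixml -Path $xmlPath
$fromXml = Import-Clixml -Path $xmlPath
"clixml file round-trips for this user   : " + ($fromXml.GetNetworkCredential().Password -eq $plain)

# 3) What is on disk is a hex blob, not the password. Copied to another account or another machine,
#    ConvertTo-SecureString / Import-Clixml fail with "Key not valid for use in specified state"
#    instead of yielding the password.
"cookbook file contents : " + (Get-Content -Path $credPath).Substring(0, 40) + '...'
"clixml password element: " + (Select-String -Path $xmlPath -Pattern 'N="Password"').Line.Trim().Substring(0, 40) + '...'

# 4) The -Key variant seen in the cookbook script is portable precisely because the key replaces DPAPI.
#    Whoever can read the script can read the key, so this file is as good as plaintext.
$key = [byte[]](1..24)                                   # a key embedded in a script is not a secret
$portable  = $cred.Password | ConvertFrom-SecureString -Key $key
$recovered = New-Object System.Management.Automation.PSCredential ('any', ($portable | ConvertTo-SecureString -Key $key))
"-Key file recoverable by anyone holding the key : " + ($recovered.GetNetworkCredential().Password -eq $plain)

Remove-Item -Path $credPath, $xmlPath -ErrorAction SilentlyContinue
```

    Run as the same user, all three round-trip checks print True. The practical consequence for an unattended script is that the file has to be created by the account the scheduled task runs as, on the machine where it runs; that is also why a file created by a standard user is of no use for elevating to an administrator account, which is the point jrv keeps making.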
  • Why do I need a credential file?  Even if I create the file with the proper username and password.

    You consider this an answer?  It is a statement.  No reference to the questions asked.  Sorry that I don't understand that when I google how to run a script without a prompt and get several responses on how to run a script but they don't work.  Sorry that the googled information doesn't say that it does not work on windows 10.

    Sorry that after 10 years or more of using powershell scripts I don't know as much as you.  I hope if you have kids this is not the kind of response you give them when they ask a question.

    RAC

    The first thing we teach kids is how to ask a question. They are very good at that and get good answers.

    I answered your exact question twice.  Others have also answered the question.  I will answer it again:

    You cannot use saved credentials to do a "RunAs" or to prevent a UAC challenge. 

    Since you have so many years of PowerShell experience then you already know this.  Why are you asking a question that you already know the answer to.  You cannot change the answer.


    \_(ツ)_/

    Tuesday, April 5, 2016 4:31 PM
  • There is no such thing as a credential file. Where did you get that idea from?


    Excuse me for referring to a file that is named <script>.ps1.credential as a credential file.  But I got the idea from the windows powershell cookbook where they use the following code:

    $credpath = Join-Path ($env:USERPROFILE) WindowsPowerShell\$name.ps1.credential

    $credential.password | ConvertFrom-securestring | Set-Content $credpath

    RAC

    Ok..  Yes.  That is called a text file. The cookbook is just showing you an example of how to save a string (password on credential object in this case) into a text file (Set-Content creates text files only) that has a "credential" extension.  The file could have any name.  The code shows how to convert the "SecureString" object into a text string that can be saved into a file.  I would save the whole credential object as XML which is more useful.  I believe your version of the cookbook is for PowerShell V1.


    \_(ツ)_/

    Tuesday, April 5, 2016 4:40 PM
  • Note

    • You can set a BitLocker-protected removable data drive to unlock automatically when you start Windows. Insert the removable drive you want to unlock automatically, tap or click More options, and then select the Automatically unlock on this PC check box. (You still need to unlock the drive a last time before auto-unlock takes effect.)

    http://windows.microsoft.com/en-US/windows-8/unlock-bitlocker-protected-drive


    \_(ツ)_/

    Tuesday, April 5, 2016 4:59 PM

  • I would save the whole credential object as XML which is more useful.  I believe your version of the cookbook is for PowerShell V1.


    \_(ツ)_/

    Actually, serializing a PSCredential with Export-Clixml didn't work with PS V2 either. While the book usually referred to as "cookbook" was written for PS3, it might just be that this habit remained and wasn't clarified at print time.


    There's no place like 127.0.0.1

    Tuesday, April 5, 2016 9:23 PM
  • I am pretty sure that the original "Cookbook" was written for V1 and released with updates for V2.  The rest were likely written, as you note, at V3.

    CliXml has been available since V1.

    The online documentation has recently been stripped of all references to V1 as it is no longer supported.  I also see that V2 references have disappeared since it is no longer supported natively.  With the release of WS2016 we should see support for V3 disappear.


    \_(ツ)_/

    Tuesday, April 5, 2016 10:07 PM
  • I am pretty sure that the original "Cookbook" was written for V1 and released with updates for V2.  The rest were likely written, as you note, at V3.

    CliXml has been available since V1.

    The online documentation has recently been stripped of all references to V1 as it is no longer supported.  I also see that V2 references have disappeared since it is no longer supported natively.  With the release of WS2016 we should see support for V3 disappear.


    \_(ツ)_/

    Good to know about the cookbook history, have only seen the V3 version so far. Yes I'm aware that Clixml has been around from the start. Haven't been able to serialize and deserialize a PSCredential Object under PowerShell V2 and Windows v6.1 yet though. The Password was always broken, upgrading WMF to 3+ fixes that though.

    There's no place like 127.0.0.1

    Tuesday, April 5, 2016 10:12 PM
  • I see that using the method that you described.  I can run a command prompt(admin) and run a command that requires administration.  Then I can load the credentials for a user and run a command as that user.  But how do I get back to the administrator now that I've changed the $credential?  Also it appears that on windows 10 you can no longer load the administrator credentials and run a command as administrator.

    RAC

    Tuesday, April 5, 2016 10:19 PM
  • FWN

    The unlockdrive file that is in the tasks folder does not allow the ordinary user to start the task.

    RAC

    Tuesday, April 5, 2016 10:21 PM
  • Good to know about the cookbook history, have only seen the V3 version so far. Yes I'm aware that Clixml has been around from the start. Haven't been able to serialize and deserialize a PSCredential Object under PowerShell V2 and Windows v6.1 yet though. The Password was always broken, upgrading WMF to 3+ fixes that though.

    There's no place like 127.0.0.1

    It is not likely that XP has the correct Net Framework version. Later I will crank up a copy of XP to see what it has.

    Running V2 on WS2008R2 produces this for password:

          <S N="Password">System.Security.SecureString</S>

    I am pretty sure that indicates that the serializer for the secure string class does not exist in V2 and earlier.


    \_(ツ)_/

    Tuesday, April 5, 2016 10:24 PM

  • It is not likely that XP has the correct Net Framework version. Later I will crank up a copy of XP to see what it has.

    Running V2 on WS2008R2 produces this for password:

          <S N="Password">System.Security.SecureString</S>

    I am pretty sure that indicates that the serializer for the secure string class does not exist in V2 and earlier.


    \_(ツ)_/

    Aye, that's the conclusion I reached myself when I gave up on it and did it the old way. Don't know how you jumped to XP, though I'm sure you're right in that it won't work there as well.

    Edit: Might be interesting to see whether this can be retrofitted though. Maybe with a custom pstypeserializer + Updating the typedata of securestring to use it ... *hmmm* bears thinking upon. Or maybe not, rather update remaining 6.1 systems to WMF5 I guess.


    There's no place like 127.0.0.1


    • Edited by FWN Tuesday, April 5, 2016 11:38 PM
    Tuesday, April 5, 2016 11:34 PM
  • FWN

    Thanks for the information about tasks.  I was finally able to figure out how to get the task to run on demand from a standard user account.  I can now unlock my bitlock drive without having to enter a password.  It is just a pain to have to rewrite your code every time Microsoft ships a new version of windows.

    again thanks

    RAC

    Wednesday, April 6, 2016 1:46 AM
  • Hi Rac,

    glad to have been of assistance. What was necessary to allow the task to be triggered?

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Wednesday, April 6, 2016 6:48 AM
  • I used the cmdlet new-eventlog -logname application -source task

    This created a new source for the application event log.  I then setup the unlockdrive task to trigger on an event log application source task eventid 1.  Then I did a write-eventlog -logname Application -source "task" -eventID 1 -entrytype Information -message "unlockdrive"

    Every time I write this to the log it unlocks the drive.

    Thanks again

    RAC
    • Marked as answer by rac8006 Thursday, April 7, 2016 8:29 PM
    Wednesday, April 6, 2016 1:13 PM
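    The following is an added example, not code from any post in this thread, that puts the accepted answer and Fred's earlier suggestions together: an elevated scheduled task (run as an administrator account with highest privileges) that a standard user triggers by writing an event rather than by calling schtasks /run, which the task ACL blocks for non-admins. The task name, the script path and the event source are constructed for the example; the script it launches is assumed to be the poster's unlockdrive.ps1 stored where only administrators can write.

```powershell
# Added example: event-triggered elevated task. Steps 1-4 run once from an elevated PowerShell;
# step 5 is what the standard user's shortcut runs. All names below are constructed.

$taskName   = 'unlockdrive-example'
$scriptPath = 'C:\Scripts\unlockdrive.ps1'   # constructed path; keep this file writable by admins only
$source     = 'task'                         # event source used in the accepted answer
$eventId    = 1

# 1) Register the event source once (needs admin). Write-EventLog fails if the source is unknown.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# 2) Action: run the script non-interactively.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy AllSigned -File `"$scriptPath`""

# 3) Trigger: fire when Application / <source> / EventID <eventId> is written. The ScheduledTasks
#    module has no New-ScheduledTaskTrigger for events, so the CIM trigger object is built directly.
$subscription = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='$source'] and EventID=$eventId]]</Select>
  </Query>
</QueryList>
"@
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true

# 4) Register under an administrator account with -RunLevel Highest (the "run with highest privileges"
#    checkbox Fred mentions). The credentials are stored by the Task Scheduler service, not in a file.
$adminCred = Get-Credential -Message 'Account the task runs as (must be a local administrator)'
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $adminCred.UserName -Password $adminCred.GetNetworkCredential().Password `
    -RunLevel Highest -Force | Out-Null

# 5) From the standard user's session (for example the Quicken shortcut): raise the event.
#    Writing to the Application log with a registered source needs no elevation and no rights on
#    the task itself, which is why this works where schtasks /run returned "Access is denied".
#    Note for the defender: anything on the machine that can write this event can unlock the drive,
#    so the source name is part of the trust boundary, not a secret, and the unlock script should
#    lock the volume again as soon as the work is done.
Write-EventLog -LogName Application -Source $source -EventId $eventId -EntryType Information -Message 'unlockdrive'

# 6) Check from the administrator's session that the task fired (LastTaskResult 0 means success).
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

    Compared with the original Windows 7 approach, no password is written to disk at all: the administrator's password lives in the Task Scheduler credential store, and the standard user only ever writes an informational event. If several users share the machine, remember that an unlocked BitLocker volume is readable by every logged-on account that has NTFS access to it, so the lock step in the script matters as much as the unlock.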