First published by Vasily Gusev, 4 Sep 2011 4:29 AM
Last revision by Chen V (MVP, Microsoft Community Contributor), 8 Jan 2015 3:07 AM
Revisions: 24
Comments: 26
Working with Passwords, Secure Strings and Credentials in Windows PowerShell
Table of Contents
Introduction
Create SecureString
Create PSCredentials
Extract password from PSCredentials
Extract password from SecureString
Saving encrypted password to file or registry
Best Practices
TechNet Gallery
Introduction
Passwords in PowerShell can be stored in a number of different forms:
String - Plain text strings. Used to store any text, and of course these can store passwords too. Strings are insecure: they are stored in memory as plain text, and most cmdlets will not accept passwords in this form.
System.Security.SecureString - This type is like the usual string, but its contents are encrypted in memory. It uses reversible encryption, so the password can be decrypted when needed, but only by the principal that encrypted it.
System.Management.Automation.PSCredential - PSCredential is a class composed of a username (string) and a password (SecureString). This is the type that most cmdlets require for specifying credentials.
Converting from one type to another is not always an obvious task. The suggested methods are as follows:
Create SecureString
Type the password in an interactive prompt
    $SecurePassword = Read-Host -Prompt "Enter password" -AsSecureString
Convert from existing plaintext variable
    $PlainPassword = "P@ssw0rd"
    $SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
Create PSCredentials
Assuming that you have the password in SecureString form in the $SecurePassword variable:
    $UserName = "Domain\User"
    $Credentials = New-Object System.Management.Automation.PSCredential `
        -ArgumentList $UserName, $SecurePassword
Extract password from PSCredentials
The password can be easily obtained from a PSCredential object using the GetNetworkCredential method:
    $PlainPassword = $Credentials.GetNetworkCredential().Password
Extract password from SecureString
If you have just a simple SecureString with the password, you can construct a PSCredential object and extract the password by using the previous method. Another method is this:
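    $BSTR = `
        [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
    $PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
    # Zero and free the unmanaged copy of the password once it has been read
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)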
Saving encrypted password to file or registry
If you need to store a password for a script that runs unattended, started by a scheduler or in some other way, it is possible to save it to the file system or registry in encrypted form. The saved value is the string representation of a SecureString. Only the user that created this string can decrypt and use it, so when saving this value, use the same account that the script or service will use.
Converting SecureString variable to secure plain text representation
    $SecureStringAsPlainText = $SecurePassword | ConvertFrom-SecureString
$SecureStringAsPlainText looks like this: "ea32f9d30de3d3dc7fcd86a6a8f587ed9" (actually longer), and can be easily stored in a file, a registry property or any other storage. When the script needs to obtain the SecureString object, it can be done this way:
    $SecureString = $SecureStringAsPlainText | ConvertTo-SecureString
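The save and load steps above, put together for an unattended script and with the wrong-account failure handled explicitly. This is an added example, not code from the original article; the function names Save-EncryptedPassword and Get-SavedCredential, the file path and the account name are hypothetical.

```powershell
# Added example: $CredentialFile and $UserName are hypothetical placeholders.
$CredentialFile = Join-Path $env:LOCALAPPDATA 'MyScript\job.cred'
$UserName       = 'Domain\User'

function Save-EncryptedPassword {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Run once, interactively, logged on as the account the job will run under.
    $secure = Read-Host -Prompt 'Enter password to store' -AsSecureString
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # Only the encrypted text representation is written to disk.
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII
}

function Get-SavedCredential {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$User
    )

    if (-not (Test-Path $Path)) {
        throw "No saved password at '$Path'. Run Save-EncryptedPassword as the job account first."
    }
    try {
        $secure = Get-Content -Path $Path -TotalCount 1 |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Decryption fails when the file was written by a different user
        # or the content is damaged; stop here with a clear error.
        $msg = "Cannot decrypt '{0}' as {1}\{2}: {3}" -f $Path, $env:USERDOMAIN, $env:USERNAME, $_.Exception.Message
        throw $msg
    }
    if (-not $secure) { throw "Saved password file '$Path' is empty." }
    New-Object System.Management.Automation.PSCredential -ArgumentList $User, $secure
}

# One-time setup (interactive, as the job account):
#   Save-EncryptedPassword -Path $CredentialFile
# In the unattended script:
#   $Credentials = Get-SavedCredential -Path $CredentialFile -User $UserName
```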
Best Practices
Where possible, do not ask for passwords and try to use integrated Windows authentication.
When it is not possible or when specifying different credentials is useful, cmdlets should accept passwords only in the form of PSCredentials or (if a username is not needed) as SecureString, but not plain text.
If you need to ask the user for a credential, use the Get-Credential cmdlet. It uses a standard Windows function to receive the password in a consistent and secure manner without storing it in memory as clear text.
Credentials should also be passed to external systems in the most secure way possible, ideally as PSCredentials too.
Passwords should not be saved to disk, registry or other unprotected storage as plain text. Use the text representation of a SecureString (the output of ConvertFrom-SecureString) when possible.
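A function that follows these practices: it uses the caller's integrated Windows identity by default, accepts alternate credentials only as a PSCredential, and passes them on in the same form. This is an added example, not code from the original article; the function name Get-RemoteUptime and the remote query it runs are hypothetical.

```powershell
function Get-RemoteUptime {   # hypothetical function name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,

        # Optional. Takes a PSCredential object; if only a user name string is
        # supplied, the Credential() attribute shows the standard credential
        # prompt, so the password never appears as a plain text parameter.
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential = [System.Management.Automation.PSCredential]::Empty
    )

    $params = @{
        ComputerName = $ComputerName
        ScriptBlock  = { (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }
    }

    # No credential supplied: integrated Windows authentication is used.
    # Credential supplied: forward it unchanged as a PSCredential.
    if ($Credential -ne [System.Management.Automation.PSCredential]::Empty) {
        $params.Credential = $Credential
    }

    Invoke-Command @params
}

# Usage:
#   Get-RemoteUptime -ComputerName Server01
#   Get-RemoteUptime -ComputerName Server01 -Credential (Get-Credential)
```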
TechNet Gallery
https://gallery.technet.microsoft.com/Execute-PowerShell-Script-38881dce