How to Use an Environment Variable as a Password Credential to Run a Batch Script
Preface
First and foremost, I want to say that storing passwords in environment variables is NOT a secure practice
in the grand scheme of security; nor is storing clear-text, unencrypted passwords in plain text files.
That being said, a disposable/volatile environment variable CAN BE more secure than storing a password in
a plain text file, if used properly, with discretion and within a limited scope (i.e., only during brief,
active sessions, fully exiting the session when the script has completed); only on an internal network,
behind a firewall; and only in a location where physical access also is properly restricted and monitored.
Assumptions
- You are running Windows 7
- You know how to get to the Windows "command shell." (Click "Start," type "cmd" and then press "Enter")
- You know how to use Notepad or equivalent tools to create a ".bat" script file in a "c:\scripts" area.
- You already have (or you create) a "c:\scripts" folder to hold your scripts
- For this example, you have the "psexec" utility in a "c:\tools" folder
Advantages
- Alleviates the need to store the password in the script itself
- Password is destroyed at the end of the script by clearing the variable and/or exiting the command window
- Ease of use: quickly set any password in a variable and run a script that uses that variable
- Keeps the password out of the script text and, with "@echo off," off the screen during script execution
- Slightly more secure than typing your password directly on the command line when executing a script
- Slightly more secure than saving a clear-text, hard-coded password in a plain text file
Disadvantages
Insecure
a. Your password still is in clear text, so it can be picked up (inside your network) via sniffers. Older PsExec
releases send the -u/-p credentials over the network unencrypted; later releases encrypt the session, so check
which version you have in c:\tools.
b. Your password also may be picked up by other internal Systems Admins / Network Admins with various tools:
the variable is inherited by every process the shell starts, and the psexec command line, which contains the
expanded password, can be read by a local administrator with Task Manager, Process Explorer or WMI for as long
as each psexec process runs. The "set pwd=..." line also stays in the window's command history (press F7 to
see it) until the window is closed.
Crash-sensitive
If your system or session crashes before script completion, your password may or may not be exposed,
depending on the type and level of crash; and, to finish the script, you need to determine where it crashed,
in the context of how far the script progressed (i.e., what was the last successful line?).
Steps
1. Go to the Windows command shell
2. Create a scripts folder, if you don't already have one
md c:\scripts
3. Change directory to your scripts folder
cd /d c:\scripts
4. Set a password environment variable for temporary use by the script
set pwd=YourOwnPassword
NOTE: REMEMBER: NO SPACES before or after the "=" sign. A space after it would become the first character of
the password, and a trailing space would become its last. This line stays in the window's command history
(F7) until the window is closed, which is why step 8 matters.
5. Create a batch script, using an environment variable
In this example, the environment variable "pwd" is used to hold the user's password
Example: notepad javaupdate.bat
WARNING: You MUST include the "@echo off" line; without it, cmd echoes each command to the screen as it runs,
with "%pwd%" already expanded to your password.
@echo off
rem - javaupdate.bat -
echo.
echo "Executing the javaupdate.bat script"
echo.
rem Uninstall old java; then install new java (2 lines per PC)
c:\tools\psexec -u myDom\%1 -p %pwd% \\PC1 MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83217005FF} /qn
c:\tools\psexec -u myDom\%1 -p %pwd% \\PC1 MsiExec.exe /i "\\netserver\jre7\java7.msi" /qn /lv \\netserver\jre7\javalogs\PC1LOG.txt
c:\tools\psexec -u myDom\%1 -p %pwd% \\PC2 MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83217005FF} /qn
c:\tools\psexec -u myDom\%1 -p %pwd% \\PC2 MsiExec.exe /i "\\netserver\jre7\java7.msi" /qn /lv \\netserver\jre7\javalogs\PC2LOG.txt
echo.
rem - Delete the password by removing the "pwd" variable ("set pwd=" with nothing after the "=").
rem - Do NOT use set pwd="" - that stores the two-character value "" in the variable instead of clearing it.
set pwd=
echo "Done. Exiting script."
rem - exit
6. Execute the batch script
In this case, execute the script with "Your-Domain-UserID" as the only parameter ("%1"). The password is taken
from the "pwd" variable you set in step 4, so it is NOT typed on this command line; putting it there would place
it back in the visible command line and the window's history, which is exactly what the variable is meant to avoid.
NOTE: By including the domain ("myDom\") after the "-u," as in the example above, you then only need to enter
the UserID parameter; this saves a bit of typing when executing the script:
javaupdate jsmith
NOTE: Where "jsmith" is "myDom\jsmith" and the "pwd" variable holds the password for that user's account.
After each line executes, "psexec" will display "MsiExec.exe exited on PC1 with error code 0." if
the UserID+password credentials were passed properly and the step executed successfully. Any other exit code
means that step failed; stop and check it, because the script above does not check exit codes itself.
7. After execution, if desired, review results of the log files:
notepad \\netserver\jre7\javalogs\PC1LOG.txt
notepad \\netserver\jre7\javalogs\PC2LOG.txt
8. For added security, exit (close) the Windows command shell when done; closing the window also discards the
command history that still contains your "set pwd=..." line
(or uncomment the "rem - exit" in the script above: "exit" without "/b" ends the cmd process, so the window
closes by itself when the script finishes)
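The following script is an added example, not the original javaupdate.bat. It follows the same procedure (psexec with -u/-p against a list of PCs, uninstall then install, logs on \\netserver) but closes the three gaps noted above: the password is entered at a masked prompt rather than with "set pwd=...", so it never lands in the window's command history; it is cleared on every exit path, including failures, rather than only on the last line; and the first failing step is reported so you know where to resume. The script name, the "targets" and "failed" variables, and the use of PowerShell (bundled with Windows 7) for the masked prompt are assumptions of this example; the paths, product code and "myDom" domain are taken from the article.

```batch
@echo off
rem javaupdate2.bat - added example, not the article's javaupdate.bat.
rem Usage: javaupdate2 domain-userid [pc1 pc2 ...]
rem Assumptions: PowerShell is available (bundled with Windows 7), psexec.exe
rem is in c:\tools, and the MSI, log share and product code are the article's.
setlocal

if "%~1"=="" (
    echo Usage: %~n0 ^<domain-userid^> [pc1 pc2 ...]
    exit /b 2
)
if not exist "c:\tools\psexec.exe" (
    echo psexec.exe not found in c:\tools
    exit /b 2
)
set "userid=%~1"
shift

rem Remaining arguments are the target PCs; default to the article's two.
set "targets="
:collect
if "%~1"=="" goto :collected
set "targets=%targets% %~1"
shift
goto :collect
:collected
if not defined targets set "targets=PC1 PC2"

rem Masked prompt: nothing is echoed and no "set pwd=..." line goes into the
rem command history. psexec -p still needs the plain text, so the SecureString
rem is converted back. Passwords containing cmd metacharacters (percent,
rem exclamation mark, caret, quote, ampersand) are out of scope for this example.
<nul set /p "=Password for myDom\%userid% (input is hidden): "
for /f "usebackq delims=" %%P in (`powershell -NoProfile -Command "$s = Read-Host -AsSecureString; [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($s))"`) do set "pwd=%%P"
echo.
if not defined pwd (
    echo No password entered.
    exit /b 2
)

rem Stop at the first failure; "if defined" is evaluated at run time, so the
rem remaining targets are skipped once "failed" is set.
set "failed="
for %%P in (%targets%) do if not defined failed call :deploy %%P
goto :cleanup

:deploy
rem %1 = target PC. MSI exit codes: 1605 = product not installed (nothing to
rem remove), 3010 = installed but a reboot is required; both count as success.
echo --- %1: removing old Java ---
c:\tools\psexec -u myDom\%userid% -p "%pwd%" \\%1 MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83217005FF} /qn
if %errorlevel% neq 0 if %errorlevel% neq 1605 (
    set "failed=%1 uninstall (exit code %errorlevel%)"
    exit /b 1
)
echo --- %1: installing Java 7 ---
c:\tools\psexec -u myDom\%userid% -p "%pwd%" \\%1 MsiExec.exe /i "\\netserver\jre7\java7.msi" /qn /lv \\netserver\jre7\javalogs\%1LOG.txt
if %errorlevel% neq 0 if %errorlevel% neq 3010 (
    set "failed=%1 install (exit code %errorlevel%)"
    exit /b 1
)
exit /b 0

:cleanup
rem Reached on success and on failure alike. "set pwd=" removes the variable;
rem set pwd="" would instead leave the two-character value "" in it. The
rem setlocal scope also discards it when the script ends by any route.
set "pwd="
if defined failed (
    echo FAILED at: %failed% - later targets were skipped.
    exit /b 1
)
echo All targets done. Logs are in \\netserver\jre7\javalogs.
endlocal
exit /b 0
```

Run it as "javaupdate2 jsmith" (or "javaupdate2 jsmith PC3 PC4" to override the target list). What this does not change: each psexec process still carries the password in its command line and inherits it in its environment, so a local administrator can read it while that process runs, and a hard crash of the console leaves the variable to die with the process rather than being cleared by the script.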
See Also
- Is it secure to store passwords in environment variables...
- Is storing a password in a Windows user environment variable bad practice?