Passing a Password Variable

I'm trying to run an uninstaller that requires a password to work properly. I can make it work by feeding the password in the command line field as normal, but I would prefer to store it as a secure variable. Is this possible to do natively in PDQ? I've been stumbling through passing an AES encrypted password file and then trying to read it, but I'm hoping for an easier way.



Date Votes
  • No, Deploy can't do that natively. It sounds like you already found this blog, but just in case:

  • I was afraid you'd say that. Yes, I've been working with that blog post. I think that works correctly, but this particular .exe installer doesn't like being called from Powershell.

    I'm pretty sure I'm just formatting my Powershell incorrectly and this is purely a Powershell issue at this point. Attempting to create the script in ISE and running it locally, it seems like it doesn't run the same as it does from PDQ.

    I've tried different forms of passing arguments:
    & .\installer.exe /silentswitch /otherswitch /uninstallpassword $password
    .\installer.exe /silentswitch /otherswitch /uninstallpassword $password
    Start-Process ".\installer.exe" -ArgumentList "/silentswitch /otherswitch /uninstallpassword $password"
    Start-Process ".\installer.exe" -ArgumentList "/silentswitch","/otherswitch","/uninstallpassword $password"
    and so on.

  • Does it throw an error, or does it just fail silently? Does the password have any special characters or spaces in it? Have you tried outputting the password (using a fake password) to make sure the decryption is working on the target?

  • It fails silently. Hmm, yeah I didn't think to escape special characters. Uh, how can I even do that in a secure string?
    *2 seconds of Google later*
    I'll try a hex string and see how that goes, I guess?

    Yeah, when I've tried outputting the variable it just prints out "System.Security.SecureString" which, I suspected was supposed to happen. Here's my current horrible code:

    $PasswordFile = "pass.txt"
    $KeyFile = "AES.key"
    $Key = Get-Content $KeyFile
    $CPass = (Get-Content $PasswordFile | ConvertTo-SecureString -Key $Key)
    $app = '.\genericantivirusinstaller.exe'
    $arg1 = '/switch1'
    $arg2 = '/switch2'
    $arg3 = '/removeswitch 1'
    $arg4 = '/uninstallpassword ' + "$CPass"

    & $app $arg1 $arg2 $arg3 $arg4

    When I output $CPass is when I get the above mentioned output. It might be that I've messed up the conversion of the password into a secure string. Even doing ConvertFrom-SecureString -AsPlainText throws an error....
    *An additional second of Google and caffeine heightened reading comprehension*
    Okay, so I missed the fact that this parameter, -AsPlainText, was added in Powershell 7... which I'm not running.

    I'll continue blundering through this until I find out where I went wrong.

  • Oops. It's been a long time since I've worked with SecureString objects. I forgot that they made it difficult to convert them back to plaintext.

    Sorry about sharing that as a screenshot. Zendesk keeps marking my comment as spam when I try to post the actual text.

  • Yep, that did it. I was able to get the plain text with the -AsPlainText parameter in PS 7, but I didn't have any intention of putting 7 on my endpoints.

    However, your code snippet worked for me! I was about to mess with BSTR, whatever that is. Thanks! Now, I've got a working Deploy package!


Please sign in to leave a comment.

Didn't find what you were looking for?

New post