<http://www.netikka.net/tsneti/info/tscmd182.php>
Copyright © 2003- by Prof. Timo Salmi  
Last modified Sun 4-May-2014 15:51:58

 
Assorted NT/2000/XP/.. CMD.EXE Script Tricks
From the html version of the tscmd.zip 1cmdfaq.txt file
 

This page is edited from the 1cmdfaq.txt faq-file contained in my tscmd.zip command line interface (CLI) collection. That zipped file has much additional material, including a number of detached .cmd script files. It is recommended that you also get the zipped version as a companion.

Please see "The Description and the Index page" for the conditions of usage and other such information.



182} How do I protect a script, e.g. for safe access to user passwords?

Probably the safest solution is to use PGP encryption. E.g. one could use an MS-DOS PGP program to keep the following file in a PGP-encrypted format only. (For the details of how to encrypt a file, download the PGP program package given further down and read its documentation.)
  @echo off
  :: Set the users and passwords information
  set user1_=foouser
  set pass1_=foopassword

To utilize that encrypted information one might have e.g. the following plain script
  @echo off & setlocal enableextensions
  rem Note: Avoid using long filenames (a PGP old version limitation)
  ::
  if defined ProgramW6432 (
    echo/
    echo Exiting: %~f0 is incompatible with a 64-bit OS
    goto :EOF)
  ::
  :: A temporary folder

  set temp_=%temp%
  if defined mytemp if exist "%mytemp%\" set temp_=%mytemp%
  ::
  :: The location of the encrypted and decrypted scripts

  set EncryptedBatch=C:\_M\batch.pgp
  set DecryptedBatch=%temp_%\batch.cmd
  ::
  call :DecryptFile %EncryptedBatch% %DecryptedBatch%
  ::
  call %DecryptedBatch%
  ::
  :: Just for demonstration show that it worked

  echo user1_=%user1_%
  echo pass1_=%pass1_%
  ::
  :: Clean up

  for %%f in (%DecryptedBatch%) do if exist %%f del %%f
  for %%v in (user1_ pass1_) do set %%v=
  ::
  endlocal & goto :EOF
  ::
  :: A decryption subroutine utilizing
  :: 306805 Jan 18 1996 pgp263i.zip
  :: Pretty Good Privacy RSA public key cryptography, P.Zimmermann

  :DecryptFile
  setlocal enableextensions
  set path_=%path%
  set tz_=%TZ%
  set TZ=Europe/Helsinki
  SET PGPPATH=C:\PGP
  SET PATH=%PGPPATH%;%PATH%
  %PGPPATH%\pgp -d %~1 -o %~2
  set path=%path_%
  set path_=
  set TZ=%tz_%
  endlocal & goto :EOF

The (test) output will be something like
  C:\_M>C:\_D\TEST\CMDFAQ.CMD
  Pretty Good Privacy(tm) 2.6.3i - Public-key encryption for the masses.
  (c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 1996-01-18
  International version - not for use in the USA. Does not use RSAREF.
  Current time: 2010/07/19 20:37 GMT

  File is encrypted. Secret key is required to read it.
  Key for user ID: John Doe <john@doe.fi>
  1024-bit key, key ID ABC1234D, created 2003/11/26

  You need a pass phrase to unlock your RSA secret key.
  Enter pass phrase: Pass phrase is good.  Just a moment......
  Plaintext filename: C:\_M\TEMP\batch.cmd
  user1_=foouser
  pass1_=foopassword

One potential true-life usage of the technique is getting or putting material from or to an FTP site. See Item #84.

Encryption solutions other than PGP could also be used, especially since PGP encryption is not quite trivial to install on a PC the first time. A somewhat easier method is to put the confidential script into a scrambled zipfile.
  @echo off & setlocal enableextensions
  ::
  if defined ProgramW6432 (
    echo/
    echo Exiting: %~f0 is incompatible with a 64-bit OS.
    echo Get e.g. Winzip or similar and its command line plugin
    echo and then customize the script accordingly.
    goto :EOF)
  ::
  :: A temporary folder

  set temp_=%temp%
  if defined mytemp if exist "%mytemp%\" set temp_=%mytemp%
  ::
  :: The files and folders

  set EncryptedBatch=C:\_M\batch.zip
  set DecryptedBatch=batch.cmd
  set TargetFolder=%temp_%
  ::
  :: 207394 Mar 1 1999 pk250dos.exe
  :: PKWARE zip un/archiver, with long filename support

  pkunzip -s "%EncryptedBatch%" "%DecryptedBatch%" "%TargetFolder%"
  ::
  :: Failure?

  if not exist "%TargetFolder%\%DecryptedBatch%" (
    echo Warning: File "%TargetFolder%\%DecryptedBatch%" not found
    echo Incorrect password for decrypting "%EncryptedBatch%"?
    goto :EOF)
  ::
  :: Call the script that was unzipped

  call "%TargetFolder%\%DecryptedBatch%"
  ::
  :: Just for demonstration show that it worked

  echo user1_=%user1_%
  echo pass1_=%pass1_%
  ::
  :: Clean up

  for %%f in ("%TargetFolder%\%DecryptedBatch%") do if exist %%f del %%f
  for %%v in (user1_ pass1_) do set %%v=
  endlocal & goto :EOF

The output
  C:\_M>C:\_D\TEST\CMDFAQ.CMD

  PKUNZIP (R) FAST! Extract Utility Version 2.50 03-01-1999
  Copr. 1989-1999 PKWARE Inc. All Rights Reserved. Shareware Version
  PKUNZIP Reg. U.S. Pat. and Tm. Off.

  Password ? **********

  · Pentium II class CPU detected.
  · XMS version 2.00 detected.
  · DPMI version 0.90 detected.

  Searching ZIP: C:/_M/BATCH.ZIP
    Inflating: C:/_M/TEMP/BATCH.CMD
  user1_=foouser
  pass1_=foopassword
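
Both scripts above write the decrypted batch.cmd under a fixed name in the temporary folder and then call it. The following added example (not part of tscmd.zip or the original FAQ) runs the same decrypt, call and clean-up flow in a fresh per-run folder, with failure checks before the call. It assumes GnuPG's gpg.exe on the PATH in place of the 16-bit PGP 2.6.3i, icacls (Vista and later), and a constructed file name C:\_M\batch.gpg.

```batch
@echo off & setlocal enableextensions
:: Added example, not from tscmd.zip. Assumptions: GnuPG's gpg.exe is on
:: the PATH, and C:\_M\batch.gpg (a constructed name) is the encrypted script.
set "EncryptedBatch=C:\_M\batch.gpg"
::
:: The same temporary folder logic as in the scripts above
set "temp_=%temp%"
if defined mytemp if exist "%mytemp%\" set "temp_=%mytemp%"
::
:: A fresh per-run folder: mkdir fails if the name already exists, so a
:: batch.cmd left or planted there earlier can never be the file called
set "WorkDir=%temp_%\cmdfaq_%random%_%random%"
mkdir "%WorkDir%" || (echo Exiting: cannot create "%WorkDir%" & goto :EOF)
::
:: Allow access for the current user only (icacls: Vista and later)
icacls "%WorkDir%" /inheritance:r /grant:r "%USERDOMAIN%\%USERNAME%:(OI)(CI)F" >nul
if errorlevel 1 (echo Warning: cannot restrict "%WorkDir%" & goto :Cleanup)
::
:: Decrypt; gpg asks for the pass phrase and returns nonzero on failure
set "DecryptedBatch=%WorkDir%\batch.cmd"
gpg --output "%DecryptedBatch%" --decrypt "%EncryptedBatch%"
if errorlevel 1 (echo Warning: decryption failed & goto :Cleanup)
if not exist "%DecryptedBatch%" (echo Warning: nothing decrypted & goto :Cleanup)
::
:: Load the variables, then delete the plaintext before doing anything else
call "%DecryptedBatch%"
del "%DecryptedBatch%"
::
:: Use user1_ and pass1_ here. Report only that they exist, not their values
if defined pass1_ (echo Credentials loaded) else echo Warning: pass1_ not set
::
:Cleanup
if exist "%WorkDir%\" rmdir /s /q "%WorkDir%"
endlocal & goto :EOF
```

Note that del and rmdir only remove the directory entries; the decrypted text can remain recoverable from the disk until the space is overwritten.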

> What about running it [the sensitive script] through a batch compiler?

A frequent and understandable suggestion. However, no practically useful batch compiler is known, even if some such programs nominally exist. This is a fact of batch programming life that has been discussed every now and then, e.g. in alt.msdos.batch.nt.