
We are trying to store a user password in the registry as a secure string but we cannot seem to find a way to convert it back to plain text. Is this possible with SecureString?

Here is the simple test script we are trying to use...

Write-Host "Test Start..."
$PlainPassword = "@SomethingStupid" | ConvertTo-SecureString -AsPlainText -Force

$BSTR = ` [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($PlainPassword)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
Write-Host "Password is: " $PlainPassword
Read-Host

This is the error we are getting...

The term ' [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR'
is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\test.ps1:4 char:71
+ $BSTR = ` [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR
<<<< ($PlainPassword)
    + CategoryInfo          : ObjectNotFound: (
[System.Runtim...ureStringToBSTR:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Cannot find an overload for "PtrToStringAuto" and the argument count: "1".
At C:\test.ps1:5 char:75
+ $PlainPassword =
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto <<<< ($BSTR)
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest
5 Comments

  • Try without wrapping the $BSTR line with the back tick. Commented Feb 12, 2014 at 23:18
  • Gives me a syntax error... "Unexpected Token" Commented Feb 12, 2014 at 23:23
  • Ok, try actually putting the plaintext in its own string variable first like in the article I think you were looking at - social.technet.microsoft.com/wiki/contents/articles/… Commented Feb 12, 2014 at 23:26
  • Hmm - what OS, .NET and PowerShell versions are you running? Commented Feb 12, 2014 at 23:58
  • Sorry, you're right, the back tick was the issue. When I originally removed it I took the first character off the command and that was the unexpected token error. Commented Feb 13, 2014 at 4:01

2 Answers


What is with the backtick in the $BSTR = ... line? I agree with Graham above. If I remove the backtick it works just fine:

$PlainPassword = "@SomethingStupid" | ConvertTo-SecureString -AsPlainText -Force
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($PlainPassword)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
Write-Host "Password is: " $PlainPassword

Outputs:

Password is:  @SomethingStupid

You're not trying to run this on something like Windows RT or some other PowerShell configuration where the language is restricted - are you?


Here's a kludgy but much simpler way to decrypt a secure string, taking advantage of the fact that the PSCredential class has a constructor that accepts the password as a secure string and a method (GetNetworkCredential) that returns that password in plain text:

(New-Object System.Management.Automation.PSCredential 'N/A', $secure_string).GetNetworkCredential().Password

Although it's intended for use with credentials, there's nothing that prevents you from using this to decrypt any secure string* regardless of purpose, supplying a dummy argument for the username (the username argument can't be null or an empty string, but any meaningless string will do).


* Under the context of the account that encrypted the secure string to begin with, of course

3 Comments

  • Perfect. It allowed me to retrieve a previously ConvertTo-SecureString password stored in a file to then pass it to the Invoke-SqlCmd.
  • What's "kludgy" about this? I can store a PS securestring in a database field, retrieve it, put it in a PSCredential object and use this method to decrypt it. Awesome!
  • It's not just account specific, but also machine unless you've used the -Key or -SecureKey options in ConvertFrom-SecureString to move it over. I love this because it's a one-liner.
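The round trip the question is after (store in the registry, read back, reveal) with both decryption methods from the answers above, as an added example that is not part of the original question or answers. It assumes Windows PowerShell 3+ on Windows; the registry key path, value name and sample password are placeholders, and the BSTR helper is a constructed wrapper that frees the unmanaged copy rather than the bare call from the question.

```powershell
# Added example, not code from the question or answers.
# Assumptions: Windows PowerShell 3+ on Windows; $RegPath/$RegValue are placeholders
# for any writable key; the password is a constructed sample.
$RegPath  = 'HKCU:\Software\ExampleApp'
$RegValue = 'ServicePassword'

function ConvertFrom-SecureStringToPlainText {
    param([Parameter(Mandatory)][System.Security.SecureString]$SecureString)
    # Marshal to an unmanaged BSTR, copy it into a .NET string, then zero and
    # free the BSTR so the plaintext does not linger in unmanaged memory.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try {
        return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    }
    finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# 1. Store: ConvertFrom-SecureString without -Key protects the blob with DPAPI,
#    so only the same user account on the same machine can turn it back.
$secure = '@SomethingStupid' | ConvertTo-SecureString -AsPlainText -Force   # constructed sample
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
Set-ItemProperty -Path $RegPath -Name $RegValue -Value ($secure | ConvertFrom-SecureString)

# 2. Retrieve the encrypted standard string and rebuild the SecureString.
$stored   = (Get-ItemProperty -Path $RegPath -Name $RegValue).$RegValue
$restored = $stored | ConvertTo-SecureString

# 3. Reveal the plaintext both ways; they must agree.
$viaBstr = ConvertFrom-SecureStringToPlainText -SecureString $restored
$viaCred = (New-Object System.Management.Automation.PSCredential 'N/A', $restored).GetNetworkCredential().Password
if ($viaBstr -cne $viaCred) { throw 'BSTR and PSCredential decryption disagree' }

# Prefer handing the SecureString or PSCredential straight to the consuming cmdlet:
# once it is a plain .NET string it is immutable and cannot be zeroed.
Write-Host "Recovered password length: $($viaBstr.Length)"
```

Remove the scratch registry value afterwards with Remove-ItemProperty if you run this outside a throwaway account.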
