Can I lock or set a password to a batch file/script, I have made a script but I don't want people on my work to change it. They must be able to run it but not edit it.
Is this possible and how?
I have search for it but I can't find it. I find all about how to lock PC or something else but not my batch file/script and the Q is not how to hide my script or something but if you whant to edit it, it gives a error or if you click on edit it don't work.
If you don't want them to be able to commit changes to the file, just set the file permissions, only allowing you (or some admin group) to modify the file.
This command will remove inherited ACL entries, grant you full permission, and grant everyone else read permission:
icacls your_file.cmd /inheritance:r /grant youruserid:F /grant everyone:RX
It's not possible however you can use this trick make a c/c++ program that simply call those cmds from system() function. In this case you commands will be hidden to some extent and they won't be able to change it.
One word more about this topic.
It is not possible to avoid that others have access to your Batch file; however, if you want to avoid that others can review the Batch file contents (so they can't modify any part of it) then there are several ways to do that including converting the file to .exe format, although no one of these methods gives complete protection against determined users.
The point here is to use a method simple enough for you, so you may implement it with no problems, but complex enough for others so it dissuade your users to try to break it. I propose a solution based on the Encode procedure for JScript source programs that is not a widely known method, so it may even gives protection against advanced users that have not the appropriate information about it. Here it is:
@if (@CodeSection == @Batch) @then
@echo off
setlocal DisableDelayedExpansion
REM Obfuscate.bat: Obfuscate Batch files
REM Antonio Perez Ayala
if "%~1" equ "" echo Usage: Obfuscate filename.bat & goto :EOF
if not exist "%~1" echo File not found: "%~1" & goto :EOF
set "at=@"
set "pass=%random%"
(
echo %at%if (@Pass == @X%pass%^) @begin
echo @echo off
echo CScript //nologo //E:JScript.Encode "%%~F0" ^> %pass%.bat
echo call %pass%
echo del %pass%.bat
echo exit /B
echo %at%end
echo //**Start Encode**
echo var a = new Array(^);
set "i=0"
for /F "usebackq delims=" %%a in ("%~1") do (
set /A i+=1
set "line=%%a"
setlocal EnableDelayedExpansion
echo a[!i!] = '!line:'=\x27!';
endlocal
)
setlocal EnableDelayedExpansion
echo for ( var i=1; i^<=!i!; ++i ^) WScript.Stdout.WriteLine(a[i]^);
) > "%~N1.tmp"
CScript //nologo //E:JScript "%~F0" "%~N1.tmp"
del "%~N1.tmp"
goto :EOF
@end
// Encode a JScript source file
// Antonio Perez Ayala
var fileToEncode = WScript.Arguments(0);
// Read the source file
var oFSO = WScript.CreateObject("Scripting.FileSystemObject");
var oFile = oFSO.GetFile(fileToEncode);
var oStream = oFile.OpenAsTextStream(1);
var sSourceFile = oStream.ReadAll();
oStream.Close();
// Encode the file
var oEncoder = WScript.CreateObject("Scripting.Encoder");
var sDest = oEncoder.EncodeScriptFile(".js",sSourceFile,0,"")
// Write the encoded version
var sFileOut = fileToEncode.slice(0,-3)+"obf.bat";
var oEncFile = oFSO.CreateTextFile(sFileOut);
oEncFile.Write(sDest);
oEncFile.Close();
Copy this program as Obfuscate.bat and use it giving your Batch file in the parameter; after that, a new file with .obf.bat extension is created that works in the same way than the original file, but with its contents encoded in an unreadable way. For example:
C:\> type test.bat
@echo off
echo Hello World
C:\> Obfuscate test.bat
C:\> type test.obf.bat
@if (@Pass == @X20203) @begin
@echo off
CScript //nologo //E:JScript.Encode "%~F0" > 20203.bat
call 20203
del 20203.bat
exit /B
@end
//**Start Encode**#@~^kQAAAA==@#@&\CMPmP',x⌂APzD.lH`bI@#@&l]qT,'PE@$nm4W,WW0vI@#
@&C$yDP{Pvn1tW~u⌂VsW, KDs9Bp@#@&6WM~`,\CD,kxqpPk@!x pP_3r~#,⌂Um.k2Oc?ONK;Yc⌂.r
D+SrU⌂`C$bD*i@#@&kiYAAA==^#~@
C:\> test.obf.bat
Hello World
I tested this method in Windows XP and Windows 8.
Short answer: No
Long answer: No, it's not possible
You can obfuscate it, but you can't hide the source.
Somehow cmd.exe has to execute your batch, so it has to see the commands, but when cmd.exe can see your commands, then a person can see them also.
As you only want to lock the file for editing you can use the both mentioned ways:
Then using attrib could solve it with adding readonly or hidden attributes (like @JanDoggen mentioned).
Or the more secure way by changing the security settings (like @mstth mentioned)
But this will only prevent changes from absolutly noobs.
I tried to make this in batch. I suppose this file could be somewhat helpful, it uses a encrypted password method. You could wrap the batch file into a encrypted exe file, also if you wanted the code obfuscated, possibly even an added byte order mark to make it harder for other people to get your password just ask and I will do that for you. Also you can automatically set the file by doing this ; Go to the "PasswordOptions.bat" file after it is created, set your password, un-hide password files, open then password folder, copy and paste the "Pswrd.Zask" & "Key.Zask" files in a different folder and use the contents for later use, lastly reset your password.
@echo off
title Zask's password encrypted batch file
color 0a
echo ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
echo º Zask's password encrypted batch file º
echo ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
echo.
if not exist "C:\Pswrd.Zask\" (
mkdir "C:\Pswrd.Zask\"
if "!errorlevel!" EQU "0" (
goto DirectoryExist
) else (
echo Created the folder "C:\Pswrd.Zask" & timeout /t 5 /nobreak
)
) else (
goto DirectoryExist
)
:DirectoryExist
if exist C:\Pswrd.Zask\Key.Zask (
goto UsernameExist
) else (
goto CreatePasswordScreen
)
:UsernameExist
for /f "Delims=" %%A in (C:\Pswrd.Zask\Password.Zask) do (
set CHECKPASSWORD=%%A
)
for /f "Delims=" %%B in (C:\Pswrd.Zask\Key.Zask) do (
set CHECKKEY=%%B
)
goto PasswordScreen
:CreatePasswordScreen
cls
echo Create a password.
echo.
setlocal EnableDelayedExpansion
set /p "CREATEPASSWORD= Enter password : "
set /p "CREATEKEY= Enter a key number (Choose a number 2-200) : "
set CHAR=0123456789bhfcjrwmudaxopvntzlqeisykg
for /l %%C in (10 1 36) do (
for /f %%D in ("!CHAR:~%%C,1!") do (
set /a MATH=%%C*%CREATEKEY%
for /f %%E in ("!MATH!") do (
set "CREATEPASSWORD=!CREATEPASSWORD:%%D=-%%E!"
)
)
)
echo %CREATEPASSWORD% >> C:\Pswrd.Zask\Password.Zask
attrib C:\Pswrd.Zask\Password.Zask +s +h & echo. & echo Password Created!
echo %CREATEKEY% >> C:\Pswrd.Zask\Key.Zask
attrib C:\Pswrd.Zask\Key.Zask +s +h & echo Username Created!
echo.
if exist "%~dp0ResetPassword.bat" (
del "%~dp0ResetPassword.bat" )
:ResetPassword
set /p "RESETOPTION=Would you like to create the password options file in the current directory (Y/N)? : "
if /i %RESETOPTION%==Y goto ResetOptions
if /i %RESETOPTION%==N goto SkipResetOptions
:ResetOptions
echo @echo off >> PasswordOptions.bat
echo title ResetPassword.bat >> PasswordOptions.bat
echo color 0a >> PasswordOptions.bat
echo :start >> PasswordOptions.bat
echo. >> PasswordOptions.bat
echo echo ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» >> PasswordOptions.bat
echo echo º This file is used to reset your password, hide it for future purposes or delete it º >> PasswordOptions.bat
echo echo º to avoid other users from removing your password. You have 5 options º >> PasswordOptions.bat
echo echo ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ >> PasswordOptions.bat
echo echo. >> PasswordOptions.bat
echo echo 1 - Reset password. >> PasswordOptions.bat
echo echo 2 - Open password folder. >> PasswordOptions.bat
echo echo 3 - Unhide files in the password folder. >> PasswordOptions.bat
echo echo 4 - Hide files in the password folder. >> PasswordOptions.bat
echo echo 5 - Exit dialog. >> PasswordOptions.bat
echo echo. >> PasswordOptions.bat
echo set /p "OPTIONS=Chose a number to select that option : " >> PasswordOptions.bat
echo if %%OPTIONS%%==1 goto PasswordReset >> PasswordOptions.bat
echo if %%OPTIONS%%==2 start C:\Pswrd.Zask ^& cls ^& goto start >> PasswordOptions.bat
echo if %%OPTIONS%%==3 attrib C:\Pswrd.Zask\Password.Zask -s -h ^& attrib C:\Pswrd.Zask\Key.Zask -s -h ^& cls ^& goto start >> PasswordOptions.bat
echo if %%OPTIONS%%==4 attrib C:\Pswrd.Zask\Password.Zask +s +h ^& attrib C:\Pswrd.Zask\Key.Zask +s +h ^& cls ^& goto start >> PasswordOptions.bat
echo if %%OPTIONS%%==5 exit >> PasswordOptions.bat
echo. >> PasswordOptions.bat
echo :PasswordReset >> PasswordOptions.bat
echo cls >> PasswordOptions.bat
echo set /p "RESET=Are you sure you want to reset your password (Y/N)? : " >> PasswordOptions.bat
echo if /i %%RESET%%==Y goto ResetPassword >> PasswordOptions.bat
echo if /i %%RESET%%==N goto start >> PasswordOptions.bat
echo cls >> PasswordOptions.bat
echo. >> PasswordOptions.bat
echo :ResetPassword >> PasswordOptions.bat
echo rd /s /q "C:\Pswrd.Zask" >> PasswordOptions.bat
echo echo Password was deleted! >> PasswordOptions.bat
echo pause >> PasswordOptions.bat
echo del %%~n0%%~x0 >> PasswordOptions.bat
echo exit >> PasswordOptions.bat
cls
echo. & echo Created file "%~dp0ResetPassword.bat" & timeout /t 5 /nobreak
:SkipResetOptions
start %~n0%~x0
exit
:PasswordScreen
color 0a
cls
echo Existing User Account.
echo.
setlocal EnableDelayedExpansion
set /p "PASSWORD= Enter Password : "
set /p "KEY= Enter the original encryption key : "
set CHAR=0123456789bhfcjrwmudaxopvntzlqeisykg
for /l %%C in (10 1 36) do (
for /f %%D in ("!CHAR:~%%C,1!") do (
set /a MATH=%%C*%CHECKKEY%
for /f %%E in ("!MATH!") do (
set "CHECKPASSWORD=!CHECKPASSWORD:%%E=%%D!"
)
)
)
for /f %%F in ("!CHECKPASSWORD!") do (
set "CHECKPASSWORD=!CHECKPASSWORD:-=!"
)
if %PASSWORD%==%CHECKPASSWORD% (
goto Operation1True
) else (
goto OperationFalse
)
:Operation1True
if %KEY%==%CHECKKEY% (
goto Operation2True
) else (
goto OperationFalse
)
:OperationFalse
color 0c
echo Password Incorrect!
timeout /t 10 /nobreak
goto PasswordScreen
:Operation2True
cls
echo Password Correct!
echo.
pause
REM YOUR CODE GOES HERE.
REM YOU CAN CONVERT THIS IS INTO A EXE FILE IF WANTED.
REM FREE TO MODIFY ANY CONTENT IN THIS FILE FOR BUSINESS OR PERSONAL REASONS.
You could set an attribute at the beginning of the file like this:
@echo off
attrib +R
If your users are not very sophisticated maybe you can hide your batch file and call it from another one:
One.bat
@echo off
two
Two.bat
@echo off
echo this is 2
pause
Set attributes of two.bat to -h (and maybe -r).
Then call one.bat. Just tested this under Win7 and to my surprise it works.
But this does not solve your issue if the people at your work know how to change file attributes.
