Powershell:如何使用Windows服务从文本文件读取安全字符串

tag-icon tag-icon windows powershell service credentials
Powershell:如何使用Windows服务从文本文件读取安全字符串

我使用 Powershell 将 vSphere 环境的凭据保存到文本文件中ConvertFrom-SecureString。我想使用以下命令在我的 powershell 脚本中使用此凭据:

$password4host = get-content C:\shutdown\HostsCred.txt | convertto-securestring

如果我想通过服务执行 powershell 脚本,我会收到无法从文本文件中读取凭据的错误。这似乎属于事实,将安全字符串保存在文本文件中与将这些凭据保存到文本文件的用户绑定在一起。只有用户自己才能解密凭据。

代码片段:

$time = ( get-date ).ToString('HH-mm-ss')
$date = ( get-date ).ToString('dd-MM-yyyy')
$logfile = New-Item -type file "C:\shutdown\ShutdownLog-$date-$time.txt" -Force
Import-Module -Name VMware.*
# Some variables
$vcenter = "10.10.10.10"
$username = "[email protected]"
$username4host = "fakeuser"
$cluster = "ESXi-Cluster"
$datacenter = "Datacenter"
$vCenterVMName = "VMware vCenter Server" #Name of vCenter VM
$StarWindVM1 = "Starwind-VM" #Name of first StarWind VM
$StarWindVM2 = "Starwind-VM (1)" #Name of second StarWind VM
$StarWind = "10.10.10.11" #IP address of one of StarWind VMs
$ESXIhost1 = "10.10.10.12" #Name of first ESXI Host
$ESXIhost2 = "10.10.10.13" #Name of second ESXI Host
try
{
    $password4vCenter = get-content C:\shutdown\vCenterCred.txt | convertto-securestring
}
catch
{
    Write-Host $_ -foreground red
    Add-Content $logfile "$(get-date -f dd/MM/yyyy) $(get-date -f HH:mm:ss) $_"
    exit
}
try
{
    $password4host = get-content C:\shutdown\vCenterCred.txt | convertto-securestring
}
catch
{
    Write-Host $_ -foreground red
    Add-Content $logfile "$(get-date -f dd/MM/yyyy) $(get-date -f HH:mm:ss) $_"
    exit
}
$tmp = get-content C:\Temp\HostsCred.txt | convertto-securestring
$password4Starwind = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($tmp)) 
$credentials = new-object System.Management.Automation.PSCredential $username, $password4vCenter
$credentials4host = new-object System.Management.Automation.PSCredential $username4host, $password4host
Write-Host ""
Write-Host "$(get-date -f dd/MM/yyyy) $(get-date -f HH:mm:ss) Shutdown command has been sent to the vCenter Server." -Foregroundcolor yellow
Write-Host "This script will shutdown all of the VMs and hosts located in $datacenter." -Foregroundcolor yellow
Write-Host ""
Sleep 5
Add-Content $logfile "$(get-date -f dd/MM/yyyy) $(get-date -f HH:mm:ss) PowerOff Script Engaged"
Add-Content $logfile ""
# Connect to vCenter
$counter = 0
if ($counter -eq 0){
       Set-PowerCLIConfiguration -InvalidCertificateAction ignore -Confirm:$false | Out-Null
}
Write-Host "Connecting to vCenter - $vcenter.... " -nonewline
Set-PowerCLIConfiguration -InvalidCertificateAction ignore -confirm:$false
Add-Content $logfile "$(get-date -f dd/MM/yyyy) $(get-date -f HH:mm:ss) Connecting to vCenter - $vcenter"
try
{
    $success = Connect-VIServer $vcenter -Credential $credentials -WarningAction:SilentlyContinue
}
catch
{
    Write-Host $_ -foreground red
    Add-Content $logfile "$(get-date -f dd/MM/yyyy) $(get-date -f HH:mm:ss) $_"
    exit
}

但我已经将此服务的登录用户更改为保存了加密凭据的用户。看来该服务仍未以特定用户身份运行,或者无法将这些安全字符串与 Windows 服务一起使用。

如果我以该用户登录时从 powershell ISE 运行 powershell 脚本,它会运行该脚本而不会出现任何错误。

如何在通过 Windows 服务触发的 powershell 中使用凭据,而不将它们以纯文本形式保存在 powershell 脚本中?

具有特定用户的 Windows 服务

相关内容