
Scripting Password Prompts


How do I use a script to interactively ask a user for a password?

The answer depends on the scripting model you're using, so I'll answer this question in two parts. First, I'll look at how to create password prompts in Cmd.exe shell scripts (aka batch files). Second, I'll look at how to accomplish the task with Windows Script Host (WSH) scripts.

Getting Passwords in Shell Scripts
Cmd.exe in Windows 2000 and later provides the Set /p command, which lets you retrieve a line of text and store it in an environment variable. Because the text you type appears on the screen, though, Set /p is generally unsuitable for obtaining a password.

A better solution is a command-line tool that lets you read a password into an environment variable without displaying it on the screen. My freeware utility, EditV32, provides this capability. You can download the latest version of the tool from my Web site. EditV32 is a generalized tool that lets you interactively edit an environment variable's contents in Windows NT 4.0 or later. To support password input, the tool has an -m (masked input) option that displays asterisks (*) for each typed character. The tool also has an array of other options that let you control the input. Table 1 shows a list of EditV32's command-line options. To use EditV32, download the file by clicking the Download the Code box at the top of the Web page. Then, extract the EditV32.exe file and put it in a directory that's in the system path (either %SystemRoot% or %SystemRoot%\system32 should work). Now, you can use the tool in your scripts.

Listing 1 shows a simple password-input example. After disabling command echo and using the Setlocal command, the code uses EditV32 to interactively edit an environment variable named PWD. The -m option on the command line hides the typed input. Because the script uses the Setlocal and Endlocal commands, the PWD variable simply disappears from the environment after the script is finished.

Getting Passwords in WSH Scripts
Microsoft provides the ScriptPW.Password object in Windows XP and later. This object provides a single method, GetPassword, that works only if the script is executed by the CScript host. The GetPassword method simply waits for you to enter a string of text. The typed characters do not appear on the screen. When you press Enter, the GetPassword method returns the typed string.

Listing 2, ScriptPW.vbs, shows how to use the ScriptPW.Password object in VBScript. Listing 3, ScriptPW.js, shows the same code in JScript. Because these scripts use the ScriptPW.Password object, you must run them at the command line by using the CScript host. Also, these scripts don't work unless you have Windows XP or later. Note the use of the Write method of the WScript.StdOut object to display the password prompt without moving the cursor to the next line on the screen.

If you need to retrieve password input on an older OS (such as Windows 2000 or NT), the ScriptPW.Password object isn't available. Some script authors have used VBScript's InputBox function, but InputBox isn't suitable for passwords because it can't mask the typed input.

To address this limitation, I created the InputDlg.Dialog object, which provides an InputBox method that's similar to VBScript's MsgBox function. However, unlike the VBScript MsgBox function, InputDlg.Dialog's InputBox method provides a MaskInput property. If the MaskInput property is False (the default), the user input will appear normally; if the property is True, the user input will be masked by asterisks. (As an aside, another reason I wrote the InputDlg.Dialog object is that JScript lacks an InputBox function like VBScript's.)

To use the InputDlg.Dialog object, you must first download the InputDlg.dll file by clicking the Download the Code box at the top of the Web page. After downloading the file, you must register it on your computer. To do this, type the following command at a command prompt:

regsvr32 [/s]

This command creates the necessary registry entries that make the InputDlg.Dialog object available to scripts. The /s option, if you include it, performs the registration silently (meaning that Regsvr32 won't display a confirmation message). To unregister the component, include the /u option on the Regsvr32 command line (i.e., Regsvr32 /u). You can perform a silent unregister by using /u /s. Specify the path to the InputDlg.dll file if it's not in the current directory. Note that you must be a member of Administrators to register or unregister the component.

After you've registered InputDlg.dll, you can use it in a script. As I mentioned above, the InputDlg.Dialog object has a single property, MaskInput. The object also provides a single method: InputBox. The InputBox method's syntax is nearly identical to the InputBox function's syntax in VBScript; the only difference is that the InputDlg.Dialog object's InputBox method doesn't support the helpfile and context parameters that VBScript's InputBox function supports. The syntax for the InputDlg.Dialog object's InputBox method is as follows:

  title][, default][, xpos][,

Table 2 describes each of the InputBox method's parameters.

If the user clicks OK or presses Enter, the InputBox method returns the contents of the text box. If the user cancels the dialog box by clicking Cancel or pressing the Esc key, the InputBox method returns an empty string.

Listing 4, InputDlg.vbs, shows a simple example of how to use the InputDlg.Dialog component in VBScript. Listing 5 shows the same code written in JScript. After declaring its variables, the script creates an instance of the InputDlg.Dialog object, as you can see in the code at callout A in Listing 4 and Listing 5. Because this script is going to request a password, it sets the object's MaskInput property to True, as the code at callout B in both listings shows. The script then executes the object's InputBox method. Figure 1 shows the object in action.
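The following is an added example, not one of the article's listings: a single VBScript function that covers both WSH approaches described above, using ScriptPW.Password when the script runs under CScript and the InputDlg.Dialog component otherwise. The function name ReadPassword, the prompt and title strings, and the assumption that InputBox takes the prompt as its first argument (as VBScript's InputBox does) are illustrative.

```vbscript
Option Explicit

' Added example (not from the article's listings).
' Returns the typed password, or "" if nothing was entered or the
' required component could not be created.
Function ReadPassword(prompt)
    Dim hostName, pw, dlg
    ReadPassword = ""
    ' WScript.FullName is the full path of the running host executable.
    hostName = LCase(Mid(WScript.FullName, InStrRev(WScript.FullName, "\") + 1))

    On Error Resume Next
    If hostName = "cscript.exe" Then
        ' Console host: GetPassword reads a line without echoing it.
        Set pw = CreateObject("ScriptPW.Password")
        If Err.Number = 0 Then
            WScript.StdOut.Write prompt & " "
            ReadPassword = pw.GetPassword()
            ' The Enter keystroke is not echoed, so finish the line ourselves.
            WScript.StdOut.WriteLine ""
        End If
    Else
        ' GUI host: InputDlg.Dialog must already be registered with Regsvr32.
        Set dlg = CreateObject("InputDlg.Dialog")
        If Err.Number = 0 Then
            dlg.MaskInput = True   ' show asterisks instead of the typed text
            ' Assumption: prompt is the first argument, title the second.
            ReadPassword = dlg.InputBox(prompt, "Password")
        End If
    End If
    On Error GoTo 0
End Function

Dim password
password = ReadPassword("Enter password:")
If Len(password) = 0 Then
    ' Empty string: user cancelled, typed nothing, or the object is missing.
    WScript.Echo "No password entered."
    WScript.Quit 1
End If

' Hand the password to whatever needs it here. Do not echo it, log it,
' or place it on another program's command line.
WScript.Echo "Password received."

' Drops the script's reference to the string; this does not scrub memory.
password = ""
```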

An alternative to using these scripts to get a password is to use Internet Explorer to display an HTML form that contains a password box. The Microsoft Windows 2000 Scripting Guide contains an example of how to use this technique; see the "Masking Passwords by Using Internet Explorer" section. Regardless of whether you use shell scripts or WSH scripts, the solutions presented here make it easy to ask for a password in a script.
