Norman Bauer

… just technical stuff!


How to change BitLocker recovery password with vbScript?

Related to my last post about how to change the BitLocker recovery password from an elevated command prompt, here is how you can achieve the same result with VBScript and WMI. This script is from Microsoft TechNet: BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS.

' Target drive letter
strDriveLetter = "c:"

' Target computer name
' Use "." to connect to the local computer
strComputerName = "."

' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------

strConnectionStr = "winmgmts:" _
                 & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                 & strComputerName _
                 & "\root\cimv2\Security\MicrosoftVolumeEncryption"

On Error Resume Next 'handle permission errors

Set objWMIService = GetObject(strConnectionStr)

If Err.Number <> 0 Then
     WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
     WScript.Echo "Ensure that you are running with administrative privileges."
     WScript.Quit -1
End If

On Error GoTo 0

strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)

If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " &  strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume In colTargetVolumes
    Set objVolume = objFoundVolume
Next

' objVolume is now our found BitLocker-capable disk volume

' --------------------------------------------------------------------------------
' Perform BitLocker WMI provider functionality
' --------------------------------------------------------------------------------

' Add a new recovery password, keeping the ID around so it doesn't get deleted later
' ----------------------------------------------------------------------------------

nRC = objVolume.ProtectKeyWithNumericalPassword("Recovery Password Refreshed By Script", , sNewKeyProtectorID)

If nRC <> 0 Then
     WScript.Echo "FAILURE: ProtectKeyWithNumericalPassword failed with return code 0x" & Hex(nRC)
     WScript.Quit -1
End If

' Removes the other, "stale", recovery passwords
' ----------------------------------------------------------------------------------

nKeyProtectorTypeIn = 3 ' type associated with "Numerical Password" protector

nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)

If nRC <> 0 Then
     WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
     WScript.Quit -1
End If

' Delete those key protectors other than the one we just added.

For Each sKeyProtectorID In aKeyProtectorIDs
     If sKeyProtectorID <> sNewKeyProtectorID Then
          nRC = objVolume.DeleteKeyProtector(sKeyProtectorID)
          If nRC <> 0 Then
               WScript.Echo "FAILURE: DeleteKeyProtector on ID " & sKeyProtectorID & " failed with return code 0x" & Hex(nRC)
               WScript.Quit -1
          Else
               ' no output
               'WScript.Echo "SUCCESS: Key protector with ID " & sKeyProtectorID & " deleted"
          End If
     End If
Next

WScript.Echo "A new recovery password has been added. Old passwords have been removed."

' - some advanced output (hidden)
'WScript.Echo ""
'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."

How to change BitLocker recovery password?

Sometimes you need to give a BitLocker recovery password to one of your customers, for example when you cannot access the computer remotely. It also happens that passwords get revealed accidentally or intentionally. Either scenario is a security risk, so you may want to change the recovery password of a certain computer.

To do so, you’ll need to open an elevated command prompt. With manage-bde.exe (BitLocker Drive Encryption: Configuration Tool) you can change such recovery passwords.

First get a list of recovery passwords for the desired partition by typing:

manage-bde.exe c: -protectors -get -type recoverypassword

This step is only necessary if you have more than one protector of a given type. If so, you’ll need to copy the ID of the protector you want to change.

After that, delete the protector. You can do this by using its ID:

manage-bde.exe c: -protectors -delete -id {ID}

or by using the type:

manage-bde.exe c: -protectors -delete -type recoverypassword

The BitLocker Drive Encryption: Configuration Tool now deletes the protector. You may want to check this by running the first command again. Now you can add a new protector of type recovery password. That new protector gets a new ID and a new password:

manage-bde.exe c: -protectors -add -rp

The configuration tool generates a new password, tells you to store it in a secure location and, if set up to do so, writes it to Active Directory.

Note: Every command used here applies to the c: drive. You may want to change this according to your needs.
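The VBScript above and the manage-bde steps in this post perform the same rotation; here is that rotation as an added PowerShell example (not code from the original posts or from the TechNet guide) against the same Win32_EncryptableVolume WMI class. It assumes an elevated PowerShell 2.0 or later session, a volume that is already BitLocker-protected, and, like the script, it adds the replacement protector before deleting the old ones so the volume is never left without a recovery password; the -EscrowToAD switch is an assumed parameter name.

```powershell
# Rotate the recovery password of one BitLocker volume via Win32_EncryptableVolume.
# Added example: not part of the original posts. Run elevated.
param(
    [string]$DriveLetter = 'C:',
    [switch]$EscrowToAD          # assumed switch: back the new protector up to AD DS first
)

$ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                     -Filter "DriveLetter='$DriveLetter'"
if ($vol -eq $null) { throw "No BitLocker-capable volume $DriveLetter found." }

$NumericalPassword = 3   # KeyProtectorType used for recovery passwords

# 1. Add the replacement first, exactly as the VBScript does, so a recovery
#    password always exists. A $null second argument lets BitLocker generate it.
$add = $vol.ProtectKeyWithNumericalPassword('Recovery Password Rotated By Script', $null)
if ($add.ReturnValue -ne 0) {
    throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $add.ReturnValue)
}
$newId = $add.VolumeKeyProtectorID

# 2. Re-read the protector list and confirm the new one is really on the volume
#    before anything is deleted.
$list = $vol.GetKeyProtectors($NumericalPassword)
if ($list.ReturnValue -ne 0 -or -not ($list.VolumeKeyProtectorID -contains $newId)) {
    throw 'New recovery password is not listed on the volume; nothing was deleted.'
}

# 3. Optionally escrow the new protector in AD DS (what manage-bde does when policy
#    requires it). If that fails, keep the old protectors so the escrowed copy stays valid.
if ($EscrowToAD) {
    $bk = $vol.BackupRecoveryInformationToActiveDirectory($newId)
    if ($bk.ReturnValue -ne 0) {
        throw ('AD DS escrow failed: 0x{0:X8}; old recovery passwords were kept.' -f $bk.ReturnValue)
    }
}

# 4. Delete every other recovery-password protector (the "stale" ones).
foreach ($id in $list.VolumeKeyProtectorID) {
    if ($id -eq $newId) { continue }
    $del = $vol.DeleteKeyProtector($id)
    if ($del.ReturnValue -ne 0) {
        throw ('DeleteKeyProtector {0} failed: 0x{1:X8}' -f $id, $del.ReturnValue)
    }
}

"Rotated recovery password on $DriveLetter; new protector ID is $newId."
"Run 'manage-bde -protectors -get $DriveLetter -type recoverypassword' to view it."
```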

How to set the Windows 7 user account picture programmatically?

Windows 7 offers the possibility to show small user account pictures, for example in the start menu or on the lock screen. Since there is no documented way of setting this picture programmatically, here is a solution for developing a small application that can do this for you.
You’ll simply need Visual Studio with either C# or Visual Basic support. You can get your free edition here: http://www.microsoft.com/visualstudio/express. Create a new console application, copy and paste the following source code and build the solution. The resulting application will be able to set the user account pictures for you.

C# source:

using System;
using System.Runtime.InteropServices;

namespace useraccountpicture
{
    class Program
    {
        [DllImport("shell32.dll", EntryPoint = "#262", CharSet = CharSet.Unicode, PreserveSig = false)]
        public static extern void SetUserTile(string username, int notneeded, string picturefilename);

        [STAThread]
        static void Main(string[] args)
        {
            if (args.Length == 2)
            {
                SetUserTile(args[0], 0, args[1]);
            }
        }
    }
}

Visual Basic source:

Imports System.Runtime.InteropServices

Module useraccountpicture

    <DllImport("shell32.dll", EntryPoint:="#262", CharSet:=CharSet.Unicode, PreserveSig:=False)> _
    Private Sub SetUserTile(ByVal username As String, ByVal notneeded As Integer, ByVal picturefilename As String)
    End Sub

    Sub Main(ByVal args As String())
        If (args.Length = 2) Then
            SetUserTile(args(0), 0, args(1))
        End If
    End Sub

End Module

Now run it on a command line, for example:
useraccountpicture.exe domain\username picturefilename.jpg

Please note that this will not affect the logon screen. Since Windows cannot know which user will log on, it cannot display a picture there.

How to use environment variables in PowerShell?

Sometimes you need to use an environment variable (e.g. username, userprofile, computername, …) in PowerShell.

Environment variables are exposed through the PowerShell drive “env:”. It behaves like a hard disk or flash drive: you can list or browse its content by using

dir env:

The output shows all existing environment variables you can use. But how do you use them?

You can read any environment variable with the Get-Content cmdlet, or its short alias gc:

$computername = get-content env:computername
$username = gc env:username
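Because env: is a drive, the usual item cmdlets work on it too. The following added example (not from the original post) shows the provider and $env: forms side by side, what happens when a variable is missing, and that changes made through env: are scoped to the current process; the names ZZ_NOT_SET and ZZ_DEMO are assumed not to exist on the machine.

```powershell
# Added example: env: behaves like a drive, so the item cmdlets apply to it.

# Equivalent reads: the env: provider and the $env: variable syntax.
$viaProvider = Get-Content env:COMPUTERNAME
$viaVariable = $env:COMPUTERNAME
"Same value: $($viaProvider -eq $viaVariable)"

# Get-Content on a missing name is an error, not an empty string, so test first.
function Get-EnvOrDefault([string]$Name, [string]$Default) {
    if (Test-Path "env:$Name") { return (Get-Content "env:$Name") }
    return $Default
}
Get-EnvOrDefault 'ZZ_NOT_SET' 'fallback'   # assumed name: ZZ_NOT_SET does not exist

# Browse the drive like a directory: filter and sort its entries.
Get-ChildItem env: | Where-Object { $_.Name -like 'PROCESSOR*' } | Sort-Object Name

# Create, change and remove a variable. This only affects the current process
# and its children; the machine and user variables in the registry are untouched.
Set-Item env:ZZ_DEMO 'first'
Set-Item env:ZZ_DEMO 'second'
"ZZ_DEMO is now: $(Get-Content env:ZZ_DEMO)"
Remove-Item env:ZZ_DEMO
"ZZ_DEMO still present: $(Test-Path env:ZZ_DEMO)"

# Values such as USERPROFILE are plain strings: build paths with Join-Path rather
# than string concatenation so separators are handled for you.
Join-Path (Get-Content env:USERPROFILE) 'Documents'
```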

List of environment variables in Windows 7 / XP