I am looking to write a script that will enable a TPM chip and BitLocker in Windows, with VBScript. I am new to VBScript and Windows scripting in general.
One part that I seem to be hitting a snag on is having my script start up again after a reboot.
For example, to enable the TPM chip a reboot is required to turn on the chip, and then a second reboot is required to take ownership of the TPM chip. A third reboot would be required to enable BitLocker.
How do I have the script start up again after each reboot to move to the next step? And is VBscript the best choice to accomplish this task?
Something like this should work:
rem Make sure you applied the appropriate policies before activating!
manage-bde -tpm -TurnOn
manage-bde -tpm -TakeOwnership PASSWORD
manage-bde -on C: -RecoveryPassword -SkipHardwareTest
The TPM must be enabled in the BIOS first, though.
Microsoft already provides a VBScript for enabling BitLocker. You can learn more about it here:
Enabling BitLocker by using a WMI script
And the script itself is available from here:
BitLocker Deployment Sample Resources
Related
I am trying to make out whether bitlocker or bitlocker togo(i.e. bitclocker on removable drive) is used to encrypt a drive. so basically its about knowing the volumeType as seen by bitlocker.
I tried using WMI class Win32_EncryptableVolume to get this information.
The interface has a property volumetype.
The way works fine in windows 10. In windows 7 the Win32_EncryptableVolume class is not having a property volumeType.
So is there a alternate way to know this ? i want to know whether bitlocker or bitlocker togo is used that will be same as knowing if a volume is removable or fixed.
I have tried using manage-bde.exe but that also does not give information about this.
So is there a way we can get this information for windows 7 ?
One thing is that this information is not same as how windows sees the drive as since there is a difference in the way bitlocker treats a volume(ref). So i cannot use interfaces such as wmic logicaldisk.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
Improve this question
I have a specific piece of hardware which I'd like to disable and re-enable each time my Windows restarts. I created a batch script which is supposed to do that, along with running my program afterwards:
cd %~dp0
devcon.exe disable "PCI\VEN_1002&DEV_687F"
timeout /t 3
devcon.exe enable "PCI\VEN_1002&DEV_687F"
runMyWindows.exe --totally-not-virus
I am not sure if devcon.exe is a proper application for this in the first place because I have no experience with writing Windows scripts at all.
However, I have noticed that those commands don't quite do the job because my runMyWindows.exe program doesn't work as it should until I go to Windows Device Manager and manually disable and re-enable this device.
I have only 1 user on this machine which is in "Administrator" group and I am not running this script in any special way except double-clicking the .bat file, or in case of the restart, it is run from the startup folder (C:\Users\oxxo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).
Is there a way to do this properly within my batch script which should be run automatically on Windows startup?
PnPUtil do this job also and no SDK or anything else related required to download.
Included in Windows since Vista:
https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil
Examples
Disables device specified by device instance ID:
pnputil /disable-device "USB\VID_045E&PID_00DB\6&870CE29&0&1"
Enables device specified by device instance ID:
pnputil /enable-device "USB\VID_045E&PID_00DB\6&870CE29&0&1"
Most people who'll be reading this thread won't find the other answer very useful, because it's mostly about how to run the script in the question with administrator privileges. I'll attempt to answer the implicit questions here:
Enable/disable a device via the command line
I found it easiest to use devcon.exe (6mb), like in the question:
set HARDWARE_ID="PCI\VEN_8086&DEV_4229&SUBSYS_11018086&REV_61"
devcon disable %HARDWARE_ID%
timeout /t 3
devcon enable %HARDWARE_ID%
devcon.exe requires administrator privileges.
Where to get devcon?
It's part of the Windows driver development toolkit. Unfortunately, the official resources ask you to download a 1gb SDK. I was able to get around that by following one of the answers here: https://superuser.com/questions/1002950/quick-method-to-install-devcon-exe
Once you have it, make sure devcon.exe is on your %PATH%. I put mine in C:\Windows\System32\.
Find the hardware ID of the device you want to manipulate
Open a Command Prompt with administrator privileges and do devcon hwids *, which will print all the devices and their corresponding IDs. That will produce a lot of output. Use Command Prompts search function to find what you need. Here's the section I was interested in:
PCI\VEN_8086&DEV_4229&SUBSYS_11018086&REV_61\4&6AB551C&0&00E1
Name: Intel(R) Wireless WiFi Link 4965AGN
Hardware IDs:
PCI\VEN_8086&DEV_4229&SUBSYS_11018086&REV_61
PCI\VEN_8086&DEV_4229&SUBSYS_11018086
PCI\VEN_8086&DEV_4229&CC_028000
PCI\VEN_8086&DEV_4229&CC_0280
Compatible IDs:
PCI\VEN_8086&DEV_4229&REV_61
PCI\VEN_8086&DEV_4229
PCI\VEN_8086&CC_028000
PCI\VEN_8086&CC_0280
PCI\VEN_8086
PCI\CC_028000
PCI\CC_0280
Pick a specific enough ID and check if it works by doing:
devcon find "PCI\VEN_8086&DEV_4229&SUBSYS_11018086&REV_61"
If that finds only 1 device, and it's the one you want, you're good. Notice that often you'll want to escape the hardware ID with quotes.
Bonus: running a .bat script at startup or power on
In my case, I also needed to run this script when computer has booted after shutdown or sleep. I gave the above script sensible permissions and used Task Scheduler to run it on login and on startup, in its terminology:
https://www.sevenforums.com/tutorials/67503-task-create-run-program-startup-log.html?ltr=T
Due to security 'improvements' in Windows 10 and certainly since Windows Vista and the introduction of User Account Control I assume you would need to Run as administrator, not just be a member of the Administrators group.
It should generally be read that Run as administrator means Run as the user with the account name Administrator not Run as any user who holds membership of the Administrators group.
To Run as administrator, right click on the batch file and select Run as administrator from the context menu.
There are other ways of running as Administrator too.
You can use a self-elevating batch file, which usually uses a PowerShell or WSH helper function.
You can use Task Scheduler and choose the appropriate triggers and account information, (possibly using the SYSTEM account).
Additionally you need to ensure that DevCon.exe is either:
Along side the batch file, "%~dp0DevCon.exe" Disable "PCI\VEN_1002&DEV_687F*"
At a location defined within %PATH%, DevCon Disable "PCI\VEN_1002&DEV_687F*"
Invoked using its full path, "C:\Tools\DevCon.exe" Disable "PCI\VEN_1002&DEV_687F*"
In all cases above please note the asterisk which is missing from your examples
I want to set up path redirection in both files and registry keys in the same manner UAC virtualization works for another process at launch time (either programmatically or using some existing interface).
For example, I want to run C:\my_path\app.exe and when it opens any file on disk (C:\other_path\file.txt) for writing, the actual open file should be C:\temp_for_my_app\C\other_path\file.txt.
I've seen some programs are able to set up such redirection (i.e. Sandboxie), but I'm unsure which mechanism they are using (not even sure if it is the same UAC virtualization uses).
Any insight into the way UAC virtualization implements it might be useful (your comment on this will be appreciated)
Try cmregistercallback() or API HOOKING to hook zwopenkey() and zwcreatekey()
I need to know if a program exists ( or if I can create) that runs that computer's command prompt from a USB, without having to log in. I guess I don't really care if it is that computers cmd, but I need all of the modern functions of today's cmd. I also need to make sure that it has full administrative privileges. I know that it is possible, because just about every Linux system uses a similar system when it initially boots up, even when just downloaded to USB.
I guess I really need something that I can use with multiboot (a pure ISO file, not something like Rufus, which requires you to format usb). I don't know, but I don't think an ms dos thingy would have all of today's commands in cmd.
Any help much appreciated. Piece.
Edit: I just need the equvolent of single user mode in a Mac. Administrative access to the terminal without login info.
You can boot windows to safe mode limited command prompt, or you can launch a cmd window via the startup group (but you can't get a full screen after XP and the window can be closed with the latter method).
That is the first issue for you to solve, and then you can consider booting from USB.
I've recently discovered that by default, execution of powershell scripts is disabled. I was going to rely on it to safely remove a USB device from Windows, however if it's not enabled by default, I'd have to enable it first. Is it generally acceptable to do such things?
Alternative solutions are also welcome.
This question follows: https://superuser.com/questions/637854/safely-remove-a-usb-drive-using-bat-file/637878
I would not enable the execution of scripts globally on a machine just because your app wants to use it. That's an IT/Security policy decision, and they shouldn't be forced to accept your decision simply by using your software. If you're calling a PowerShell runspace from within a .NET app, you shouldn't need to worry about the execution policy since you can run your commands without calling to a separate .ps1 script. If you need to call powershell.exe and give it a script file, look at -ExecutionPolicy Bypass. About_Executionpolicies says this about Bypass:
- Nothing is blocked and there are no warnings or
prompts.
- This execution policy is designed for configurations
in which a Windows PowerShell script is built in to a
a larger application or for configurations in which
Windows PowerShell is the foundation for a program
that has its own security model.
MS used to deliver systems that were 'ready-to-exploit'. They got smarter about it, and take security much more seriously. So they now disable many features by default.
As for PowerShell, the default 'execution policy' by default did not allow scripts to be run. However, on a command line you could bypass the execution policy all together (ie. without changing it) as long you have permissions to do so:
PowerShell -ExecutionPolicy Bypass -file yourfile.ps1
If you are an administrator of the machine, it's perfectly OK to enable it and use it. If you are just an app-owner, you should probably consult with the administrator to change the policy, but as noted above, you may not need to.