Windows: Get and decrypt password from rdp files


rdp files can store the password for a connection. The password is protected with the users key who saved the file.

The password can be decrypted by the .NET System.Security.Cryptography.ProtectedData class.

This script opens a rdp file and retrieve the user and the password.

		A PowerShell script to decrypt passwords from rdp files
		A PowerShell script to decrypt passwords from rdp files
	.PARAMETER rdpfile
		rdp file

if(-not (Test-Path $rdpfile))
	write-warning ("File {0} not found!" -f $rdpfile)
	exit 2


# Read RDP File
$sFileContent=Get-Content $rdpfile
foreach($sLine in $sFileContent)
	elseif($sLine.StartsWith("password 51:b:"))
		$sEncryptedPass=$sLine.Replace("password 51:b:","")
# Check Input
	write-warning "No username found!"
	exit 2
	write-warning "No encrypted password found!"
	exit 2
if($sUserName.IndexOf("\") -lt 0 -and  $sDomain)
	$sUserName="{0}\{1}" -f $sDomain,$sUserName

[System.reflection.assembly]::LoadWithPartialName("System.Security") | out-null

[byte[]]$aEncryptedPasswordBytes = New-Object -TypeName byte[] $iBytes
for ($i = 0; $i -lt $iBytes; $i++) {
    $aEncryptedPasswordBytes[$i] = [System.Convert]::ToByte($sEncryptedPass.Substring($i*2,2), 16)
[byte[]]$passwordAsBytes = [System.Security.Cryptography.ProtectedData]::Unprotect($aEncryptedPasswordBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

write-host ("{0,-16} : {1}" -f "UserName",$sUserName)
write-host ("{0,-16} : {1}" -f "Password",$sPass)

The Convert[To|From]-SecureString string uses the same methods. So you can encrypt and decrypt the password these command-lets:


PS D:\> $PasswordEncrypted=("MySecretPassword!" | ConvertTo-SecureString -Force -AsPlainText ) | ConvertFrom-SecureString


PS D:\> $ssecPasswordEncrypted = ConvertTo-SecureString $PasswordEncrypted
PS D:\> $pSecString = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ssecPasswordEncrypted)
PS D:\> $MyPlainPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($pSecString)
PS D:\> write-host $MyPlainPassword

To add a password to the RDP file add the following line:

password 51:b:01000000d08c9d....

All after “b:” must be replace with the content of $PasswordEncrypted

Note: Such a file does only work on the PC where the encrypted password is generated because it is bound to the users key of that machine by using the DPAPI.


Further links

Extracting DPAPI Passwords

Advertisment to support

Leave a Reply

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.