Mask all important passwords in all MDT logs


By default, the MDT logging routine masks the entire line if it sees the word “password”.

I came across a problem with UDI: when using ZTIUserState.wsf, the encryption key is exposed in clear text in the logs, in the command line logged when ScanState.exe or LoadState.exe is called, because the word “password” does not appear in that log line.

Either way, for troubleshooting you don’t want to hide the whole line, only the value of the variable that gets exposed.

So I modified ZTIUtility.vbs, adding logic to hide the values of those variables. Here is what was added to the CreateEntry function (the "Mask variables containing passwords" loop):


 

Public Function CreateEntry(sLogMsg, iType)
    Dim sTime, sDate, sTempMsg, oLog, bConsole, sMaskedVar

    ' Each of the operations below has the potential to cause a runtime error.
    ' However, we must not stop operation if there is a failure, so always continue.

    On Error Resume Next

    ' Special Handling for Debug vs. Non-Debug messages

    If not Debug then

        If iType = LogTypeVerbose Then
            Exit Function ' Verbose Messages are only displayed when Debug = True
        Elseif iType = LogTypeDeprecated Then
            iType = LogTypeInfo ' Deprecated messages are normally Info messages
        End if

        ' Suppress messages containing password

        If Instr(1, sLogMsg, "password", 1) > 0 then
            sLogMsg = "<Message containing password has been suppressed>"
        End if

        ' Mask variables containing passwords:
        ' replace the current value of each variable listed in MaskedVariables
        For Each sMaskedVar in Split(oEnvironment.Item("MaskedVariables"),",")
            sLogMsg = Replace(sLogMsg, Trim(oEnvironment.Item(sMaskedVar)), "<password has been suppressed>")
        Next

    Else ' Debug = True

 

Then add a new property to your CustomSettings.ini and list the variables whose values should be masked:

[Settings]
...
Properties=MaskedVariables
...

[Default]
...
MaskedVariables=_SMSTSReserved2,OSDUserStateKeyPassword
...
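
The same idea as a stand-alone script, added here as an illustration and not part of MDT or the original post: it masks by value after the stock keyword check, trims variable names as well as values, and skips undefined or very short values. The Scripting.Dictionary standing in for oEnvironment, the helper names, the MIN_SECRET_LENGTH threshold and all log lines and secret values are constructed assumptions.

```vbscript
Option Explicit

' Constructed stand-in for MDT's oEnvironment; all values below are made up.
Dim oEnv : Set oEnv = CreateObject("Scripting.Dictionary")
oEnv.CompareMode = vbTextCompare
oEnv.Add "MaskedVariables", "_SMSTSReserved2, OSDUserStateKeyPassword, NotDefinedHere"
oEnv.Add "_SMSTSReserved2", "Pa55w.rd-constructed"
oEnv.Add "OSDUserStateKeyPassword", "K3y-constructed-value"

' Hypothetical threshold: masking a 1-2 character value would shred ordinary log text.
Const MIN_SECRET_LENGTH = 4

' Look up a variable; undefined names yield "" rather than an error.
Function EnvItem(sName)
    If oEnv.Exists(sName) Then EnvItem = oEnv.Item(sName) Else EnvItem = ""
End Function

' Stock behaviour described in the post: drop the whole line if it mentions "password".
Function SuppressKeywordLine(sLogMsg)
    SuppressKeywordLine = sLogMsg
    If InStr(1, sLogMsg, "password", vbTextCompare) > 0 Then
        SuppressKeywordLine = "<Message containing password has been suppressed>"
    End If
End Function

' Value-based masking: replace the value of every variable named in MaskedVariables.
Function MaskSecrets(sLogMsg)
    Dim sItem, sValue, sOut
    sOut = sLogMsg
    For Each sItem In Split(EnvItem("MaskedVariables"), ",")
        sValue = Trim(EnvItem(Trim(sItem)))   ' Trim the name too, so "A, B" lists work
        If Len(sValue) >= MIN_SECRET_LENGTH Then
            sOut = Replace(sOut, sValue, "<password has been suppressed>", 1, -1, vbBinaryCompare)
        End If
    Next
    MaskSecrets = sOut
End Function

' Constructed log lines: the first has no "password" keyword, so only value masking catches it.
Dim aLines, sLine
aLines = Array( _
    "About to run command: ""C:\USMT\scanstate.exe"" \\srv\store /encrypt /key:""K3y-constructed-value""", _
    "Joining domain with password Pa55w.rd-constructed", _
    "Property OSDComputerName is now = PC-001")
For Each sLine In aLines
    WScript.Echo MaskSecrets(SuppressKeywordLine(sLine))
Next
```

Run it with cscript //nologo so the three resulting lines print to the console; the ScanState line keeps its command line for troubleshooting and loses only the key value.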

 

 

Enjoy!

