Mask all important passwords in all MDT logs

By default, the MDT logging routine masks the entire line if it sees the word "password".

I came across the problem with UDI: when using ZTIUserState.wsf, the encryption key is exposed in clear text in the logs, as part of the command line, whenever ScanState.exe or LoadState.exe is called, because the logged line does not contain the word "password".

Regardless, for troubleshooting purposes you don't want to hide the whole line, only the value of the variable that gets exposed.

So I modified ZTIUtility.vbs, adding logic to hide those variables. Here is what was added to the CreateEntry function:

 

```vbscript
Public Function CreateEntry(sLogMsg, iType)
	Dim sTime, sDate, sTempMsg, oLog, bConsole, sMaskedVar

	' Each of the operations below has the potential to cause a runtime error.
	' However, we must not stop operation if there is a failure, so always continue.
	On Error Resume Next

	' Special Handling for Debug vs. Non-Debug messages
	If not Debug then
		If iType = LogTypeVerbose Then
			Exit Function ' Verbose Messages are only displayed when Debug = True
		Elseif iType = LogTypeDeprecated Then
			iType = LogTypeInfo ' Deprecated messages are normally Info messages
		End if

		' Suppress messages containing password
		If Instr(1, sLogMsg, "password", 1) > 0 then
			sLogMsg = "<Message containing password has been suppressed>"
		End if

		' Mask variables containing passwords: replace the current value of every
		' variable listed in MaskedVariables wherever it appears in the message
		For Each sMaskedVar in Split(oEnvironment.Item("MaskedVariables"),",")
			sLogMsg = Replace(sLogMsg, Trim(oEnvironment.Item(sMaskedVar)), "<password has been suppressed>")
		Next
	Else ' Debug = True
	' ... (excerpt ends here; the rest of CreateEntry is not shown)
```

 

Then make changes in your CustomSettings.INI by adding a new property:

```ini
[Settings]
...
Properties=MaskedVariables
...

[Default]
...
MaskedVariables=_SMSTSReserved2,OSDUserStateKeyPassword
...
```
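The masking above only affects lines logged after the change, so logs written earlier can still hold the key. The following Python check is an added example, not part of the original post or of MDT: it finds ScanState/LoadState command lines whose key is still readable and produces a masked copy. It assumes USMT's `/key:` argument and MDT's CMTrace-style log records; the function names, sample records, paths and keys are constructed.

```python
import re

# Placeholder text written by the modified CreateEntry shown above.
MASK = "<password has been suppressed>"
# MDT logs are CMTrace-style records: <![LOG[message]LOG]!><time=... component=...>
RECORD = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
COMPONENT = re.compile(r'component="([^"]*)"')
USMT_TOOL = re.compile(r'\b(scanstate|loadstate)(?:\.exe)?\b', re.I)
# USMT /key: argument: a quoted value, the bare mask text, or a bare token.
KEY_ARG = re.compile(r'(/key:)(?:"(?P<quoted>[^"]*)"|(?P<masked>%s)|(?P<bare>\S+))'
                     % re.escape(MASK), re.I)

# Constructed sample records; paths, keys and timestamps are made up.
TAIL = ']LOG]!><time="10:01:02.000+000" date="01-01-2024" component="ZTIUserState">'
SAMPLE = "\n".join("<![LOG[" + msg + TAIL for msg in [
    r'About to run command: "C:\USMT\scanstate.exe" /encrypt /key:"Example Key 1" /o',
    r'About to run command: C:\USMT\loadstate.exe /decrypt /key:ExampleKey2 /c',
    r'About to run command: "C:\USMT\scanstate.exe" /encrypt /key:"' + MASK + '" /o',
    "<Message containing password has been suppressed>",
])


def exposed_keys(log_text):
    """Return (record_no, component, tool) for every /key: value still readable."""
    findings = []
    for number, record in enumerate(RECORD.finditer(log_text), start=1):
        tool = USMT_TOOL.search(record.group("msg"))
        if not tool:
            continue
        comp = COMPONENT.search(record.group("attrs"))
        for arg in KEY_ARG.finditer(record.group("msg")):
            value = arg.group("quoted") or arg.group("bare")
            if value and value != MASK:  # skip empty and already-masked values
                findings.append((number, comp.group(1) if comp else "", tool.group(1).lower()))
    return findings


def redact(log_text):
    """Return log_text with readable /key: values in USMT command lines masked."""
    def fix(record):
        msg = record.group("msg")
        if USMT_TOOL.search(msg):
            msg = KEY_ARG.sub(lambda a: a.group(1) + '"' + MASK + '"', msg)
        return "<![LOG[%s]LOG]!><%s>" % (msg, record.group("attrs"))
    return RECORD.sub(fix, log_text)


if __name__ == "__main__":
    print(exposed_keys(SAMPLE))  # reports record numbers only, never the key itself
```

A key that has already appeared in a log should be treated as disclosed even after the file is redacted.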

 

 

Enjoy!