Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from http://cloud.google.com/compute/docs/instances/windows/automate-pw-generation below:

Automating Windows password generation | Compute Engine Documentation

Stay organized with collections Save and categorize content based on your preferences.

Windows

The gcloud compute reset-windows-password command allows a user with write access to the Compute Engine project to securely retrieve passwords for accounts on Windows instances.

The command does this by sending a username and an RSA public key to the instance. The agent running on the instance then does one of the following:

• Creates an account on the instance for that username and generates a random password.
• Resets the password to a random value if the account already exists.

The agent running on the instance encrypts the password with the provided public key and sends it back to the client to be decrypted by the corresponding private key.

This section describes how this process works and gives you some example scripts that replicate these steps programmatically. If you want to manually follow these steps, read the Manual instructions section.

• Create a Windows instance.
• If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:

  Select the tab for how you plan to use the samples on this page:

  Console

  When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

  gcloud

  1. Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:

     gcloud init

     If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

     Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
  2. Set a default region and zone.
  REST

  To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

  Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:

  gcloud init

  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

The steps in this manual guide use OpenSSL for the cryptographic functions and the Bash shell/Linux tools for some other functions, but many other implementations are possible.

1. Generate a 2048-bit RSA key pair. In OpenSSL, generate this key pair by running:

   $ openssl genrsa -out private_key 2048
   

   This creates a private key file named private_key with contents that look like the following:

   $ cat private_key
   -----BEGIN RSA PRIVATE KEY-----
   MIIEpAIBAAKCAQEAwgsquN4IBNPqIUnu+h/5Za1kujb2YRhX1vCQVQAkBwnWigcC
   qOBVfRa5JoZfx6KIvEXjWqa77jPvlsxM4WPqnDIM2qiK36up3SKkYwFjff6F2ni/
   ry8vrwXCX3sGZ1hbIHlK0O012HpA3ISeEswVZmX2X67naOvJXfY5v0hGPWqCADao
   +xVxrmxsZD4IWnKl1UaZzI5lhAzr8fw6utHwx1EZ/MSgsEki6tujcZfN+GUDRnmJ
   GQSnPTXmsf7Q4DKreTZk49cuyB3prV91S0x3DYjCUpSXrkVy1Ha5XicGD/q+ystu
   FsJnrrhbNXJbpSjM6sjo/aduAkZJl4FmOt0R7QIDAQABAoIBAQCsT6hHc/tg9iIC
   H5pUiRI55Uj+R5JwVGKkXwl8Qdy8V1MpTOJivpuLsiMGf+sL51xO/CzRsiBOfdYz
   bgaTW9vZimR5w5NW3iTAV2Ps+y2zk9KfV/y3/0nzvUSG70OXgBGj+7GhaBQZwS5Z
   5HZOsOYMAV1QSIv8Uu2FQAK1xuOA4seJ/NK42iXgVB1XvYe2AxCWNqCBJylk9F5N
   8a213oJWw2mwQWCSfZhuvwYRO7w/V+mInKPkKlWvf3SLuMCWeDI8s0jLsJMQ0rbp
   jYXRzc2G+LF1aLxjatiGeLsqfVYerNohufGAajpNkSvcMciDXvD9aJhZqior+x2Q
   rCnMuNRNAoGBAPI6r32wIf8H9GmcvGrXk9OYLq0uJGqAtJDgGmJM5BSX4mlSz+Ni
   SYlQOfi24ykQDo3XbA59Lb6H0L64czi2a3OmpG8s6h4ymp+3cSd1k1AER1oZudwH
   9UScGfSgT/nMgufBwEGlQkCMp5x4Sl20clCHZ49p9eNiXML3wxpCZPIjAoGBAM0T
   NKt/rjqMs0qOWAJKemSPk0zV+1RSjCoOdKC6jmHRGr/MIoKiJLIkywV2m53yv8Wu
   BF3gVUDlwojoOKcVR8588tek5L0j9RshGovKj4Uxz9uPPhzeNnlSA+5PS284VtKz
   LX8xZ/b+MNCyor9jT0qoWylqym0w+M4aFL2tUQSvAoGABJvnQO38B51AIk5QK3xE
   nM8VfEgXe0tNpEAPYHV0FYw6S6S+veXd3lX/dGMOeXaLwFkr/i6Vkz2EVEywLJEU
   BFRUZqUlI0P1OzrDVWvgTLJ4JRe+OJiSKycJO2VdgDRK/Vvra5RYaWADxG9pgtTv
   I+cfqlPq0NPLTg5m0PYYc58CgYBpGt/SygTNA1Hc82mN+wgRxDhVmBJRHGG0KGaD
   /jl9TsOr638AfwPZvdvD+A83+7NoKJEaYCCxu1BiBMsMb263GPkJpvyJKAW2mtfV
   L8MxG9+Rgy/tccJvmaZkHIXoAfMV2DmISBUl1Q/F1thsyQRZmkHmz1Hidsf+MgXR
   VSQCBwKBgQCxwJtGZGPdQbDXcZZtL0yJJIbdt5Q/TrW0es17IPAoze+E6zFg9mo7
   ea9AuGxOGDQwO9n5DBn/3XcSjRnhvXaW60Taz6ZC60Zh/s6IilCmav+n9ewFHJ3o
   AglSJZRJ1Eer0m5m6s2FW5U0Yjthxwkm3WCWS61cOOTvb6xhQ5+WSw==
   -----END RSA PRIVATE KEY-----
   

2. Generate a public key. To create the public key, run:

   $ openssl rsa -pubout -in private_key -out public_key
   

   This creates a public_key file that looks like this:

   $ cat public_key
   -----BEGIN PUBLIC KEY-----
   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwgsquN4IBNPqIUnu+h/5
   Za1kujb2YRhX1vCQVQAkBwnWigcCqOBVfRa5JoZfx6KIvEXjWqa77jPvlsxM4WPq
   nDIM2qiK36up3SKkYwFjff6F2ni/ry8vrwXCX3sGZ1hbIHlK0O012HpA3ISeEswV
   ZmX2X67naOvJXfY5v0hGPWqCADao+xVxrmxsZD4IWnKl1UaZzI5lhAzr8fw6utHw
   x1EZ/MSgsEki6tujcZfN+GUDRnmJGQSnPTXmsf7Q4DKreTZk49cuyB3prV91S0x3
   DYjCUpSXrkVy1Ha5XicGD/q+ystuFsJnrrhbNXJbpSjM6sjo/aduAkZJl4FmOt0R
   7QIDAQAB
   -----END PUBLIC KEY-----
   

3. Extract the modulus and the exponent. A modulus and an exponent make up the public and private keys. From the public key, extract the modulus and the exponent:

   $ openssl rsa -in public_key -pubin -text -noout
   Public-Key: (2048 bit)
   Modulus:
       00:c2:0b:2a:b8:de:08:04:d3:ea:21:49:ee:fa:1f:
       f9:65:ad:64:ba:36:f6:61:18:57:d6:f0:90:55:00:
       24:07:09:d6:8a:07:02:a8:e0:55:7d:16:b9:26:86:
       5f:c7:a2:88:bc:45:e3:5a:a6:bb:ee:33:ef:96:cc:
       4c:e1:63:ea:9c:32:0c:da:a8:8a:df:ab:a9:dd:22:
       a4:63:01:63:7d:fe:85:da:78:bf:af:2f:2f:af:05:
       c2:5f:7b:06:67:58:5b:20:79:4a:d0:ed:35:d8:7a:
       40:dc:84:9e:12:cc:15:66:65:f6:5f:ae:e7:68:eb:
       c9:5d:f6:39:bf:48:46:3d:6a:82:00:36:a8:fb:15:
       71:ae:6c:6c:64:3e:08:5a:72:a5:d5:46:99:cc:8e:
       65:84:0c:eb:f1:fc:3a:ba:d1:f0:c7:51:19:fc:c4:
       a0:b0:49:22:ea:db:a3:71:97:cd:f8:65:03:46:79:
       89:19:04:a7:3d:35:e6:b1:fe:d0:e0:32:ab:79:36:
       64:e3:d7:2e:c8:1d:e9:ad:5f:75:4b:4c:77:0d:88:
       c2:52:94:97:ae:45:72:d4:76:b9:5e:27:06:0f:fa:
       be:ca:cb:6e:16:c2:67:ae:b8:5b:35:72:5b:a5:28:
       cc:ea:c8:e8:fd:a7:6e:02:46:49:97:81:66:3a:dd:
       11:ed
   Exponent: 65537 (0x10001)
   

4. Encode the modulus and exponent. You must extract and base64-encode the modulus and exponent. Before encoding the modulus, remove the leading zero byte from the modulus. By default, the public_key file is already a base64-encoded string of bytes containing the following information:

   • 32 bytes of header information
   • 1 byte with the leading zero of the modulus
   • 256 bytes of modulus
   • 2 bytes of exponent header
   • 3 bytes of exponent

   The modulus and exponent need to be extracted and encoded separately from the rest of the file's contents. Extract and encode the modulus and exponent using the following commands:

   $ cat public_key | grep -v -- ----- | base64 -d | dd bs=1 skip=33 count=256 2>/dev/null | base64 -w 0; echo
           wgsquN4IBNPqIUnu+h/5Za1kujb2YRhX1vCQVQAkBwnWigcCqOBVfRa5JoZfx6KIvEXjWqa77jPvlsx
   M4WPqnDIM2qiK36up3SKkYwFjff6F2ni/ry8vrwXCX3sGZ1hbIHlK0O012HpA3ISeEswVZmX2X67naO
   vJXfY5v0hGPWqCADao+xVxrmxsZD4IWnKl1UaZzI5lhAzr8fw6utHwx1EZ/MSgsEki6tujcZfN+GUDR
   nmJGQSnPTXmsf7Q4DKreTZk49cuyB3prV91S0x3DYjCUpSXrkVy1Ha5XicGD/q+ystuFsJnrrhbNXJb
   pSjM6sjo/aduAkZJl4FmOt0R7Q==
   

   $ cat public_key | grep -v -- ----- | base64 -d | dd bs=1 skip=291 count=3 2>/dev/null | base64
   AQAB
   

   If you are running into problems encoding the modulus, make sure you have removed the leading zero byte from the modulus before attempting to encode it.

5. Create a JSON object with a username and public key information. Create a JSON object with the following data:

   • userName: The username to log into the instance.
   • modulus: The base64 encoded modulus of the public key.
   • exponent: The base64 encoded exponent of the public key
   • email: The email address of the user requesting the password. This should be the email address of the Google Account that is authenticated to the API.
   • expireOn: An RFC 3399 encoded timestamp of when the key should expire. This should be in UTC time, set approximately five minutes in the future. Since these keys are only used for generating the username and password, they are no longer necessary after the password is created. If a key has no expiration date or the expiration date has already passed, the agent will not use it and will skip over it completely.

   For example:

   {\"userName\": \"example-user\",  \"modulus\": \"wgsquN4IBNPqIUnu+h/5Za1kujb2YRhX1
   vCQVQAkBwnWigcCqOBVfRa5JoZfx6KIvEXjWqa77jPvlsxM4WPqnDIM2qiK36up3SKkYwFjff6F
   2ni/ry8vrwXCX3sGZ1hbIHlK0O012HpA3ISeEswVZmX2X67naOvJXfY5v0hGPWqCADao+xVxrmx
   sZD4IWnKl1UaZzI5lhAzr8fw6utHwx1EZ/MSgsEki6tujcZfN+GUDRnmJGQSnPTXmsf7Q4DKreT
   Zk49cuyB3prV91S0x3DYjCUpSXrkVy1Ha5XicGD/q+ystuFsJnrrhbNXJbpSjM6sjo/aduAkZJl
   4FmOt0R7Q==\", \"exponent\": \"AQAB\", \"email\": \"example.user@example.com\",
   \"expireOn\": \"2015-04-14T01:37:19Z\"}
   

   Note that there should be no newlines in the JSON string.

6. Add the JSON object to the instance metadata. Set the instance metadata using the metadata key windows-keys and the JSON object as the key value.

   In order to update instance metadata in the API, you must provide a fingerprint with your request. Get the current fingerprint of the instance by making a GET request to the instance:

   GET  https://compute.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/instances/test-windows-auth
   [..snip..]
   "metadata": {
   "kind": "compute#metadata",
   "fingerprint": "5sFotm8Ee0I=",
   "items": [
    {
    …
    }
   [..snip]..
   

   Next, make a POST request to the setMetadata method, providing the fingerprint and the JSON object you created:

   POST https://compute.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/instances/test-windows-auth/setMetadata
   
   {
    "fingerprint": "5sFotm8Ee0I=",
    "items": [
     {
      "value": "{\"userName\": \"example-user\",  \"modulus\": \"wgsquN4IBNPqIUnu+h/5Za1kujb2YRhX1vCQVQAkBwnWigcCqOBVfRa5JoZfx6KIvEXjWqa77jPvlsxM4WPqnDIM2qiK36up3SKkYwFjff6F2ni/ry8vrwXCX3sGZ1hbIHlK0O012HpA3ISeEswVZmX2X67naOvJXfY5v0hGPWqCADao+xVxrmxsZD4IWnKl1UaZzI5lhAzr8fw6utHwx1EZ/MSgsEki6tujcZfN+GUDRnmJGQSnPTXmsf7Q4DKreTZk49cuyB3prV91S0x3DYjCUpSXrkVy1Ha5XicGD/q+ystuFsJnrrhbNXJbpSjM6sjo/aduAkZJl4FmOt0R7Q==\", \"exponent\": \"AQAB\", \"email\": \"user@example.com\", \"expireOn': '2015\"04-14T01:37:19Z\"}\n",
      "key": "windows-keys"
     } ]
   }
   

   The name of the key should be windows-keys and the value should be set to one or more JSON strings like the one above. Multiple strings should be separated by newlines. When adding multiple entries, ensure that the metadata value does not exceed 32 KB.

7. Read the output from serial port number four. The agent on the instance will automatically take the value of windows-keys and create an encrypted password. Read the encrypted password by querying serial port number four. In the API, make a GET request to the getSerialPortOutput method, passing in port=4 as a query parameter:

   GET https://compute.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/instances/test-windows-auth/serialPort?port=4
   
   {
    "kind": "compute#serialPortOutput",
    "selfLink": "https://www.googleapis.com/compute/v1/projects/myproject/zones/_/instances/test-api-auth/serialPort",
    "contents": "{\"ready\":true,\"version\":\"Microsoft Windows NT 6.1.7601 Service Pack 1\"}\n{\"encryptedPassword\":\"uiHDEhxyvj6lF5GalH
    h9TsMZb4bG6Y9qGmFb9S3XI29yvVsDCLdp4IbUg21MncHcaxP0rFu0kyjxlEXDs8y4L1KOhy6iyB42Lh+vZ4XIMjmvU4rZrjsBZ5TxQo9hL0lBW7o3FRM\\/UIXCeRk39ObUl2A
    jDmQ0mcw1byJI5v9KVJnNMaHdRCy\\/kvN6bx3qqjIhIMu0JExp4UVkAX2Mxb9b+c4o2DiZF5pY6ZfbuEmjSbvGRJXyswkOJ4jTZl+7e6+SZfEal8HJyRfZKiqTjrz+DLjYSlXr
    fIRqlvKeAFGOJq6IRojNWiTOOh8Zorc0iHDTIkf+MY0scfbBUo5m30Bf4w==\",\"exponent\":\"AQAB\",\"modulus\":\"0tiKdO2JmBHss26jnrSAwb583KG\\/ZIw5Jw
    wMPXrCVsFAPwY1OV3RlT1Hp4Xvpibr7rvJbOC+f\\/Gd0cBrK5pccQfccB+OHKpbBof473zEfRbdtFwPn10RfAFj\\/xikW0r\\/XxgG\\/c8tz9bmALBStGqmwOVOLRHxjwgtG
    u4poeuwmFfG6TuwgCadxpllW74mviFd4LZVSuCSni5YJnBM2HSJ8NP6g1fqI17KDXt2XO\\/7kSItubmMk+HGEXdH4qiugHYewaIf1o4XSQROC8xlRl7t\\/RaD4U58hKYkVwg0
    Ir7WzYzAVpG2UR4Co\\/GDG9Hct7HOYekDqVQ+sSZbwzajnVunkw==\",\"passwordFound\":true,\"userName\":\"example-user\"}\n"
   }
   

   The serial port output may contain multiple responses, separated by newlines. To find the correct response, match the modulus that you passed in, to the output of the serial port. Each response is a JSON encoded string with the following fields:

   • userName: The username that was passed to the instance.
   • passwordFound: A Boolean value indicating whether the password generation was successful.
   • encryptedPassword: A base64 encoded, encrypted password.
   • modulus: The modulus that was previously passed in.
   • exponent: The exponent that was previously passed in.

   For information about serial port output retention, see Viewing serial port output.

8. Decrypt the password. To get the password, use the previously created private key to decrypt the encrypted password. The password must be decrypted with Optimal Asymmetric Encryption Padding (OAEP). For OpenSSL, the command to decrypt input data is:

   $ openssl rsautl -decrypt -inkey private_key -oaep
   

   To decrypt the password above, provide the encryptedPassword value. Remember to remove the \\ escape characters from the string beforehand or the decryption will fail:

   $ echo 'uiHDEhxyvj6lF5GalHh9TsMZb4bG6Y9qGmFb9S3XI291MncHcaxP0rFu0kyjxlEXDs8y4L1KOhy6iyB42Lh+vZ4XIMjmvU4rZrjsBZ5Tx
   Qo9hL0lBW7o3FRM/UIXCeRk39ObUl2AjDmQ0mcw1byJI5v9KVJnNMaHdRCy/kvN6bx3qqjIhIMu0JExp4UVkAX2Mxb9b+c4o2DiZF5pY6ZfbuEmjS
   bvGRJXyswkOJ4jTZl+7e6+SZfEal8HJyRfZKiqTjrz+DLjYSlXrfIRqlvKeAFGOJq6IRojNWiTOOh8Zorc0iHDTIkf+MY0scfbBUo5m30Bf4w==' |
   base64 -d | openssl rsautl -decrypt -inkey private_key -oaep
   

   The command prints out the decrypted password:

   dDkJ_3]*QYS-#>X
   

   The username and password for this account would be:

   username: example-user
   password: dDkJ_3]*QYS-#>X
   

9. Throw away the keys. Unlike SSH Keys, the keys used for retrieving/resetting Windows passwords are meant to be ephemeral. Reusing public/private key pairs is not recommended and may not work as expected. If the key has been saved to disk, the files should be deleted at the end of the process. Better yet, if possible, keep the key in memory and discard it when the process has completed.

• Connecting to a Windows VM
• Creating Passwords for Windows Instances

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-07 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["The `gcloud compute reset-windows-password` command allows users with project write access to securely reset or retrieve passwords for accounts on Windows instances."],["This command works by sending a username and RSA public key to the instance, where an agent either creates a new account or resets an existing one's password."],["The agent encrypts the generated password using the provided public key, then sends it back to the client for decryption with the corresponding private key."],["Before using this command, users must create a Windows instance and set up authentication through either the Google Cloud console, gcloud CLI, or REST API, depending on their preferred method."],["The process of creating or resetting a password can also be done manually by creating a key pair, encoding the public key, and then using it to create or reset an account on the instance."]]],[]]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4