KeePass and PowerShell (an imperfect approach with KPScript.exe)

TL;DR... read what's in bold.

UPDATE 05/25/16: Before reading or trying to use this script you should check out 

As the title suggests, this is a less than stellar solution, but if you understand its limitations it works really well. Before I started to build this I ran across Mittias Lundgren's functions that load the KeePass .dlls. I tried to follow his lead but was unsuccessful (I'm not a developer). The Internet soon pointed out the KeePass plugin (KPScript.exe). KPScript was written by the same guy who developed KeePass, Dominik Reichl. Having read through the documentation for KPScript.exe, I started to wrap PowerShell along with Invoke-Expression around the KPScript.exe Single Command Operations.

It is not recommended when you need to perform many operations, because for each command the database needs to be loaded from file, decrypted, modified, encrypted and written back to file.
— Dominik Reichl

Cue "Imperfect Approach"... My first attempts at parsing the KPScript.exe output were a bust, which led me to troubleshooting with .bat files. That process gave me the idea to dynamically build batch files, run them, capture\parse the output, and then delete the batch file. With a few exceptions, this works pretty well. The real usefulness of this comes into play when used inside of other scripts; predictability and consistency help rule out a lot of the issues discussed below in Error Handling.

Again, this is not perfect but it works. It's a fair amount of pointless overhead and running KPScript.exe again and again and again to do simple things is by no means efficient. Dominik even says it himself.

Download Script Here.

Limitations & Things to Know

Password Generator Profile

The function New-KeePassPassword along with the parameter -GenProfile does not fail if the generation profile specified can't be found. It continues but goes with the default generator profile.

Password Complexity & Special Characters

This one took some time to reliably predict and somewhat resolve. If you wish to use generated passwords with either Add-KeePassEntry or Edit-KeePassEntry then the generator profile used cannot contain a percent %, double quote ", or backslash \. While I can't say for sure why, it has something to do with those characters interfering within cmd.exe. So unless you want to dynamically escape those characters prior to using them with Add or Edit, I suggest you use a profile similar to the one shown. Each of the special characters listed in "Also include the following characters" has been thoroughly tested. Extending on this, those three characters mentioned before also don't work in any other fields: Title, Username, Notes.

Processing Passwords in Clear Text

Using a tool like Process Monitor it is possible to view the following passwords when using any of the functions provided: KeePass database password, New-KeePassPassword passwords, Edit-KeePassPassword, and Add-KeePassPassword. To my knowledge it is not possible to pass a secure string to KPScript.exe.
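
What that exposure looks like from the defender's side, as an added example (not part of the original script): a PowerShell filter that scans recorded process command lines for KPScript.exe invocations carrying secrets and reports them redacted. The command lines are constructed samples; -pw: is KPScript's master-password option, while -Password: and -set-Password: are assumed option names for entry passwords.

```powershell
function Find-KPScriptSecretExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine,

        # -pw: is KPScript's master-password option. The other two names are
        # assumptions about how entry passwords reach KPScript.exe.
        [string[]]$SecretOptions = @('pw', 'Password', 'set-Password')
    )
    begin {
        $names = ($SecretOptions | ForEach-Object { [regex]::Escape($_) }) -join '|'
        # Matches -name:"quoted value" or -name:bareValue, case-insensitively.
        $pattern = '(?i)(?<=\s)-(?<name>' + $names + '):(?:"[^"]*"|\S+)'
    }
    process {
        # Only KPScript.exe process lines are of interest.
        if ($CommandLine -notmatch '\bKPScript\.exe\b') { return }
        $hits = [regex]::Matches($CommandLine, $pattern)
        if ($hits.Count -eq 0) { return }
        [pscustomobject]@{
            Options  = @($hits | ForEach-Object { $_.Groups['name'].Value })
            # Report the finding without copying the secret into the report.
            Redacted = [regex]::Replace($CommandLine, $pattern, '-${name}:<redacted>')
        }
    }
}

# Constructed command lines, shaped like the command-line field of
# process-creation audit events. Paths and values are made up.
$sample = @(
    '"C:\Program Files (x86)\KeePass Password Safe 2\KPScript.exe" -c:GetEntryString "C:\db\Vault.kdbx" -pw:"Example Master Pw" -Field:Password -ref-Title:"My New Entry"'
    'cmd.exe /c "C:\Program Files (x86)\KeePass Password Safe 2\tmp.bat"'
    'KPScript.exe -c:EditEntry C:\db\Vault.kdbx -pw:ExamplePw1 -ref-UserName:contoso\administrator -set-Password:NewPassword123'
)

$sample | Find-KPScriptSecretExposure | Format-List
```

The cmd.exe line that launches the batch file is not flagged, because the secret only appears on the command line of the KPScript.exe child process that the batch file starts.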

KPScript.exe and KeePass.exe

Both bin's must be version As of this writing those are both the latest versions. I have not tested any of this with older versions. KPScript.exe must be placed within KeePass's install directory. 

The Batch Files

The batch files that get generated on the fly are created in the KeePass install directory. That said, so long as you're not running any of these functions concurrently there shouldn't be a problem. 

Error Handling

Not a lot of effort was put into dealing with errors. If you provide the wrong KeePass password it will tell you, if the KeePass database you provided is missing it will tell you, and if you provide an entry to Edit that can't be found it will tell you. If you add an entry to a group that does not exist it will create that group. If you add an entry that already exists it creates a new one.

Help & Troubleshooting

Get-Help is your friend (Get-Help Add-KeePassEntry). You can also run any of the functions with -Verbose to see what's going on; below is an example.


Loading the functions and defining where KeePass is installed

Before you can dot source the PowerKeePass.ps1 script you must define the $KPInstallDir variable (e.g. $KPInstallDir = 'C:\Program Files (x86)\KeePass Password Safe 2'). Dot source the script (PS C:\files> . 'C:\Users\you\PowerKeePass.ps1'). There are some pre-reqs that run to make sure everything is correct, version is, bin's exist etc.

New-KeePassPassword (Generate a new KeePass Password from the generator profile '30CharComplex')

Get-KeePassEntry (Get the password for the Title 'My New Entry'. Think of it like Get | ?{$_.Title -eq 'My New Entry'})

Get-KeePassEntry (Get the notes for the Username 'contoso\userA'. Think of it like Get | ?{$_.Username -eq 'contoso\userA'})

Add-KeePassEntry (Add an entry for the admin contoso user to the CONTOSO group with a KeePass generated password)

Edit-KeePassEntry (Get the entry for contoso\administrator and change the password to 'NewPassword123')