PowerShell Convert Secure String to Plain Text

Have you ever needed to convert a PowerShell SecureString into plain text, but hesitated due to security concerns or complexity? In this tutorial, I’ll walk you through multiple practical ways to convert a SecureString to plain text using PowerShell. You will see some real examples.

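PowerShell’s SecureString is designed to store sensitive data such as passwords in encrypted form in memory, protecting it from plain-text exposure. That encryption applies on Windows; in PowerShell 7 on Linux and macOS the contents of a SecureString are not encrypted.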

However, some situations—like passing credentials to external programs or APIs—require the password in plain text. That’s when converting a SecureString back to plain text becomes necessary.

Below are a few methods to convert a secure string to plain text using PowerShell.

Method 1: Using Marshal Class to Convert SecureString to Plain Text

One of the most reliable ways to convert a SecureString to plain text is by leveraging the .NET System.Runtime.InteropServices.Marshal class. This method works well across different PowerShell versions and is widely used in enterprise environments.

How It Works

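The Marshal class provides functions to allocate unmanaged memory and convert the SecureString to a BSTR (binary string) pointer. PtrToStringBSTR then reads that pointer into an ordinary plain text string. The unmanaged copy exists only until ZeroFreeBSTR is called, but the managed string it produced stays in memory until it is garbage collected, so keep that variable in as narrow a scope as possible.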

Here is the complete PowerShell script.

# Create a SecureString from a plain text password
$securePassword = ConvertTo-SecureString "WashingtonDC2025!" -AsPlainText -Force

# Convert SecureString to plain text
$ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
try {
    $plainText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)
}
finally {
    # Zero and free the unmanaged copy, even if the conversion throws
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)
}

# Output the plain text password
Write-Output $plainText

  • ConvertTo-SecureString creates a SecureString from a plain text password.
  • SecureStringToBSTR converts the SecureString to an unmanaged string pointer.
  • PtrToStringBSTR reads the unmanaged pointer as a plain text string.
  • Finally, ZeroFreeBSTR zeroes and frees the unmanaged memory, so the decrypted copy does not linger there and the allocation does not leak.
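The following is an added example, not part of the original tutorial. It copies the decrypted characters into a char[] buffer that can be overwritten afterwards, so the full password never becomes an immutable managed string. The function name Invoke-WithSecureStringChars and the sample password are constructed for illustration.

```powershell
function Invoke-WithSecureStringChars {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [System.Security.SecureString] $SecureString,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock
    )
    $marshal = [System.Runtime.InteropServices.Marshal]
    $chars   = [char[]]::new($SecureString.Length)
    $ptr     = [IntPtr]::Zero
    try {
        # Decrypt into unmanaged memory, then copy into a buffer we control
        $ptr = $marshal::SecureStringToBSTR($SecureString)
        $marshal::Copy($ptr, $chars, 0, $chars.Length)
        # The script block receives the buffer as its first argument
        & $ScriptBlock $chars
    }
    finally {
        # Wipe both copies whether or not the script block threw
        if ($ptr -ne [IntPtr]::Zero) { $marshal::ZeroFreeBSTR($ptr) }
        [Array]::Clear($chars, 0, $chars.Length)
    }
}

# Constructed sample value; real scripts would use Read-Host -AsSecureString
$secure = ConvertTo-SecureString 'Constructed-Sample-1!' -AsPlainText -Force

# Example use: a password policy check that only returns non-secret facts
$report = Invoke-WithSecureStringChars -SecureString $secure -ScriptBlock {
    param([char[]] $c)
    $digits = 0; $upper = 0
    foreach ($ch in $c) {
        if ([char]::IsDigit($ch)) { $digits++ }
        if ([char]::IsUpper($ch)) { $upper++ }
    }
    [pscustomobject]@{
        Length   = $c.Length
        HasDigit = $digits -gt 0
        HasUpper = $upper -gt 0
    }
}
$report
```

The script block should return only derived, non-secret values; anything it copies out of the buffer is outside the cleanup in the finally block.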

Method 2: Using GetNetworkCredential() Method

Another quick and easy way to convert a SecureString to plain text is by using the GetNetworkCredential() method of the PSCredential object. This method is especially handy when you already have credentials stored as a PSCredential.

How It Works

The GetNetworkCredential() method exposes the password as plain text by returning a NetworkCredential object, which includes the plain password string. This is a clean and simple approach when dealing with credential objects.

Here is the PowerShell script.

# Create a PSCredential object with username and SecureString password
$username = "Sarah.Jones@uscompany.com"
$securePassword = ConvertTo-SecureString "Seattle#2025" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)

# Extract plain text password
$plainTextPassword = $credential.GetNetworkCredential().Password

# Output the plain text password
Write-Output $plainTextPassword

  • The PSCredential object holds both username and SecureString password.
  • GetNetworkCredential() returns a NetworkCredential object whose Password property is the password as an ordinary plain text string, so treat that value like any other secret in memory.
  • This method is great when working with credential objects rather than raw SecureStrings.

Method 3: Using PowerShell 7+ ConvertFrom-SecureString with Key

In PowerShell 7 and above, you can use ConvertFrom-SecureString with a key to convert and store encrypted strings securely, then decrypt them back to plain text.

How It Works

You generate an encryption key (a byte array), use it to encrypt your SecureString to a string, and then decrypt it using the same key. This method is useful if you want to store encrypted passwords and decrypt them later.

Here is an example, along with the complete PowerShell script.

# Generate a random 16-byte encryption key (valid key lengths are 16, 24, or 32 bytes)
$key = [byte[]]::new(16)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$rng.Dispose()

# Convert plain text to SecureString
$securePassword = ConvertTo-SecureString "Dallas#2025" -AsPlainText -Force

# Encrypt SecureString to an encrypted standard string
$encryptedString = $securePassword | ConvertFrom-SecureString -Key $key

# Decrypt back to SecureString
$decryptedSecureString = $encryptedString | ConvertTo-SecureString -Key $key

# Convert decrypted SecureString to plain text using Marshal method
$ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($decryptedSecureString)
try {
    $plainText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)
}
finally {
    # Zero and free the unmanaged copy, even if the conversion throws
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)
}

# Output the plain text password
Write-Output $plainText

  • With -Key, the string is encrypted with AES under the key you supply rather than with Windows DPAPI, so the same key must be used for encryption and decryption, and anyone who holds the key can decrypt the stored string.
  • This method is ideal for securely storing and retrieving passwords without exposing them unnecessarily, provided the key is protected as carefully as the password itself.
  • You still need to convert the decrypted SecureString to plain text using the Marshal class.
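The store-now, decrypt-later workflow described above, as an added example that is not part of the original tutorial. The directory, file names, account name and sample password are constructed for illustration.

```powershell
# Hypothetical locations; in practice keep the key apart from the encrypted file
$dir     = Join-Path ([System.IO.Path]::GetTempPath()) 'securestring-demo'
$keyFile = Join-Path $dir 'aes.key'
$pwFile  = Join-Path $dir 'password.enc'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# --- One-time setup ---
# Random 32-byte key (AES-256), saved as raw bytes
$key = [byte[]]::new(32)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($key) } finally { $rng.Dispose() }
[System.IO.File]::WriteAllBytes($keyFile, $key)
# Anyone who can read aes.key can decrypt password.enc, so restrict the
# key file's permissions to the account that runs the script.

# Constructed sample value; real scripts would use Read-Host -AsSecureString
$secure = ConvertTo-SecureString 'Constructed-Sample-1!' -AsPlainText -Force
$secure | ConvertFrom-SecureString -Key $key | Set-Content -Path $pwFile
[Array]::Clear($key, 0, $key.Length)   # wipe the in-memory key copy

# --- Later session ---
$key      = [System.IO.File]::ReadAllBytes($keyFile)
$restored = Get-Content -Path $pwFile | ConvertTo-SecureString -Key $key
[Array]::Clear($key, 0, $key.Length)

# Pass the SecureString on to APIs that accept it instead of converting it;
# 'svc-demo' is a hypothetical account name
$credential = [pscredential]::new('svc-demo', $restored)
$credential.UserName
```

Convert the restored SecureString to plain text only at the point where an external program or API actually requires it.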

In this tutorial, I explained three methods for converting a SecureString to plain text in PowerShell.
