Scripting - Command Line and Registry

AxCrypt may be called by other programs, or manually, by specifying command-line arguments. The general syntax is:

AxCrypt [-i | p | u | x ] | [-b tag] [-f] [-c] [-g] [-n filename] [-m] [-e] [-a | -k "passphrase"] [-z | d | o | w | s | q | h file(s)] [-t [tag]] | file(s)

Except for -i -p -u -x, the options are interpreted sequentially and may occur multiple times if it makes sense.

The options and their meanings are:

-i Install Set all registry values to default.
-p Psp test Test for the need to install psapi.dll. Only relevant on NT. If return code is 0, no need. This is an installation helper function only.
-u Uninstall Clear all registry values.
-x eXit End the resident server process, if loaded.
-b tag Batch id Define a tag, or batch id, to be used with subsequent pass phrases. These pass phrases will only be used when the same tag is specified in future calls to AxCrypt. The batch id is a decimal non-zero positive 32-bit signed integer. Odd values are reserved for internal use. If no -b option is given, saved pass phrases are 'global'. All tagged pass phrases are saved until cleared with -t.
-f Toggle Fast mode Will modify certain operations to execute fast, rather than safe and/or secure. There is no guaranteed effect. Initially off.
-c Toggle Copy-only flag Causes subsequent -d and -z to retain the originals. May be combined with -f for fast copy without wiping of temporaries. Initially off.
-g Toggle ignore encrypted flag If set, attempted encryption of already encrypted files will do nothing. Initially off.
-n Output Name Defines a file name to be used as output instead of default for the next -z or -d.
-m Toggle recurse flag If set, causes subsequent wild card file names to search into sub-directories. Initially off.
-e Encryption pass phrase definition Subsequent -a or -k options on this invocation define the default encryption key instead of one of possibly many decryption keys. The -b option may be used to define pass phrases with limited context.
-a Add pass phrase Prompt for a pass phrase using the AxCrypt standard safe dialogues. -b and -e may be used as modifiers.
-k "pass phrase" Cache pass phrase Cache the given pass phrase, quotes are recommended. The pass phrase is case-sensitive. -b and -e may be used as modifiers.
-z encrypt Encrypt and (if useful) compress the given file(s) with either the current default encryption key, or with one that is prompted for. The originals are wiped. -b, -c, -g, -f and -n may be used as modifiers.
-d Decrypt Decompress and decrypt the given file(s) with either a cached key, or with one that is prompted for. -b, -c, -f and -n may be used as modifiers.
-o Open Open the given file(s) with the appropriate application after temporary decryption and decompression. If they are modified after application exit, they are re-encrypted with the same pass phrase. -b may be used as modifier.
-w Wipe Wipe the given files and delete. Show a confirmation warning first.
-s wipe Silent Wipe the given files and delete, but do not ask for confirmation.
-q Query pass phrase cache Return exit code 0 if all files given have pass phrases in the cache already. -b may be used as modifier.
-h Anonymous rename Renames the given file(s) to anonymous names. The original names will be restored on decryption.
-t Clear pass phrase cache Clear the internal pass phrase cache. If -b is given, only pass phrases associated with that tag are affected, otherwise all are removed, tagged and un-tagged alike.

If no options are given but just file(s), they are opened as with -o. Otherwise the most recent -z, -d, -c, -o, -w, -s or -h determines the operation performed on the file.

The first time AxCrypt is started, a server process is initiated which will run until terminated. It is within this process that the pass phrase cache is kept, in a secure manner.

All operations are 'waitable', and will return a non-zero exit code on error.

The 'flag' options are important to specify before the operations they intend to modify, parameters are parsed and executed sequentially as the appear on the command line. Only operating system restrictions on command line lengths limit the number of operations on a single line. If any operation returns an error, the rest of the command line is ignored, and that error is returned as exit code.

Standard wild cards are accepted for all file specifications, except for Open. If the recursion flag is enabled, sub-directories will be searched too.

If you need to do several operations, and keep them together, without affecting the "global" pass phrase cache, use the -b option with an arbitrary tag as described above. Deriving one from the time of day may be appropriate for example. The -b option is valid over multiple calls to the server process, as long as it is not restarted.

REGISTRY KEYS AND VALUES

AxCrypt keeps some persistent data and chosen options in the registry. Most of these are managed automatically, and should not be modified manually.

Some values under HKEY_CURRENT_USER\Software\Axon Data\AxCrypt\  are:

ServerMode is a DWORD entry, that when non-zero causes AxCrypt to enter a non-interactive server mode. In this mode, no message boxes or dialogues will be displayed. The messages will be logged to %TEMP%\AxCrypt.Log, and they will be given default responses. The shell extension, i.e. the right click menu in Windows Explorer with AxCrypt options will be disabled as well.

EventLogLevel is normally zero DWORD, causing nothing to be logged, unless server mode is enabled. You may increase this to positive values to get increasing levels of detailed log-entries in %TEMP%\AxCrypt.Log. This is primarily for testing and debugging purposes.

EntropyPool is 128 byte BINARY used to persistently save the state of half of the entropy pool.

KeyWrapIterations is a DWORD that specifies the number of rounds performed in the key-wrapping operation, where the actual master data encrypting key is wrapped with the SHA-1 hash of the pass phrase. The minimum value is 6, no maximum, except it may take a long time...

NoUnsafeWipeWarn is a DWORD that when non-zero disables the warning about not being able to securely wipe certain types of files, notably compressed and EFS encrypted. This is modified by the checkbox in the warning dialog.

SaveDecKey  is a DWORD that when non-zero causes decryption pass phrases to be cached in memory. This is modified by the checkbox in the enter pass phrase dialog.

SaveEncKey is a DWORD that when non-zero causes an encryption pass phrase to be cached in memory and be used as default encryption pass phrase. This is modified by the checkbox in the enter pass phrase dialog for encryption. 

CompressThreshold is DWORD that indicates the minimum estimated compression level needed for AxCrypt to compress before encryption. To disable compression, set the value to 101. To enable compression in all cases, set it to 0. The default is 20, indicating that at least estimated 20% savings is required for compression to be performed.

DisableRenameMenu is a DWORD when non-zero causes the anonymous rename menu to disappear from the right-click context menu.

TryBrokenFile is a DWORD that when non-zero makes AxCrypt give the user the option to try decrypting a file, even if it appears broken. Use only for data-recovery, and at your own risk, and always on a copy of the file in question.

BruteForceCheck is a REG_SZ that maintains the most recent check-point in a custom brute force key-recovery search. See the code for details. This is not for ordinary mortals. Please don't waste bandwidth hollering 'back-door' without understanding what this is about. It's not. For questions, please contact me directly.

AllowAnyExtension is a DWORD that when non-zero causes AxCrypt to allow any extension of files to be decrypted. The default is to assume that if this happens it's because of a faulty association, and thus give a message to this effect.

Some values under HKEY_LOCAL_MACHINE\Software\Axon Data\AxCrypt\  are:

SelfExtractorName is a REG_SZ that contains the name of the executable base file used for self decrypting archives. This should be a file name without a path, it must reside in the same directory as the program.