SecureEncode [Base64 Encrypt & Decrypt (AES-256 Encrypted)]

Discussion in 'Scripting' started by mephistooo2, Oct 31, 2025 at 10:18.

  1. mephistooo2

    mephistooo2 MDL Member

    Feb 5, 2008
    107
    181
    10
    #1 mephistooo2, Oct 31, 2025 at 10:18
    Last edited: Nov 1, 2025 at 18:21

    About The Project
    This project is an "Encoder" script that takes any file (.zip, .pdf, .exe, .txt or .iso etc.) and converts it into a single, self-extracting Windows command script (.cmd).

    This generated .cmd file contains your original file, compressed with GZip and (optionally) encrypted with AES-256. When you run this .cmd file on any Windows 7, 8.1, 10, or 11 operating system, it will prompt you for the password and securely recover the original file.

    Features
    • Context Menu Installer: Double-clicking the script runs an installer wizard that adds/removes an "Encrypt File..." option to the Windows right-click context menu.
    • Self-Extracting: Combines the data and the logic to decode it into a single .cmd file.
    • Optional AES-256 Encryption: Provides the option to protect your file with a password.
      • If a password is provided: The file is encrypted using AES-256, PBKDF2 (10,000 iterations), and a random Salt/IV.
      • If no password is provided (Enter is pressed): The file is not encrypted, only compressed.
    • System Directory Protection: Prevents accidental encryption of files in critical system folders like C:\Windows, C:\Program Files, and the C:\ root.
    • GZip Compression: Whether encrypted or not, all files are compressed with GZip to reduce the final file size.
    • Large File Support: Processes large files (e.g., 300MB+ files) without throwing an OutOfMemoryException. The Base64 conversion is "streamed" directly to the file instead of being held in RAM.
    • Secure Password Entry: Password entry is masked with *** characters in both the encoder and decoder scripts.
    • SHA256 Integrity Check: After recovering the file, the decoder script verifies the SHA256 hash of the original file to confirm the data was not corrupted.
    • Obfuscated Output Name: The generated _decode.cmd file's name (file_decode.cmd) hides the original file's extension.
    • Read-Only Output: The generated _decode.cmd file is set to 'Read-Only' to prevent accidental edits.
    • Wide Compatibility: Fully compatible with Windows 7, 8.1, 10, 11, and Server.
    • Zero Dependencies: Requires no external software, using only Windows' native Batch and PowerShell (v2.0+) engines.
    How to Use
    The process consists of two steps: ENCODING and DECODING.

    1. Encode (Packing the File)
      1. Download the SecureEncode.bat script from this repo.
      2. Drag and drop any file you want to pack (e.g., MySecretFile.zip) onto the SecureEncode.bat file.
      3. A command prompt will open. Set a strong password and press Enter.
        • (To pack without a password, just press Enter.)
      4. When the process is complete, a new file named MySecretFile_decode.cmd will be created in the same folder.

    2. Decode (Recovering the File)
      1. Take the generated ..._decode.cmd file and move it to the target machine (via email, USB, etc.).
      2. Double-click the file to run it.
      3. If you encrypted it, the command prompt will ask for the password (again, masked with ***). Enter the correct password.
      4. The script will recover the original file (MySecretFile.zip) in the same folder and verify its integrity.

    Security Model: Can My Password Be Cracked?
    The security of this script is 100% dependent on the strength of the password you choose.

    • The Algorithm (AES-256): Unbreakable. This is the industry standard used in banking and military systems. It is mathematically impossible for an attacker to decode the data without knowing your password.
    • Your Password (Your Responsibility): Crackable. An attacker will not try to break the algorithm; they will try to guess your password (known as a Brute-Force or Dictionary Attack).
    Security Levels:
    Password Strength | Example Password      | Time to Crack (Estimate) | Security Status
    Very Weak         | 1 or 123              | Seconds                  | INSECURE
    Weak              | password123           | Minutes / Hours          | INSECURE
    Strong            | My!Passw-1990         | Centuries                | SECURE
    Passphrase        | red-car-77-goes-fast? | Trillions of Years       | UNBREAKABLE

    Summary: NEVER use weak passwords for sensitive data.

    Dependencies
    • Windows 7, 8.1, 10, 11 or Server
    • PowerShell 2.0 or higher (Installed by default on all Windows 7 systems and newer)
    Author
    Abdullah ERTÜRK

    License
    This project is distributed under the MIT License.

    https://github.com/abdullah-erturk/Secure-Encode

    Corrected version based on @abbodi1406 suggestion
    Code:
    @echo off
    title Base64 Encrypt ^& Decrypt (AES-256 Encrypted^) by Abdullah ERTURK
    setlocal enabledelayedexpansion
    
    echo.
    echo Base64 Encrypt ^& Decrypt (AES-256 Encrypted^)
    echo.
    echo https://github.com/abdullah-erturk
    echo.
    
    if "%~1"=="" (
        mode con cols=90 lines=21
        echo.
        echo Base64 Encrypt ^& Decrypt (AES-256 Encrypted^)
        echo.
        echo You can use it without installation.
        echo.
        echo Please drag a file to this batch file to encode it.
        echo.
      
        net session >nul 2>&1
        if errorlevel 1 (
            echo Administrator privileges required for installation.
            echo Requesting elevated permissions...
            echo.
            powershell -Command "Start-Process '%~f0' -Verb RunAs"
            exit /b
        )
          
        if exist "C:\Windows\SecureEncode.cmd" (
            echo.
            echo.
            echo SecureEncode is already installed on the system.
            echo.
            choice /C YN /M "Do you want to uninstall it"
            if !errorlevel! equ 1 (
                echo.
                echo Uninstalling...
                del /f /q "C:\Windows\SecureEncode.cmd" >nul
                reg delete "HKCR\*\shell\SecureEncode" /f >nul
                echo.
                echo Uninstallation completed successfully.
                echo.
            ) else (
                echo.
                echo Uninstallation cancelled.
                echo.
            )
        ) else (
            echo.
            echo.
            echo SecureEncode is not installed on the system.
            echo.
            choice /C YN /M "Do you want to install it"
            if !errorlevel! equ 1 (
                echo.
                echo Installing...
                copy /y "%~f0" "C:\Windows\SecureEncode.cmd" >nul
                reg add "HKCR\*\shell\SecureEncode" /ve /d "Encrypt File (Secure Encode with AES-256)" /f >nul
                reg add "HKCR\*\shell\SecureEncode" /v "Icon" /d "C:\Windows\system32\imageres.dll,54" /f >nul
                reg add "HKCR\*\shell\SecureEncode\command" /ve /d "\"C:\Windows\SecureEncode.cmd\" \"%%1\"" /f >nul
                echo.
                echo Installation completed successfully.
                echo.
                echo Right-click on any file to see "Encrypt File (Secure Encode with AES-256)" option.
                echo.
            ) else (
                echo.
                echo Installation cancelled.
                echo.
            )
        )
        pause
        exit /b
    )
    
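    set "is_forbidden=0"
    set "full_path=%~f1"
    set "user_profile_path=%userprofile%\"
    
    :: $Recycle.Bin and System Volume Information are forbidden on all drives,
    :: so test them before the early exits below
    set "check_recycle=!full_path:$Recycle.Bin=!"
    if not "!check_recycle!"=="!full_path!" set "is_forbidden=1"
    
    set "check_sysvol=!full_path:System Volume Information=!"
    if not "!check_sysvol!"=="!full_path!" set "is_forbidden=1"
    
    :: Anything under the user profile or on a drive other than C: is allowed
    set "check_user_path=!full_path:%user_profile_path%=!"
    if !is_forbidden! equ 0 if /i not "!check_user_path!"=="!full_path!" goto :security_passed
    if !is_forbidden! equ 0 if /i not "%~d1"=="C:" goto :security_passed
    
    :: Everything else on C: (root, Windows, Program Files, ProgramData) is refused
    set "is_forbidden=1"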
    
    if !is_forbidden! equ 1 (
        echo ========================== WARNING ==========================
        echo.
        echo File location: %~f1
        echo.
        echo This directory is a system folder.
        echo Encryption cannot be performed in this directory for security reasons.
        echo.
        echo Forbidden locations:
        echo    - C:\* root directory
        echo    - C:\Windows\*
        echo    - C:\Program Files\*
        echo    - C:\Program Files (x86^)\*
        echo    - C:\ProgramData\*
        echo    - System Volume Information (all drives^)
        echo    - $Recycle.Bin (all drives^)
        echo.
        echo Allowed locations:
        echo    - C:\Users\%username%\* (Desktop, Documents, Downloads, etc.^)
        echo    - D:\*, E:\*, F:\* (all other drives^)
        echo.
        echo ===========================================================
        echo.
        pause
        exit /b 1
    )
    :security_passed
    
    :: === Password Section (Optional) ===
    echo Please set a password for this file.
    echo (Press ENTER to skip encryption. The file will only be GZipped and base64 encoded.)
    echo.
    
    :: Get password securely using PowerShell (displays ***)
    echo Please enter your password (Optional^)
    set "user_pass="
    for /f "delims=" %%p in ('powershell -ExecutionPolicy Bypass -NoProfile -Command "$securePass=Read-Host -AsSecureString -Prompt 'Password (ENTER for none)'; $bstr=[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass); $password=[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); [void][System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr); [void]$securePass.Dispose(); Write-Output $password"') do (
        set "user_pass=%%p"
    )
    
    set "ENCRYPT_FLAG=1"
    if "!user_pass!"=="" (
        set "ENCRYPT_FLAG=0"
        echo.
        echo No password set. File will NOT be encrypted.
    ) else (
        echo.
        echo Password set. Please do not forget it.
    )
    echo.
    :: === Password Section End ===
    
    set "src_file=%~1"
    set "src_name=%~nx1"
    set "output_name_only=%~n1"
    set "output_cmd=%~dp1%output_name_only%_decode.cmd"
    set "temp_b64=%~dp1%~n1.b64"
    
    if exist "%output_cmd%" (
        echo Found existing decode file. Removing read-only attribute...
        attrib -R "%output_cmd%"
        echo.
    )
    
    echo ================== ENCODE PROCESS ==================
    echo Source file    : %src_name%
    for %%F in ("%src_file%") do set "src_size=%%~zF"
    if "%src_size%"=="" set "src_size=0"
    
    if "%src_size%"=="0" (
        echo.
        echo ERROR: File not found or file size is 0 bytes.
        echo Checked path: "%src_file%"
        echo.
        echo If the filename contains spaces, ensure you use quotes in the command line:
        echo Example: %~n0 "My File.pdf"
        echo Or simply drag and drop the file onto the .bat file.
        echo.
        pause
        exit /b
    )
    
    set /a "b64_mb=%src_size% / 1048576"
    set /a "b64_kb=(%src_size% %% 1048576) / 1024"
    if %src_size% GEQ 1048576 (
        echo Source dimension: !b64_mb!.!b64_kb! MB ^(!src_size! bytes^)
    ) else (
        set /a "b64_kb=%src_size% / 1024"
        echo Source dimension: !b64_kb! KB ^(!src_size! bytes^)
    )
    for /f "delims=" %%H in ('certutil -hashfile "%src_file%" SHA256 ^| findstr /v "hash" ^| findstr /r /v "^$"') do set "src_sha=%%H"
    set "src_sha=%src_sha: =%"
    echo Source SHA256    : %src_sha%
    echo.
    
    :: === Optional Encryption Block ===
    if "!ENCRYPT_FLAG!"=="1" (
        echo "Compressing, Encrypting (AES-256), and Encoding to Base64..."
        :: AES ENCRYPTED PATH
        powershell -ExecutionPolicy Bypass -NoProfile -Command "$_m=[math]; $password=$env:user_pass; $sw=[Diagnostics.Stopwatch]::StartNew(); $file='%src_file%'; $out='%temp_b64%'; $bytes=[IO.File]::ReadAllBytes($file); $originalSize=$bytes.Length; Write-Host 'Original size    : ' -NoNewline; if($originalSize -ge 1MB){ Write-Host ('{0:F2} MB ({1} bytes)' -f ($originalSize/1MB),$originalSize) }else{ Write-Host ('{0:F2} KB ({1} bytes)' -f ($originalSize/1KB),$originalSize) }; $ms=New-Object IO.MemoryStream; $gz=New-Object IO.Compression.GZipStream -ArgumentList @($ms,[IO.Compression.CompressionMode]::Compress); $gz.Write($bytes,0,$bytes.Length); $gz.Close(); $compressed=$ms.ToArray(); $ms.Close(); $bytes=0; $compressedSize=$compressed.Length; Write-Host 'Compressed size    : ' -NoNewline; if($compressedSize -ge 1MB){ Write-Host ('{0:F2} MB ({1} bytes)' -f ($compressedSize/1MB),$compressedSize) }else{ Write-Host ('{0:F2} KB ({1} bytes)' -f ($compressedSize/1KB),$compressedSize) }; $ratio=$_m::Round((1-($compressedSize/$originalSize))*100,1); Write-Host ('Compression    : {0}%%' -f $ratio); Write-Host ''; $salt=New-Object byte[] 16; (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($salt); $iv=New-Object byte[] 16; (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($iv); $kdf=New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList @($password, $salt, 10000); $key=$kdf.GetBytes(32); $aes=[System.Security.Cryptography.Aes]::Create(); $aes.Mode='CBC'; $aes.Padding='PKCS7'; $aes.Key=$key; $aes.IV=$iv; $encryptor=$aes.CreateEncryptor(); $msCrypt=New-Object IO.MemoryStream; $cs=New-Object System.Security.Cryptography.CryptoStream -ArgumentList @($msCrypt, $encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write); $cs.Write($compressed, 0, $compressed.Length); $cs.FlushFinalBlock(); $cs.Close(); $encryptedData=$msCrypt.ToArray(); $msCrypt.Close(); $compressed=0; $aes.Clear(); Write-Host \"`rProgress: [\" ('='*30) \"] 100%%\"; $txtOut=New-Object IO.StreamWriter -ArgumentList @($out,[System.Text.Encoding]::Default); $txtOut.WriteLine('-----BEGIN CERTIFICATE-----'); $txtOut.Flush(); $b64t = New-Object System.Security.Cryptography.ToBase64Transform; $b64Stream=New-Object System.Security.Cryptography.CryptoStream -ArgumentList @($txtOut.BaseStream, $b64t, [System.Security.Cryptography.CryptoStreamMode]::Write, $true); $b64Stream.Write($salt,0,$salt.Length); $b64Stream.Write($iv,0,$iv.Length); $b64Stream.Write($encryptedData,0,$encryptedData.Length); $b64Stream.FlushFinalBlock(); $b64Stream.Close(); $txtOut.WriteLine(); $txtOut.WriteLine('-----END CERTIFICATE-----'); $txtOut.Close(); $sw.Stop(); $ts=$sw.Elapsed; if($ts.TotalMinutes -ge 1){ Write-Host ('Time: {0} minute {1:F0} seconds' -f $_m::Floor($ts.TotalMinutes),$ts.Seconds) }else{ Write-Host ('Time: {0:F2} seconds' -f $ts.TotalSeconds) }"
    ) else (
        echo "Compressing and Encoding to Base64 (No Encryption)..."
        :: UNENCRYPTED PATH (GZip + Base64 Only)
        powershell -ExecutionPolicy Bypass -NoProfile -Command "$_m=[math]; $sw=[Diagnostics.Stopwatch]::StartNew(); $file='%src_file%'; $out='%temp_b64%'; $bytes=[IO.File]::ReadAllBytes($file); $originalSize=$bytes.Length; Write-Host 'Original size    : ' -NoNewline; if($originalSize -ge 1MB){ Write-Host ('{0:F2} MB ({1} bytes)' -f ($originalSize/1MB),$originalSize) }else{ Write-Host ('{0:F2} KB ({1} bytes)' -f ($originalSize/1KB),$originalSize) }; $ms=New-Object IO.MemoryStream; $gz=New-Object IO.Compression.GZipStream -ArgumentList @($ms,[IO.Compression.CompressionMode]::Compress); $gz.Write($bytes,0,$bytes.Length); $gz.Close(); $compressed=$ms.ToArray(); $ms.Close(); $bytes=0; $compressedSize=$compressed.Length; Write-Host 'Compressed size    : ' -NoNewline; if($compressedSize -ge 1MB){ Write-Host ('{0:F2} MB ({1} bytes)' -f ($compressedSize/1MB),$compressedSize) }else{ Write-Host ('{0:F2} KB ({1} bytes)' -f ($compressedSize/1KB),$compressedSize) }; $ratio=$_m::Round((1-($compressedSize/$originalSize))*100,1); Write-Host ('Compression    : {0}%%' -f $ratio); Write-Host ''; Write-Host \"`rProgress: [\" ('='*30) \"] 100%%\"; $txtOut=New-Object IO.StreamWriter -ArgumentList @($out,[System.Text.Encoding]::Default); $txtOut.WriteLine('-----BEGIN CERTIFICATE-----'); $txtOut.Flush(); $b64t = New-Object System.Security.Cryptography.ToBase64Transform; $b64Stream=New-Object System.Security.Cryptography.CryptoStream -ArgumentList @($txtOut.BaseStream, $b64t, [System.Security.Cryptography.CryptoStreamMode]::Write, $true); $b64Stream.Write($compressed,0,$compressed.Length); $b64Stream.FlushFinalBlock(); $b64Stream.Close(); $txtOut.WriteLine(); $txtOut.WriteLine('-----END CERTIFICATE-----'); $txtOut.Close(); $sw.Stop(); $ts=$sw.Elapsed; if($ts.TotalMinutes -ge 1){ Write-Host ('Time: {0} minute {1:F0} seconds' -f $_m::Floor($ts.TotalMinutes),$ts.Seconds) }else{ Write-Host ('Time: {0:F2} seconds' -f $ts.TotalSeconds) }"
    )
    
    :: Report the size of the Base64 file itself, not of the source file
    for %%F in ("%temp_b64%") do set "b64_size=%%~zF"
    set /a "b64_mb=!b64_size! / 1048576"
    set /a "b64_kb=(!b64_size! %% 1048576) / 1024"
    if !b64_size! GEQ 1048576 (
        echo B64 file size    : !b64_mb!.!b64_kb! MB ^(!b64_size! bytes^)
    ) else (
        set /a "b64_kb=!b64_size! / 1024"
        echo B64 file size    : !b64_kb! KB ^(!b64_size! bytes^)
    )
    echo ================== ENCODE PROCESS ==================
    
    :: === Create Decoder Script ===
    echo @echo off > "%output_cmd%"
    echo title Base64 Encrypt ^^^& Decrypt (AES-256 Encrypted) >> "%output_cmd%"
    echo setlocal enabledelayedexpansion >> "%output_cmd%"
    echo pushd %%~dp0 >> "%output_cmd%"
    echo set "file=%src_name%" >> "%output_cmd%"
    echo set "expected_sha=%src_sha%" >> "%output_cmd%"
    echo set "IS_ENCRYPTED=!ENCRYPT_FLAG!" >> "%output_cmd%"
    echo echo. >> "%output_cmd%"
    echo echo Base64 Encrypt ^^^& Decrypt (AES-256 Encrypted)>> "%output_cmd%"
    echo echo. >> "%output_cmd%"
    echo echo https://github.com/abdullah-erturk >> "%output_cmd%"
    echo echo. >> "%output_cmd%"
    echo echo ================== DECODE PROCESS ================== >> "%output_cmd%"
    echo echo Target file    : %%file%% >> "%output_cmd%"
    echo echo. >> "%output_cmd%"
    echo. >> "%output_cmd%"
    echo powershell -ExecutionPolicy Bypass -NoProfile -Command "$_m=[math]; $ProgressPreference='SilentlyContinue'; $sw=[Diagnostics.Stopwatch]::StartNew(); $c=$false; $sb=New-Object System.Text.StringBuilder -ArgumentList 2000000; $lines=@(Get-Content '%%~f0'); $t=$lines.Count; $i=0; $lp=-1; foreach($ln in $lines){ $i++; if($ln -eq '-----BEGIN CERTIFICATE-----'){ $c=$true; continue } if($ln -eq '-----END CERTIFICATE-----'){ $c=$false; break } if($c){ [void]$sb.Append($ln) } $pct=$_m::Floor(($i/$t)*100); if($pct -ne $lp -and ($pct %%%% 5) -eq 0){ $barLen=$_m::Min(30,$_m::Floor($pct/2)); $bar='='*$barLen; $space=' '*(30-$barLen); Write-Host `rProgress: [$bar$space] $pct%%%% -NoNewline; $lp=$pct } } Write-Host `rProgress: [ ('='*30) ] 100%%%%; try { $combinedData=[Convert]::FromBase64String($sb.ToString()); if($env:IS_ENCRYPTED -eq "1") { Write-Host 'This file is password protected.'; $securePass=Read-Host -Prompt 'Please enter password' -AsSecureString; $bstr=[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass); $password=[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr); [void][System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr); [void]$securePass.Dispose(); $salt=New-Object byte[] 16; $iv=New-Object byte[] 16; $encryptedData=New-Object byte[] ($combinedData.Length - 32); [Array]::Copy($combinedData, 0, $salt, 0, 16); [Array]::Copy($combinedData, 16, $iv, 0, 16); [Array]::Copy($combinedData, 32, $encryptedData, 0, $encryptedData.Length); $kdf=New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList @($password, $salt, 10000); $key=$kdf.GetBytes(32); $aes=[System.Security.Cryptography.Aes]::Create(); $aes.Mode='CBC'; $aes.Padding='PKCS7'; $aes.Key=$key; $aes.IV=$iv; $decryptor=$aes.CreateDecryptor(); $msCrypt=New-Object IO.MemoryStream -ArgumentList (,$encryptedData); $cs=New-Object System.Security.Cryptography.CryptoStream -ArgumentList @($msCrypt, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Read); $msDecompressed=New-Object IO.MemoryStream; $buffer = New-Object byte[] 4096; while (($read = $cs.Read($buffer, 0, $buffer.Length)) -gt 0) { $msDecompressed.Write($buffer, 0, $read) }; $compressed=$msDecompressed.ToArray(); $msCrypt.Close(); $cs.Close(); $msDecompressed.Close(); $aes.Clear(); } else { Write-Host 'File is not encrypted, decompressing...'; $compressed=$combinedData; } $ms=New-Object IO.MemoryStream -ArgumentList (,$compressed); $gz=New-Object IO.Compression.GZipStream -ArgumentList @($ms,[IO.Compression.CompressionMode]::Decompress); $output=New-Object IO.MemoryStream; $buffer = New-Object byte[] 4096; while (($read = $gz.Read($buffer, 0, $buffer.Length)) -gt 0) { $output.Write($buffer, 0, $read) }; $decompressed=$output.ToArray(); $gz.Close(); $ms.Close(); $output.Close(); [IO.File]::WriteAllBytes('%%file%%',$decompressed); $sw.Stop(); $ts=$sw.Elapsed; if($ts.TotalMinutes -ge 1){ Write-Host ('Time: {0} minute {1:F0} seconds' -f $_m::Floor($ts.TotalMinutes),$ts.Seconds) }else{ Write-Host ('Time: {0:F2} seconds' -f $ts.TotalSeconds) }; if(Test-Path '%%file%%'){ Write-Host 'SUCCESSFUL    : %%file%% created' } } catch [System.Security.Cryptography.CryptographicException] { Write-Host `nERROR: Wrong password or corrupted file. -ForegroundColor Red } catch { Write-Host `nUNEXPECTED ERROR: $_ -ForegroundColor Red }" >> "%output_cmd%"
    echo. >> "%output_cmd%"
    echo powershell -ExecutionPolicy Bypass -NoProfile -Command "if(Test-Path '%%file%%') { $sha = (Get-FileHash -Algorithm SHA256 '%%file%%').Hash; if($sha -eq '%src_sha%'){ Write-Host 'SHA256 VERIFIED    : File integrity OK.' }else{ Write-Host 'SHA256 MISMATCH: File may be corrupted.' } }" >> "%output_cmd%"
    echo. >> "%output_cmd%"
    echo echo ================== DECODE PROCESS ================== >> "%output_cmd%"
    echo echo. >> "%output_cmd%"
    echo. >> "%output_cmd%"
    echo pause >> "%output_cmd%"
    echo goto :eof >> "%output_cmd%"
    
    type "%temp_b64%" >> "%output_cmd%"
    del "%temp_b64%"
    
    attrib +R "%output_cmd%"
    
    echo.
    echo The ReadOnly attribute is set for the Decode File.
    echo.
    echo Decode File: %output_cmd%
    echo.
    pause
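
The container layout the script above produces can be read as data, without executing the `.cmd`. This is an added example, not part of the original post or the project; the function name `Get-DecodeCmdInfo` and the sample file are constructed for illustration.

```powershell
# Added example: inspect a *_decode.cmd without running it.
# Layout assumed from the encoder above: Base64 between the CERTIFICATE marker lines;
# with a password the decoded bytes are salt(16) | IV(16) | AES-256-CBC(GZip(file)).
function Get-DecodeCmdInfo {
    param([Parameter(Mandatory = $true)][string]$Path)

    $lines = [IO.File]::ReadAllLines($Path)

    # The marker strings also occur inside the decoder's own PowerShell line,
    # so only whole-line matches count as payload boundaries
    $begin = [Array]::IndexOf($lines, '-----BEGIN CERTIFICATE-----')
    $end   = [Array]::IndexOf($lines, '-----END CERTIFICATE-----')
    if ($begin -lt 0 -or $end -le $begin + 1) { throw 'No payload block found' }

    # Header values the encoder writes in clear text ahead of the payload
    $header = ($lines | Select-Object -First $begin) -join "`n"
    $name = $null; $expected = $null
    if ($header -match '(?m)^set "file=(.*?)"')                  { $name = $Matches[1] }
    if ($header -match '(?m)^set "expected_sha=([0-9A-Fa-f]+)"') { $expected = $Matches[1] }
    $encrypted = $header -match '(?m)^set "IS_ENCRYPTED=1"'

    $data = [Convert]::FromBase64String((-join ($lines[($begin + 1)..($end - 1)])))
    $info = @{ OriginalName = $name; ExpectedSha256 = $expected
               Encrypted = $encrypted; PayloadBytes = $data.Length }

    if ($encrypted) {
        if ($data.Length -le 32) { throw 'Encrypted payload shorter than salt + IV' }
        $info.Salt = [BitConverter]::ToString($data, 0, 16)
        $info.IV   = [BitConverter]::ToString($data, 16, 16)
        $info.CiphertextBytes = $data.Length - 32
        # CBC with PKCS7 padding always yields a whole number of 16-byte blocks
        $info.WholeBlocks = (($data.Length - 32) % 16) -eq 0
    } else {
        # No password: the payload is only GZip + Base64, so it can be unpacked and hashed here
        $ms  = New-Object IO.MemoryStream (,$data)
        $gz  = New-Object IO.Compression.GZipStream ($ms, [IO.Compression.CompressionMode]::Decompress)
        $sha = [Security.Cryptography.SHA256]::Create()
        $buf = New-Object byte[] 65536
        $total = 0
        while (($n = $gz.Read($buf, 0, $buf.Length)) -gt 0) {
            [void]$sha.TransformBlock($buf, 0, $n, $null, 0); $total += $n
        }
        [void]$sha.TransformFinalBlock($buf, 0, 0)
        $gz.Close()
        $actual = [BitConverter]::ToString($sha.Hash) -replace '-', ''
        $info.ContentBytes = $total
        $info.ActualSha256 = $actual
        $info.HashMatches  = ($actual -eq $expected)   # -eq ignores hex case
    }
    New-Object PSObject -Property $info
}

# --- constructed sample: a container built the way the no-password path builds it ---
$plain = [Text.Encoding]::ASCII.GetBytes('constructed sample content')
$ms = New-Object IO.MemoryStream
$gz = New-Object IO.Compression.GZipStream ($ms, [IO.Compression.CompressionMode]::Compress)
$gz.Write($plain, 0, $plain.Length); $gz.Close()
$b64  = [Convert]::ToBase64String($ms.ToArray())
$hash = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($plain)) -replace '-', ''
$sample = Join-Path $env:TEMP 'sample_decode.cmd'
@('@echo off', 'set "file=sample.txt" ', "set `"expected_sha=$hash`" ", 'set "IS_ENCRYPTED=0" ',
  'goto :eof', '-----BEGIN CERTIFICATE-----', $b64, '', '-----END CERTIFICATE-----') |
    Set-Content -Path $sample -Encoding ASCII

Get-DecodeCmdInfo -Path $sample | Format-List
```

The original file name and the SHA-256 of the plaintext sit in clear text in every generated file, and a payload with `IS_ENCRYPTED=0` is recoverable by anyone who holds it.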
    
     
  2. Carlos Detweiller

    Carlos Detweiller Emperor of Ice-Cream
    Staff Member

    Dec 21, 2012
    7,613
    9,490
    240
    Really cool. :cool:

    Maybe very useful would be if it could also do optional splitting of the target file, for transportation over mobile media.
     
  3. abbodi1406

    abbodi1406 MDL KB0000001

    Feb 19, 2011
    17,992
    96,064
    340
    Win10+ certutil does not include spaces in hash
    powershell 4.0+ does not include it either
    running on Win8.1 will give false "SHA256 MISMATCH" because comparing hash without spaces vs. hash with spaces

    you can remove certutil spaces with extra command:
    Code:
    set "src_sha=%src_sha: =%"
    and for powershell:
    Code:
    $sha = (Get-FileHash -Algorithm SHA256 '%file%').Hash.Replace(' ','')
    +
    only powershell 5.0+ supports the ::new operator for creating objects
    previous versions require New-Object or [Activator]::CreateInstance

    IO.Compression.GZipStream CopyTo method is supported for PS 3.0+
     
  4. drew84

    drew84 MDL Expert

    Mar 13, 2014
    1,437
    2,483
    60
    strange? All of his links now showing as 404 on GitHub
     
  5. mephistooo2

    mephistooo2 MDL Member

    Feb 5, 2008
    107
    181
    10
    #5 mephistooo2, Oct 31, 2025 at 16:46
    Last edited: Oct 31, 2025 at 16:53
    (OP)
    My GitHub account was suspended for no reason.

    I'm trying to recover my account.

    I've added the source code to the thread.
     
  6. Carlos Detweiller

    Carlos Detweiller Emperor of Ice-Cream
    Staff Member

    Dec 21, 2012
    7,613
    9,490
    240
    Well, you know who owns Github? :(
     
  7. mephistooo2

    mephistooo2 MDL Member

    Feb 5, 2008
    107
    181
    10
    #7 mephistooo2, Oct 31, 2025 at 18:17
    Last edited: Oct 31, 2025 at 18:26
    (OP)
    I sent an email to GitHub support.

    I'm waiting for a response.

    @abbodi1406 I corrected the code according to your suggestion

    The certutil command assigns the hash (perhaps with spaces) to the src_sha variable.

    The set "src_sha=%src_sha: =%" command removes all spaces from this variable.

    Thus, the expected_sha variable is written to the _decode.cmd file as clean and without spaces.

    When the decoder script runs, the Get-FileHash command also produces a clean hash without spaces in modern PowerShell.

    As a result, the comparison ($sha -eq '%src_sha%') now compares two clean strings and correctly returns the SHA256 VERIFIED message.

    This eliminates the need to add .Replace(' ','') on the PowerShell side since the data to be compared has already been cleared by the encoder.
     
  8. 12 lb Turkey

    12 lb Turkey MDL Member

    Nov 24, 2022
    159
    104
    10
    Prolly for hosting a TSF activation script... on GitHub. MS won't tolerate it.
     
  9. Carlos Detweiller

    Carlos Detweiller Emperor of Ice-Cream
    Staff Member

    Dec 21, 2012
    7,613
    9,490
    240
    Seems to be back.
     
  10. mephistooo2

    mephistooo2 MDL Member

    Feb 5, 2008
    107
    181
    10
    #10 mephistooo2, Nov 1, 2025 at 18:14
    Last edited: Nov 1, 2025 at 18:41
    (OP)
    v2 updated

    Changelog:

    Installer & Right-Click Menu Added
    Added an installer wizard that runs on double-click. It adds or removes the "Encrypt File (Secure Encode with AES-256)" option from the Windows right-click context menu.

    Administrator Privileges
    The script now automatically requests Administrator (UAC) privileges to handle registry and `C:\Windows` access required for installation/uninstallation.

    Directory Security Check
    A robust security check was added to prevent accidental encryption of files in critical system folders like `C:\Windows`, `C:\Program Files`, and the `C:\` root.

    Read-Only Attribute Handling
    The script now automatically removes the "Read-Only" attribute from an existing `_decode.cmd` file before overwriting it and sets the new file to "Read-Only" upon completion. Thus, the security of the encrypted data is partially ensured.

    abdullah-erturk/Secure-Encode: Secure Encode

    ----------------------------------

    If you are looking for an advanced encryption program that also has a folder encryption feature, you can also review my work:

    abdullah-erturk/Encryption-Decryption-Tool: Easily encrypt and decrypt any file or folder you want in Windows environment.
     
  11. MatthewJames

    MatthewJames MDL Novice

    Oct 22, 2025
    6
    1
    0
    I can find it useful to transfer files securely, without worrying about external tools
    didn't think to do it in the past, but now, interesting option
     
  12. Sajjo

    Sajjo MDL Member

    Feb 6, 2018
    2,943
    4,144
    90
    Very cool approach.
    Is there a size limit?
    Ran it on a small iso ~ 50 MB (with Windows 7) and it does as advertised :good3:
    Isn't the split file option in tools like 7z a viable option?

    For the purist: you get exact same file but date/time stamp will not reflect original.
    No biggie btw ;)

    Thumbs up :)

    :sun:
     
  13. mephistooo2

    mephistooo2 MDL Member

    Feb 5, 2008
    107
    181
    10
    When encoding to base64, the actual file data grows by almost 33%, which means increased RAM usage for decoding. For this reason, the size limit generally caused problems above 1.5 GB in my tests. However, it works fine up to 1 GB.

    I'm currently exploring ways to completely disable base64 encoding, compress only files using Gzip, and encrypt them with AES-256. (With the help of AI :D) If I can manage it, we'll be able to bypass the file size limit. This will allow us to use an encryption method like AES-256 only with cmd commands.
     
  14. MatthewJames

    MatthewJames MDL Novice

    Oct 22, 2025
    6
    1
    0
    the solution you're looking for is... RAR format :D
     
  15. mephistooo2

    mephistooo2 MDL Member

    Feb 5, 2008
    107
    181
    10
    My goal is to do this with Windows' native codes without any software dependency. :)
     
  16. Carlos Detweiller

    Carlos Detweiller Emperor of Ice-Cream
    Staff Member

    Dec 21, 2012
    7,613
    9,490
    240
    #16 Carlos Detweiller, Nov 2, 2025 at 17:33
    Last edited: Nov 2, 2025 at 17:41
    RAR format is proprietary commercial.

    Why don't you split the file into 1GB blocks, and process these individually? Would result in ~1.33GB target files in the end, and solve the memory issue.

    Processing in chunks is the common solution when working with large files.
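
Chunked processing as suggested above, written as chained .NET streams so the file is never held in memory. This is an added example, not code from the thread or the project; the function names and the raw `salt | IV | ciphertext` output layout (no Base64) are assumptions.

```powershell
# Added example: GZip + AES-256-CBC from file to file through chained streams, so
# memory use stays at one buffer however large the input is. Key derivation
# (PBKDF2, 10,000 iterations, 32-byte key) follows the script in this thread.
function New-AesFromPassword {
    param([string]$Password, [byte[]]$Salt, [byte[]]$IV)
    $kdf = New-Object Security.Cryptography.Rfc2898DeriveBytes ($Password, $Salt, 10000)
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = $kdf.GetBytes(32); $aes.IV = $IV
    $aes
}

# Copy in 1 MB chunks; optionally feed every chunk into an incremental hash
function Copy-Stream {
    param($From, $To, $Hash)
    $buf = New-Object byte[] 1048576
    while (($n = $From.Read($buf, 0, $buf.Length)) -gt 0) {
        $To.Write($buf, 0, $n)
        if ($Hash) { [void]$Hash.TransformBlock($buf, 0, $n, $null, 0) }
    }
    if ($Hash) { [void]$Hash.TransformFinalBlock($buf, 0, 0) }
}

function Protect-FileStreamed {
    param([string]$InPath, [string]$OutPath, [string]$Password)
    $rng  = New-Object Security.Cryptography.RNGCryptoServiceProvider
    $salt = New-Object byte[] 16; $rng.GetBytes($salt)
    $iv   = New-Object byte[] 16; $rng.GetBytes($iv)
    $aes  = New-AesFromPassword $Password $salt $iv
    $in   = [IO.File]::OpenRead($InPath)
    $out  = [IO.File]::Create($OutPath)
    try {
        $out.Write($salt, 0, 16); $out.Write($iv, 0, 16)
        $cs = New-Object Security.Cryptography.CryptoStream ($out, $aes.CreateEncryptor(), [Security.Cryptography.CryptoStreamMode]::Write)
        $gz = New-Object IO.Compression.GZipStream ($cs, [IO.Compression.CompressionMode]::Compress)
        Copy-Stream $in $gz
        $gz.Close()    # flushes GZip, writes the final AES block, closes $out
    } finally { $in.Close(); $out.Close(); $aes.Clear() }
}

# Returns the SHA-256 (hex) of the recovered content, computed while it is written
function Unprotect-FileStreamed {
    param([string]$InPath, [string]$OutPath, [string]$Password)
    $in = [IO.File]::OpenRead($InPath); $out = $null; $aes = $null
    try {
        $salt = New-Object byte[] 16; $iv = New-Object byte[] 16
        if ($in.Read($salt, 0, 16) -ne 16 -or $in.Read($iv, 0, 16) -ne 16) { throw 'Truncated header' }
        $aes = New-AesFromPassword $Password $salt $iv
        $cs  = New-Object Security.Cryptography.CryptoStream ($in, $aes.CreateDecryptor(), [Security.Cryptography.CryptoStreamMode]::Read)
        $gz  = New-Object IO.Compression.GZipStream ($cs, [IO.Compression.CompressionMode]::Decompress)
        $sha = [Security.Cryptography.SHA256]::Create()
        $out = [IO.File]::Create($OutPath)
        Copy-Stream $gz $out $sha
        [BitConverter]::ToString($sha.Hash) -replace '-', ''
    } catch {
        # Wrong password or damaged data: do not leave a partial output file behind
        if ($out) { $out.Close() }
        Remove-Item -LiteralPath $OutPath -ErrorAction SilentlyContinue
        throw
    } finally { if ($out) { $out.Close() }; $in.Close(); if ($aes) { $aes.Clear() } }
}

# --- round trip on a constructed sample file ---
$src = Join-Path $env:TEMP 'streamed_sample.bin'
[IO.File]::WriteAllBytes($src, [Text.Encoding]::ASCII.GetBytes('constructed sample ' * 50000))
$enc = "$src.enc"; $dec = "$src.out"
Protect-FileStreamed $src $enc 'constructed-passphrase'
$hash = Unprotect-FileStreamed $enc $dec 'constructed-passphrase'
$orig = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash([IO.File]::ReadAllBytes($src))) -replace '-', ''
"Round trip SHA-256 match: $($hash -eq $orig)"
```

CBC carries no authentication tag, so in this layout the SHA-256 comparison after decryption remains the only integrity check.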
     