Skip to main content

How to Base64 Decode a String in Batch Script

Base64 is a common encoding scheme used to represent binary data as plain ASCII text. You will often encounter it in API responses, configuration files, or data streams where a password, a key, or even a small file needs to be safely embedded in a text format. While batch scripting has no native function to decode Base64, it can control a powerful, built-in Windows utility, certutil, to perform the conversion.

This guide will teach you the standard, file-based method for decoding a Base64 string using certutil. More importantly, it will demonstrate the vastly superior and simpler modern approach using a PowerShell one-liner, which is the recommended method for its efficiency and reliability.

The Challenge: No Native Base64 Decoder

The cmd.exe interpreter has no built-in understanding of Base64. To a batch script, a string like SGVsbG8gV29ybGQ= is just a sequence of characters. To decode it, we must pass this string to an external tool that understands the Base64 algorithm. Fortunately, modern Windows includes such tools by default.

The Core Method: Using certutil (File-Based)

The certutil.exe command is a powerful utility for managing certificate services, but it includes several handy encoding and decoding functions. Its primary limitation is that it is file-based; it can decode a file, but not a string directly from a variable.

The Syntax: certutil -decode "InputFile.b64" "OutputFile.txt"

This command reads the Base64 content from InputFile.b64, decodes it, and writes the resulting raw data to OutputFile.txt.

The Process: How the certutil Method Works

To use certutil in a script, we must follow a four-step process:

  1. Write to Temp File: ECHO the Base64 string into a temporary input file.
  2. Decode: Run certutil -decode on the temporary input file to create a temporary output file.
  3. Read from Temp File: Read the decoded plain text from the temporary output file into a variable.
  4. Cleanup: Delete both temporary files.
@ECHO OFF
SET "B64_STRING=SGVsbG8gV29ybGQ="
SET "DECODED_STRING="

REM Define temporary file paths
SET "TEMP_IN=%TEMP%\temp_base64_in.b64"
SET "TEMP_OUT=%TEMP%\temp_base64_out.txt"

ECHO Decoding the string: %B64_STRING%
ECHO.

REM Step 1: Write the string to a temp file
ECHO %B64_STRING%>"%TEMP_IN%"

REM Step 2: Decode the file to an output file
certutil -decode "%TEMP_IN%" "%TEMP_OUT%" > NUL

REM Step 3: Read the decoded content from the output file into a variable
REM SET /P reads only the first line of a file.
SET /P "DECODED_STRING=" < "%TEMP_OUT%"

REM Step 4: Clean up the temporary files
DEL "%TEMP_IN%"
DEL "%TEMP_OUT%"

ECHO Decoded string is: "%DECODED_STRING%"

Output:

Decoding the string: SGVsbG8gV29ybGQ=

Decoded string is: "Hello World"

For any modern Windows system, calling PowerShell is a far more efficient and direct solution. PowerShell can decode Base64 strings entirely in memory, completely avoiding the need for temporary files.

This one-liner, executed from a batch script, replaces the entire four-step certutil process.

@ECHO OFF
SET "B64_STRING=SGVsbG8gV29ybGQ="
SET "DECODED_STRING="

ECHO Decoding with PowerShell...

FOR /F "delims=" %%V IN (
    'powershell -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('%B64_STRING%'))"'
) DO (
    SET "DECODED_STRING=%%V"
)

ECHO Decoded string is: "%DECODED_STRING%"

This method is cleaner, faster, and less prone to errors from file system interactions.

Common Pitfalls and How to Solve Them

File I/O Overhead and Temporary Files

The certutil method is significantly slower than the PowerShell method because it has to write to and read from the hard disk multiple times. This disk I/O (Input/Output) is a major performance bottleneck.

Solution: For performance-sensitive scripts or any script that performs many decoding operations, the PowerShell method is strongly recommended.

Handling Line Endings

The ECHO command in the certutil method adds a carriage return and line feed (CR/LF) to the end of the temporary input file. While certutil is generally smart enough to ignore this trailing whitespace, it can be a source of subtle bugs with some Base64 strings.

Solution: The PowerShell method avoids this problem entirely by never writing the string to a file, making it more reliable.

Practical Example: Decoding a Configuration String

This script simulates retrieving a Base64-encoded username from a configuration source and then using the decoded value. It uses the recommended PowerShell method for efficiency.

@ECHO OFF
SETLOCAL

REM Imagine this value was read from a config file or API response
SET "ENCODED_USER=YWRtaW5pc3RyYXRvcg=="
SET "DECODED_USER="

ECHO --- Secure Configuration Loader ---
ECHO.
ECHO Decoding user credential...

FOR /F "delims=" %%U IN (
    'powershell -NoProfile -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('%ENCODED_USER%'))"'
) DO (
    SET "DECODED_USER=%%U"
)

IF DEFINED DECODED_USER (
    ECHO [SUCCESS] User decoded.
    ECHO.
    ECHO Simulating connection with user: %DECODED_USER%
) ELSE (
    ECHO [FAILURE] Could not decode the user string.
)

ENDLOCAL

Output:

--- Secure Configuration Loader ---

Decoding user credential...
[SUCCESS] User decoded.

Simulating connection with user: administrator

Conclusion

While batch scripting lacks a native command for Base64 decoding, modern Windows provides two excellent built-in utilities that can be controlled from a batch file.

  • The certutil method is the "pure" approach that works on most systems, but it is cumbersome, slow, and relies on creating and deleting temporary files.
  • The PowerShell method is the overwhelmingly superior and recommended choice. It is faster, safer, and works directly with strings in memory, avoiding all the pitfalls of the file-based approach.

For any modern scripting task, the PowerShell one-liner is the most professional and reliable way to decode Base64 strings.

Table of Contents