How to Retrieve the Password of a Saved Wi-Fi Network in Batch Script
Have you ever forgotten the password to a Wi-Fi network your computer is already connected to? Instead of digging through deep Windows settings or checking the back of a router, you can retrieve the clear-text password in seconds using a simple Batch script. This technique uses the netsh utility to read the wireless profile information that Windows stores on the system.
This guide will explain how to use the netsh wlan command to view saved Wi-Fi passwords and how to automate the process for every network saved on your PC, with scripts that work across all Windows display languages.
The Core Command: Netsh WLAN Key=Clear
The standard command to view a Wi-Fi profile is netsh wlan show profile. By default, this command hides the password for security reasons. To reveal it, you must append the key=clear parameter.
Basic Retrieval Method
To see the password for a specific network (e.g., "Home_WiFi"), run this in an elevated command prompt:
netsh wlan show profile name="Home_WiFi" key=clear
In the output, look for the line that contains the actual password. On English Windows, this line is labeled Key Content. On non-English Windows, the label is translated (e.g., "Contenido de la clave" in Spanish, "Contenuto chiave" in Italian), but the structure is the same: it is the last field in the "Security settings" section and the only line whose value looks like a plain-text password string.
Method 1: Language-Independent Password Extraction
The biggest challenge with extracting the Wi-Fi password in Batch is that the label "Key Content" is translated on non-English Windows. However, we can exploit a structural fact: when you run netsh wlan show profile key=clear, the password line is the only line in the "Security settings" section that contains a plain-text value after a colon. More reliably, we can export the profile to XML (using key=clear) and parse the XML, where the tag name <keyMaterial> is language-independent.
Option A: XML-Based Extraction (Fully Language-Independent)
This method exports the profile to a temporary XML file and reads the <keyMaterial> tag, which contains the password and uses the same tag name in every Windows language.
@echo off
setlocal enabledelayedexpansion
set /p "targetSSID=Enter the Wi-Fi Profile Name: "
rem --- Admin check: key=clear requires elevation ---
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] This script must be run as Administrator to reveal passwords.
    endlocal
    pause
    exit /b 1
)
rem --- Verify the Wireless AutoConfig service is running ---
sc query WlanSvc 2>nul | findstr /i /c:"RUNNING" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Wireless AutoConfig service is not running.
    endlocal
    pause
    exit /b 1
)
rem --- Verify the profile exists ---
netsh wlan show profiles 2>nul | findstr /i /c:"!targetSSID!" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Profile "!targetSSID!" not found.
    echo [INFO] Available profiles:
    netsh wlan show profiles
    endlocal
    pause
    exit /b 1
)
rem --- Export the profile with key=clear into a private temporary directory ---
rem --- A dedicated directory avoids picking up unrelated XML files in TEMP ---
set "TempDir=%TEMP%\wifi_profile_temp_%RANDOM%"
mkdir "%TempDir%" >nul 2>&1
netsh wlan export profile name="!targetSSID!" folder="%TempDir%" key=clear >nul 2>&1
rem --- Find the exported file (filename format: Wi-Fi-ProfileName.xml) ---
set "XmlFile="
for %%f in ("%TempDir%\*.xml") do set "XmlFile=%%~f"
if not defined XmlFile (
    echo [ERROR] Failed to export profile to XML.
    rmdir /s /q "%TempDir%" >nul 2>&1
    endlocal
    pause
    exit /b 1
)
rem --- Extract the password from the <keyMaterial> tag ---
rem --- This tag name is language-independent (XML standard) ---
rem --- NOTE: XML-escaped characters such as the ampersand stay in escaped form, ---
rem --- and delayed expansion drops exclamation marks from the value ---
set "password="
for /f "delims=" %%a in (
    'findstr /i "keyMaterial" "!XmlFile!" 2^>nul'
) do (
    if not defined password (
        rem --- Keep the whole line, then strip the opening and closing tags ---
        set "line=%%a"
        set "line=!line:*<keyMaterial>=!"
        set "password=!line:</keyMaterial>=!"
    )
)
rem --- Clean up the temporary directory (the XML contains the plain-text password) ---
rmdir /s /q "%TempDir%" >nul 2>&1
if defined password (
    echo.
    echo ------------------------------------------
    echo Profile: !targetSSID!
    echo Password: !password!
    echo ------------------------------------------
) else (
    echo [INFO] No password found for "!targetSSID!".
    echo [INFO] This network may be open (no password^) or use Enterprise
    echo authentication where the key cannot be displayed.
)
endlocal
pause
The exported XML file uses standardized tag names (<keyMaterial>, <SSID>, <authentication>) that are identical in every Windows display language. Only the netsh console output labels are translated; the XML structure is not.
Option B: Console-Based Extraction (English Windows)
If you know your script will only run on English Windows, you can parse the console output directly by matching "Key Content":
@echo off
setlocal enabledelayedexpansion
set /p "targetSSID=Enter the Wi-Fi Profile Name: "
rem --- Admin check ---
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] This script must be run as Administrator.
    endlocal
    pause
    exit /b 1
)
rem --- Verify the profile exists ---
netsh wlan show profiles 2>nul | findstr /i /c:"!targetSSID!" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Profile "!targetSSID!" not found.
    endlocal
    pause
    exit /b 1
)
rem --- Extract the Key Content line ---
rem --- NOTE: "Key Content" is only valid on English Windows ---
set "password="
for /f "tokens=1,* delims=:" %%a in (
    'netsh wlan show profile name^="!targetSSID!" key^=clear 2^>nul ^| findstr /c:"Key Content"'
) do (
    if not defined password (
        set "password=%%b"
        rem --- Trim the leading space after the colon ---
        if defined password set "password=!password:~1!"
    )
)
if defined password (
    echo.
    echo ------------------------------------------
    echo Profile: !targetSSID!
    echo Password: !password!
    echo ------------------------------------------
) else (
    echo [INFO] No password found. Network may be open or use Enterprise auth.
)
endlocal
pause
This script searches for "Key Content", which is an English-only label. On non-English Windows, this findstr returns nothing and the password appears empty even though it exists. Use Option A for multilanguage support.
Method 2: List All Saved Wi-Fi Passwords
To create a recovery script that lists every password for every saved network, we need to extract profile names from netsh wlan show profiles and then query each one. The challenge is that profile names are listed after a colon on lines containing a language-specific label like "All User Profile" (English) or "Profilo tutti gli utenti" (Italian).
Language-Independent Approach Using XML Export
@echo off
setlocal enabledelayedexpansion
echo ============================================
echo Wi-Fi Password Recovery Tool
echo ============================================
echo.
rem --- Admin check ---
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] This script must be run as Administrator.
    endlocal
    pause
    exit /b 1
)
rem --- Verify Wi-Fi service ---
sc query WlanSvc 2>nul | findstr /i /c:"RUNNING" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Wireless AutoConfig service is not running.
    endlocal
    pause
    exit /b 1
)
rem --- Create a temporary directory for XML exports ---
set "TempDir=%TEMP%\wifi_export_%RANDOM%"
mkdir "%TempDir%" >nul 2>&1
rem --- Export ALL profiles with passwords in clear text ---
netsh wlan export profile folder="%TempDir%" key=clear >nul 2>&1
rem --- Check if any XML files were exported ---
set "HasFiles=0"
for %%f in ("%TempDir%\*.xml") do set "HasFiles=1"
if "!HasFiles!"=="0" (
    echo [INFO] No saved Wi-Fi profiles found.
    rmdir /s /q "%TempDir%" >nul 2>&1
    endlocal
    pause
    exit /b 0
)
echo Profile Name Password
echo ------------------------------ --------------------------
set "Count=0"
rem --- Process each exported XML file ---
for %%f in ("%TempDir%\*.xml") do (
    set "ssid="
    set "pass="
    rem --- Extract the profile name from the first name tag ---
    for /f "delims=" %%a in (
        'findstr /i "<name>" "%%~f" 2^>nul'
    ) do (
        if not defined ssid (
            rem --- Keep the whole line, then strip the opening and closing tags ---
            set "line=%%a"
            set "line=!line:*<name>=!"
            set "ssid=!line:</name>=!"
        )
    )
    rem --- Extract the password from the keyMaterial tag the same way ---
    for /f "delims=" %%a in (
        'findstr /i "keyMaterial" "%%~f" 2^>nul'
    ) do (
        if not defined pass (
            set "line=%%a"
            set "line=!line:*<keyMaterial>=!"
            set "pass=!line:</keyMaterial>=!"
        )
    )
    if defined ssid (
        if defined pass (
            echo !ssid!: !pass!
        ) else (
            echo !ssid!: [No password / Enterprise]
        )
        set /a Count+=1
    )
)
echo ------------------------------
echo !Count! profile^(s^) found.
rem --- Clean up: delete ALL temporary XML files (they contain plain-text passwords) ---
rmdir /s /q "%TempDir%" >nul 2>&1
echo.
echo [INFO] Temporary files have been deleted.
endlocal
pause
How this works:
- Export all profiles at once: Instead of trying to parse profile names from netsh wlan show profiles (where the label is translated), we export every profile to XML using netsh wlan export profile folder=... key=clear. This creates one XML file per profile.
- Extract from XML tags: The <name> tag contains the profile/SSID name and <keyMaterial> contains the password. Both tag names are language-independent.
- Cleanup: The temporary directory and all XML files are deleted at the end because they contain plain-text passwords.
Ethics and Security. This script should only be used to recover your own passwords or for legitimate IT support tasks on machines you are authorized to manage. The passwords are displayed in clear text, so never run this on a shared screen or store the output in an unprotected file.
How to Avoid Common Errors
Wrong Way: Searching for "Key Content" on Non-English Windows
The label "Key Content" is translated in every non-English Windows version. A script that searches for this English text will silently return no results on other languages.
rem *** BAD: only works on English Windows ***
findstr "Key Content"
rem *** BAD: "Password" is not the label Windows uses in any language ***
findstr "Password"
Correct Way: Export the profile to XML and read the <keyMaterial> tag, which is the same in every language.
Wrong Way: Parsing Profile Names with Hardcoded Token Positions
The original "List All Passwords" script used tokens=4,* with findstr "All User Profile". Both the token count and the label text are language-dependent.
rem *** BAD: "All User Profile" is English-only, token position varies ***
for /f "tokens=4,*" %%i in ('netsh wlan show profiles ^| findstr "All User Profile"') do ...
Correct Way: Export all profiles to XML files and process the files, or use delims=: with tokens=1,* and extract the profile name from after the colon (though the line identification still requires matching a translated label). The XML approach avoids this entirely.
Wrong Way: Using tokens=2 delims=: for Password Extraction
Passwords can contain colon characters. Using tokens=2 truncates the password at the first colon.
rem *** BAD: truncates passwords containing colons ***
for /f "tokens=2 delims=:" %%a in (...) do set "pass=%%a"
Correct Way: Use tokens=1,* delims=: so that %%b captures everything after the first colon, preserving the full password. Or use the XML method where the password is between <keyMaterial> and </keyMaterial> tags.
Problem: "Key Content" Line Is Missing
If the password line does not appear in the output, common causes include:
- Open network: The network has no password. There is no <keyMaterial> tag in the XML.
- Enterprise authentication: Networks using 802.1X (username/password or certificate) do not store a simple key. The password cannot be displayed.
- Not running as Administrator: Without elevation, key=clear may be silently ignored and the password is not shown.
Problem: SSID Names with Special Characters
Wi-Fi network names can contain spaces, ampersands, parentheses, and other characters that have special meaning in Batch. Always wrap SSID values in quotes when passing them to netsh.
rem *** BAD: breaks on names with spaces or special characters ***
netsh wlan show profile name=Coffee Shop & Bar key=clear
rem *** GOOD: quotes protect the name ***
netsh wlan show profile name="Coffee Shop & Bar" key=clear
Best Practices and Rules
1. Always Run as Administrator
The key=clear parameter requires elevation. Without it, netsh either hides the password or omits the field entirely, depending on the Windows version and group policy settings.
2. Use XML Export for Language Independence
The console output labels of netsh are translated into every Windows display language. The XML structure (tag names like <keyMaterial>, <name>, <authentication>) is never translated. For scripts that must work internationally, always export to XML and parse the tags.
3. Delete Temporary Files Containing Passwords
When using the XML export method, the exported files contain plain-text passwords. Always delete these files after extraction. Use rmdir /s /q on the temporary directory to ensure nothing is left behind.
4. Handle Missing Passwords Gracefully
Not every profile has a recoverable password. Open networks, Enterprise networks, and certificate-based authentication will not have a <keyMaterial> tag. Your script should report this clearly instead of showing a blank or crashing.
5. Use setlocal / endlocal
Always wrap scripts in setlocal and endlocal to prevent variables (especially those containing passwords) from leaking into the parent environment.
6. Use tokens=1,* Not tokens=2
When splitting on : (for console parsing) or <> (for XML parsing), always use tokens=1,* to capture everything after the delimiter. This preserves values that contain the delimiter character, which is possible for both passwords (colons) and XML content.
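A check for rule 3, added here as an example and not part of the original scripts: it scans a folder for leftover profile exports that still hold an unprotected key and reports the key length only, never the key. It is written in Python rather than Batch so that a real XML parser decodes entities such as &amp;. The sample files are constructed, and the <protected> element is assumed from the WLAN profile schema, since this page does not mention it.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample shaped like a netsh export; every value is made up.
SAMPLE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <MSM><security><sharedKey>
    <protected>{protected}</protected>
    <keyMaterial>{key}</keyMaterial>
  </sharedKey></security></MSM>
</WLANProfile>
"""

def local(tag):  # drop the XML namespace so lookups match bare tag names
    return tag.rsplit("}", 1)[-1]

def inspect_profile(path):
    """Return name, protected flag and key length, or None if not a WLAN profile."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None
    if local(root.tag) != "WLANProfile":
        return None
    fields = {}
    for el in root.iter():  # first occurrence wins: the top-level <name>
        fields.setdefault(local(el.tag), (el.text or "").strip())
    return {"name": fields.get("name", ""), "protected": fields.get("protected", "").lower(),
            "key_len": len(fields.get("keyMaterial", ""))}  # length only, never the key

def find_cleartext_exports(folder):
    """List exports under folder that still hold an unprotected key."""
    hits = []
    for path in sorted(Path(folder).rglob("*.xml")):
        info = inspect_profile(path)
        if info and info["key_len"] and info["protected"] != "true":
            hits.append((path.name, info["name"], info["key_len"]))
    return hits

def demo():
    """Scan constructed files; only the key=clear export should be reported."""
    rows = [("Wi-Fi-Home_WiFi.xml", "Home_WiFi", "false", "p&amp;ss:w&lt;rd"),
            ("Wi-Fi-Office.xml", "Office", "true", "01000000AABBCCDD")]
    with tempfile.TemporaryDirectory() as tmp:
        for fname, name, prot, key in rows:
            Path(tmp, fname).write_text(SAMPLE.format(name=name, protected=prot, key=key))
        Path(tmp, "notes.xml").write_text("<notes>unrelated</notes>")
        return find_cleartext_exports(tmp)
```

The reported length for the first sample is 9, not 16, because the parser decodes the two entities; the Batch scripts above would show them in escaped form.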
Final Thoughts
Retrieving saved Wi-Fi passwords in Batch is straightforward with netsh wlan show profile key=clear, but building a script that works reliably across all Windows languages requires a different approach. The console output labels are translated, making findstr "Key Content" an English-only solution. The robust alternative is to export profiles to XML using netsh wlan export profile key=clear and parse the <keyMaterial> tag, which is language-independent. Combined with proper administrator checks, temporary file cleanup, and special-character handling, this technique becomes a reliable, professional-grade password recovery tool.