I have the following in .bat that is (this works):

"%winscp%" /ini=nul ^
           /log=C:\TEMP\winscplog.txt ^
           /command "open scp://goofy:changeme@ -hostkey=""ssh-rsa 2048 d4:1c:1a:4c:c3:60:d5:05:12:02:d2:d8:d6:ae:6c:5d""" ^
           "put ""%outfile%"" /home/public/somedir/somesubdir/%basename%" ^

I have tried to duplicate that into a powershell script like this:

& $winscp "/ini=nul" `
           "/log=C:\TEMP\winscplog.txt" `
           "/command" 'open sftp://goofy:changeme@ -hostkey="ssh-rsa 2048 d4:1c:1a:4c:c3:60:d5:05:12:02:d2:d8:d6:ae:6c:5d"' `
           "put `"" + $outfile + "`" /home/public/somedir/somesubdir/" + $basename `

When I run the .bat script the file will upload.

When I run the .ps1 script I get Host key does not match configured key ssh-rsa

I suspect that I have not formatted the command properly in powershell and the hostkey is getting mangled by the time winscp sees it.

I checked the log and all that is shown is the hostkey from the host. It does not show the key I am using. I confirmed that by changing my host and noting that it did not show up in the log. I compared the log between .bat and .ps1 and the difference is ps1 terminates with the error noted above.

winscp is a sftp utility.

    Does the log show what key (it thinks) is being specified? You might use a tool like Process Monitor to see the exact command line the process is being launched with. You could query this with PowerShell itself (`Get-WmiObject -Class Win32_Process -Filter 'Name = ''WinSCP.exe''' -Property CommandLine`) provided the process doesn't exit too quickly. – Lance U. Matthews Mar 04 '17 at 21:13

  • JamesQMurphy's helpful answer is the best solution in this case.

  • This answer generally discusses translating command lines written for cmd.exe to PowerShell.

Translating cmd.exe (batch-file) command lines to PowerShell is tricky - so tricky, that in PSv3 pseudo-parameter --%, the stop-parsing symbol, was introduced:

Its purpose is to allow you to pass everything that comes after --% as-is through to the target program, so as the control the exact quoting - except that cmd.exe-style %...%-style environment-variable references are still expanded by PowerShell[1].

However, --% comes with many severe limitations - discussed below - and its usefulness is limited to Windows, so it should be considered a last resort;

An alternative is to use the PSv3+ Native module (install with Install-Module Native from the PowerShell Gallery in PSv5+), which offers two commands that internally compensate for all of PowerShell's argument-passing and cmd.exe's argument-parsing quirks:

  • Function ie, which you prepend to any call to an external program, including cmd.exe, allows you to use only PowerShell's syntax_, without having to worry about argument-passing problems; e.g.:

    # Without `ie`, this command would malfunction.
    'a"b' | ie findstr 'a"b'
  • Function ins (Invoke-NativeShell) function allows you to reuse command lines written for cmd.exe as-is, passed as a single string; unlike --%, this also allows you to embed PowerShell variables and expressions in the command line, via a PowerShell expandable string ("..."):

    # Simple, verbatim cmd.exe command line.
    ins 'ver & whoami'
    # Multi-line, via a here-string.
    ins @'
      dir /x ^
    # With up-front string interpolation to embed a PowerShell var.
    $var='c:\windows'; ins "dir /x `"$var`""

Limitations and pitfalls of --%

  • --% must follow the name/path of the external utility to invoke (it can't be the first token on the command line), so that the utility executable (path) itself, if passed by [environment] variable, must be defined and referenced using PowerShell syntax.

  • --% supports only one command, which an unquoted |, || or && on the same line, if present, implicitly ends; that allows you to pipe / chain such a command to / with other commands.

    • However, using ; in order to unconditionally place another command on the same line is not supported; the ; is passed through verbatim.

    • --% reads (at most) to the end of the line so spreading a command across multiple lines with line-continuation chars. is NOT supported.[2]

  • Other than %...% environment-variable references, you cannot embed any other dynamic elements in the command; that is, you cannot use regular PowerShell variable references or expressions.

    • Escaping % characters as %% (the way you can do inside batch files) is not supported; %<name>% tokens are invariably expanded, if <name> refers to a defined environment variable (if not, the token is passed through as-is).
  • Other than %...% environment-variable references, you cannot embed any other dynamic elements in the command; that is, you cannot embed regular PowerShell variable references or expressions.

  • You cannot use stream redirections (e.g., >file.txt), because they are passed verbatim, as arguments to the target command.

    • For stdout output you can work around that by appending | Set-Content file.txt instead, but there is no direct PowerShell workaround for stderr output.
    • However, if you invoke your command via cmd, you can let cmd handle the (stderr) redirection (e.g., cmd --% /c nosuch 2>file.txt)

Applied to your case, this means:

  • %winscp% must be translated to its PowerShell equivalent, $env:winscp, and the latter must be prefixed with &, PowerShell's call operator, which is required when invoking external commands that are specified by variable or quoted string.
  • & $env:winscp must be followed by --% to ensure that all remaining arguments are passed through unmodified (except for expansion of %...% variable references).
  • The list of arguments from the original command can be pasted as-is after --%, but must be on a single line.

Therefore, the simplest approach in your case - albeit at the expense of having to use a single line - is:

# Invoke the command line with --%
# All arguments after --% are used as-is from the original command.
& $env:winscp --% /ini=nul /log=C:\TEMP\winscplog.txt /command "open scp://goofy:changeme@ -hostkey=""ssh-rsa 2048 d4:1c:1a:4c:c3:60:d5:05:12:02:d2:d8:d6:ae:6c:5d""" "put ""%outfile%"" /home/public/somedir/somesubdir/%basename%" "exit"

[1] Note that, despite the cmd.exe-like syntax, --% also works on Unix-like platforms in PowerShell Core (macOS, Linux), but is of very limited use there: unlike with native shells such as bash there, --% only works with double-quoted strings ("..."); e.g., bash --% -c "hello world" works, but bash --% -c 'hello world' doesn't - and the usual shell expansions, notably globbing, aren't supported - see this GitHub issue.

[2] Even `, PowerShell's own line-continuation character, is treated as a pass-through literal. cmd.exe isn't even involved when you use --% (unless you explicitly use cmd --% /c ...), so its line-continuation character, ^, cannot be used either.

    If you're using environment variables anyway, I find `cmd /c 'winscp /ini=nul ... "%outfile%" ...'` more readable, since it doesn't require escaping the nested double quotes. Also: [maybe](https://social.technet.microsoft.com/wiki/contents/articles/7703.powershell-running-executables.aspx) [interesting](https://blogs.technet.microsoft.com/josebda/2012/03/03/using-windows-powershell-to-run-old-command-line-tools-and-their-weirdest-parameters/). – Ansgar Wiechers Mar 04 '17 at 22:25
  • @AnsgarWiechers I see what you mean, but my focus was on preserving the _original_ command line, without having to worry about its syntax at all. If you enclose the command line in `'...'`, you then have to worry about the original command line containing `'` instances. – mklement0 Mar 04 '17 at 22:37
  • 1
    This is interesting, but I did not give you the credit for the answer because I want to switch the powershell way of doing things. For others this will be VERY useful. – Be Kind To New Users Mar 04 '17 at 23:06
  • @MichaelPotter: I appreciate the feedback. Indeed, my answer is focused on allowing you to use the `cmd.exe` command line _as-is_ (as much as possible), but I commend you for trying to learn how PowerShell ticks, which will benefit you in the long run. If you want to know how PowerShell parses _unquoted_ tokens on a command line, see [this answer](http://stackoverflow.com/a/41254359/45375) of mine. – mklement0 Mar 04 '17 at 23:09

Martin Prikryl (the author of WinSCP) also provides a .Net assembly, which might be a better choice if you want to switch to PowerShell.

Example from the documentation updated with the parameters from your commandline:

try {
    # Load WinSCP .NET assembly
    Add-Type -Path 'WinSCPnet.dll'

    # Setup session options
    $sessionOptions = New-Object WinSCP.SessionOptions -Property @{
        Protocol = [WinSCP.Protocol]::Sftp
        HostName = ''
        UserName = 'goofy'
        Password = 'changeme'
        SshHostKeyFingerprint = 'ssh-rsa 2048 d4:1c:1a:4c:c3:60:d5:05:12:02:d2:d8:d6:ae:6c:5d'

    $session = New-Object WinSCP.Session

    try {
        # Connect

        # Upload files
        $transferOptions = New-Object WinSCP.TransferOptions
        $transferOptions.TransferMode = [WinSCP.TransferMode]::Binary

        $transferResult = $session.PutFiles($outfile, "/home/public/somedir/somesubdir/$basename", $false, $transferOptions)

        # Throw on any error

        # Print results
        foreach ($transfer in $transferResult.Transfers) {
            Write-Host ("Upload of {0} succeeded" -f $transfer.FileName)
    } finally {
        # Disconnect, clean up

    exit 0
} catch [Exception] {
    Write-Host ("Error: {0}" -f $_.Exception.Message)
    exit 1
Ansgar Wiechers
  • I would have liked to use this but the install instructions for this was way to confusing for me. – Be Kind To New Users Mar 04 '17 at 22:52
  • It should be sufficient to put the DLL and executable in your module directory and load the DLL with its full path. – Ansgar Wiechers Mar 04 '17 at 23:14
  • This is an example of why I am confused: I don't know what "The DLL" is. I also don't know where "my Module Directory" is. When I click on a link that looks like it is going to give me step by step instructions it starts talking about dot net. I don't care about dot net for this project so I just move on to working with what I am familiar. Probably in a couple of weeks of working with powershell this will make sense. – Be Kind To New Users Mar 05 '17 at 00:23
  • I'm talking about the DLL (and executable) from the .Net assembly archive that you find on the [download page](https://winscp.net/eng/download.php). Module directories are explained [here](https://msdn.microsoft.com/en-us/library/dd878350.aspx#Anchor_1). – Ansgar Wiechers Mar 05 '17 at 00:36
  • 1
    @MichaelPotter Just extract the `WinSCP-X.X.X-Automation.zip` package along with your script and that's all. – Martin Prikryl Mar 05 '17 at 17:08

Whenever I have to invoke an executable from PowerShell, I always pass the parameters as a list, like below. I also use single quote marks, unless I'm actually substituting variables, in which case I have to use the double quotation marks.

 & SomeUtility.exe @('param1','param2',"with$variable")

It gets a little tricky when there are spaces in the parameters, since you may have to provide quotation marks so that the utility can properly parse the command.

Your example is even more tricky, since WinScp wants the argument of the /command parameter enclosed in quotation marks, and any strings inside enclosed in double quotation marks. All of that needs to be preserved, because of WinScp. I believe the following would work. I've broken up the parameters into multiple lines for readability. I'm also assuming that you've successfully populated your $winscp, $outfile, and $basename variables.

$params = @(
  '"open scp://goofy:changeme@ -hostkey=""ssh-rsa 2048 d4:1c:1a:4c:c3:60:d5:05:12:02:d2:d8:d6:ae:6c:5d"""',
  ('"put ""' + $outfile + '"" /home/public/somedir/somesubdir/' + $basename + '"'),

& $winscp $params

Note the parentheses around the fifth parameter; this is due to the string concatenation operations there. (Without the parentheses, each operand would have been added to the list separately -- you can confirm this by looking at $params.Count.) Also keep in mind that you will need quotation marks around your log file path if you ever have to change it to something with spaces.

  • 3
    Kudos for a methodical approach, but there's no need to pass the arguments as an _array_: `& SomeUtility.exe 'param1' 'param2' "with$variable"` will do just fine - ultimately, the arguments _are_ passed as a _space-separated_ list anyway. _Conceptually_ - though it makes no technical difference _here_ - the equivalent of passing the array stored in `$params` would be: `& $winscp @params` (note the _splatting operator_). – mklement0 Mar 04 '17 at 22:48

I ran your code (modified to work with my own server, of course) and got the following log:

. 2017-03-04 15:32:24.387 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /ini=nul /log=C:\TEMP\winscplog.txt /command "open sftp://goofy:***@ -hostkey=ssh-rsa" 2048 d4:1c:1a:4c:c3:60:d5:05:12:02:d2:d8:d6:ae:6c:5d"" exit
. 2017-03-04 15:32:24.388 Time zone: Current: GMT-6, Standard: GMT-6 (Central Standard Time), DST: GMT-5 (Central Daylight Time), DST Start: 3/12/2017, DST End: 11/5/2017
. 2017-03-04 15:32:24.388 Login time: Saturday, March 4, 2017 3:32:24 PM
. 2017-03-04 15:32:24.388 --------------------------------------------------------------------------
. 2017-03-04 15:32:24.388 Script: Retrospectively logging previous script records:
> 2017-03-04 15:32:24.388 Script: open sftp://goofy:***@ -hostkey=ssh-rsa
. 2017-03-04 15:32:24.388 --------------------------------------------------------------------------

Note how in the first line it inserted a double quote immediately after -hostkey=ssh-rsa and in the last line the -hostkey parameter is truncated from what we expect it to be.

I was able to connect successful after doubling up the inner double quotes around the -hostkey parameter like this:

"/command" 'open sftp://goofy:changeme@ -hostkey=""ssh-rsa 2048 d4:1c:1a:4c:c3:60:d5:05:12:02:d2:d8:d6:ae:6c:5d""' `
Lance U. Matthews
