Guide to Setting Up SecureCRT Logon Scripts-Here Are Mine!

What Am I Providing Here?

What I want to explain and provide here is a detailed guide on how to set up SecureCRT to take advantage of these Logon Scripts, provide a few extra tips, and leave you with a copy of my files.

Please leave comments / suggestions / improvements below and I will update the scripts for everyone’s use.

What Am I Using These Scripts For?

You can use these scripts in many ways.  I will show you what I cover here, then some additional ways to use them and what I will work on in future.

Below are some of the different ways to use them.  The next item, “Individual Connection Profiles in SecureCRT”, is what I’m covering in this article.

Individual Connection Profiles in SecureCRT

For these profiles you simply click on the entry in SecureCRT, and you launch a connection to that device.  This launches the script that is located within the profile.

This is good for making a connection to that single device and executing the commands listed in the reference script from that profile.  You can see 3 entries below to 10.3.3.97.  I have my connect profile, backup profile and unique command profile.  So if I’m investigating an incident or making a change, I can connect, or make a backup which is written to a file, with a single double click.

Setup "Individual Connection Profiles" in Bulk

This section is coming in future.

You want to create the above set of profiles for all your devices of a certain type.  Then just copy these profile entries to your SecureCRT configuration.  You can manually do this as per below instructions.  I will run a lab test in future to make an automated script to do this given a list of IP addresses and profile types.

This automation should allow a much easier rollout of these individual profiles for connecting to all your devices, or let it be used in a shared environment when you want these profiles to be available to multiple users, with zero input from them to set up.

Refer to the section below for some details and how to set this up manually: Setting up Bulk SecureCRT Profiles

Use SecureCRT to Launch Scripts-Execute Command Sets on Multiple Devices

This section is coming in future.

Individual profiles are great when you don’t have too many devices, but what if you have 3000 devices to manage and need to execute a set of commands on all of them?  Then you can utilize SecureCRT to launch a script to run that pre-configured command set.

I will bring you some scripts to utilize this feature in future.

What is a SecureCRT Logon Script?

See the official SecureCRT site for information on what a Logon Script is in SecureCRT.

Logon Script to Log On to Multiple Hosts with SecureCRT®

A developer at a telecommunications firm submitted this scripting tip, which logs on to multiple hosts using a common password. The script also allows him to easily change passwords on the dozens of sessions he has to manage. This script can be used with SecureCRT for Windows.

https://www.vandyke.com/support/tips/loginscript.html

Why Do I Use Logon Scripts?

I use SSH to connect to my remote hosts. I had 161 sessions, so the time taken to change my password every 3 months was getting ridiculous. This essential item above drove me to this solution:

  • To update my password in one file and have this apply to all my SecureCRT connection sessions
  • One click (or double click) to connect automatically and establish a session

This doesn’t interpret perfectly, as I needed a separate script for each device type as the logon process and commands are different.

Also, you need a different script if the credentials are different. If I have different password domains, I set up a new file. This gives me segregation. An example of this is if you have different clients you manage from the one location or you have TACACS authentication and RADIUS authentication in the one client with different auth requirements.

You could combine this into one script with device type identification, but I chose to keep these separate.

How Can I Enhance What the Logon Script Does?

Next, I expanded on this essential feature above, so the scripts now include:

  • A snapshot of some essential settings / status information when I connect
  • Create a backup of the remote host – Using a unique “backup” session
  • Run custom commands – Using a unique “custom” session

Logging – I log everything – SecureCRT creates the directory if it doesn’t exist:

  • My “connect” session is logged to a “session” directory
  • My “backup” session is written to a “cfg_backups” directory
  • My “custom” sessions are written to a “save_cmds” directory

SecureCRT Keyword Highlighting: Importing an INI File

If you wish to really make the problems stand out in the displayed data, import a keyword highlighting INI file.  Select words are highlighted in different colors, so you can easily identify issues and select data.

This is the default template (as provided by “Casey”).  I may look at customising in future as this is customised for Cisco devices.

https://www.youtube.com/watch?v=XY30iF5MAMY&t=180s

https://forums.vandyke.com/showthread.php?p=49910#post49910

Alternative Cisco file by dentonj@feralpacket.org: https://feralpacket.org/?p=817

Additional Hints and Tricks to Improve SecureCRT

Another site that covers off these points well:

8 Useful Tips & Tricks for SecureCRT

Limitations

You need direct access from your SecureCRT client to the destination server for this method to work. You will need to use a different method if you go through a jump host.

Security on the Desktop

These files are plain text, so your password can be read by anyone with system access.

  • Virtual Desktop – I keep my session files encrypted with 7-Zip on the Virtual Desktop. Then decrypt them when I use them.
  • I specify the SecureCRT Configuration Folder: C:\Users\{Your Userid}\Documents\SecureCRT_Config
  • On My Laptop, I run VeraCrypt, which decrypts the Configuration Folder on logon with my decrypt passphrase and encrypts it on logoff.
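
An added example, not one of the author's scripts: a small Python audit that lists which .vbs logon scripts in the Scripts folder carry a hard-coded password, so you know exactly which files must stay inside the encrypted folder. It assumes the scripts use SecureCRT's crt.Screen.WaitForString / crt.Screen.Send calls with the password held in a constant or string literal; SAMPLE and the function names are constructed for illustration.

```python
import re
from pathlib import Path
# Secret-looking name assigned a string literal, e.g. Const PASSWORD = "..."
ASSIGN_RE = re.compile(
    r'^\s*(?:Const\s+)?(\w*(?:pass|pwd|secret)\w*)\s*=\s*"[^"]+"', re.I)
# Script waits for a prompt whose text contains "assword"
WAIT_RE = re.compile(r'crt\.Screen\.WaitForString\s*\(?\s*"[^"]*assword', re.I)
# Any Send call; group 1 is set only when the argument starts with a literal
SEND_RE = re.compile(r'crt\.Screen\.Send\b\s*\(?\s*("[^"]+")?', re.I)

# Constructed sample: the shape is an assumption, not one of the author's scripts.
SAMPLE = """\
' MultiSessionLogin-Example.vbs (constructed)
Const USERNAME = "netadmin"
Const PASSWORD = "Examp1e-Only!"
Sub Main
    crt.Screen.WaitForString "login:"
    crt.Screen.Send USERNAME & vbCr
    crt.Screen.WaitForString "assword:"
    crt.Screen.Send PASSWORD & vbCr
    crt.Screen.WaitForString "Enable password:"
    crt.Screen.Send "Examp1e-Enable" & vbCr
End Sub
"""

def scan_script(text):
    """Return [(line_no, kind, name)] without ever echoing the secret value."""
    findings, at_password_prompt = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("'"):      # whole-line VBScript comment
            continue
        m = ASSIGN_RE.match(line)
        if m:
            findings.append((no, "assignment", m.group(1)))
        elif WAIT_RE.search(line):
            at_password_prompt = True
        elif (s := SEND_RE.search(line)):
            if at_password_prompt and s.group(1):
                findings.append((no, "literal-at-prompt", None))
            at_password_prompt = False
    return findings

def scan_folder(folder):
    """Scan every .vbs under the Scripts folder; keep only files with findings."""
    results = {p.name: scan_script(p.read_text(errors="replace"))
               for p in sorted(Path(folder).rglob("*.vbs"))}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    print(scan_script(SAMPLE))
```

Point scan_folder at the “Scripts” directory inside your SecureCRT configuration folder; it reports file names and line numbers only, never the password itself.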

Summary of My Scripts!

I have 3 scripts for each type of device I connect to.

  • Script 1: “Connect” – Session connects, runs basic status information, and presents the logon prompt
  • Script 2: “Backup” – cfg_backup – Session connects, runs basic status information, completes backup, collect routing, logoff
  • Script 3: “Custom” – save_cmds – Session connects, runs basic status information, runs pre-configured command blocks (backup, show tech, server operational status, etc.), logoff

| Device Types | Script 1-Connect “session” | Scripts 2-Backup “cfg backup” | Scripts 3-Custom “save_cmds” |
|---|---|---|---|
| Cisco ASA Standalone or Virtual Context | Production | Production | Production |
| Cisco ASA System Context | Production | Production | Production |
| Check Point | Functional | Functional | Functional |
| Palo Alto | Functional | Functional | Functional |
| Fortinet Fortigate | Functional | Functional | Improvements coming |
| Cisco Firepower FMC | Functional | Functional | Improvements coming |
| Cisco Firepower IPS* | Functional | Functional | Improvements coming |
| Linux | Production | Production | Production |

Click the links above to see the dedicated pages with the code.

*The Cisco Firepower is your old style ASA chassis, with the ASA module and Firepower IPS module

Installing My Logon Scripts

Check your SecureCRT configuration folder:

  • Menu => Options => Global Options…
  • General => Configuration Paths => Configuration folder:
Make sure you know where this is, or set it where you want (I like to choose the My Documents folder for ease of access).
Choosing a cloud drive means you have an automatic backup to the cloud (but be aware of the security risks).

C:\Users\<MyUserid>\OneDrive – 1System\Documents\Backup\SecureCRT_Config\

  • In this folder, create a “Scripts” directory
  • Change to that directory
  • Place the zip file in this directory: …
  • Unzip the file ==> Right click 7-Zip/Winzip => “Extract Here”
  • Next create your first profile to take advantage of the scripts.

Setting up Bulk SecureCRT Profiles

If you’re creating your SecureCRT profiles from scratch, and you have a lot of devices, use the official import script:

Importing SecureCRT® Sessions from a Data File

“You can find the Import Arbitrary Data From File To SecureCRT Sessions script discussed in this tip on the VanDyke Software Scripting Forum.”

Updating a SecureCRT Profile to Utilize the Logon Scripts

Create a new SecureCRT profile.

There are only a couple of settings you need to update:

  • Connection => Logon Actions => Logon script:
  • Connection => Logon Actions => Display logon prompts in terminal window: Tick
  • Terminal => Log File => Log file name:
  • Terminal => Log File => Options => Start log upon Connect (only select this one)
  • Terminal => Log File => Options => Append to file

You need the logging to save the backup and save_cfg files.  You don’t need the logging for the connect sessions, but once you set it, it works automatically, and may just save you sometime in the future.

Detailed steps below.

Logon Script & Log File Name Settings

 

Details below for these settings (customise them for your path setup).

Connection => Logon Actions => Logon script:
H-Linux-SSHTest-10.1.1.12
C:\Users\<MyUserid>\Documents\SecureCRT_Config\Scripts\MultiSessionLogin-Linux.vbs
H-Linux-SSHTest-10.1.1.12-cfg_backup
C:\Users\<MyUserid>\Documents\SecureCRT_Config\Scripts\MultiSessionLogin-Linux-config_backup.vbs
H-Linux-SSHTest-10.1.1.12-save_cmds
C:\Users\<MyUserid>\Documents\SecureCRT_Config\Scripts\MultiSessionLogin-Linux-save_cmds.vbs

Terminal => Log File => Log file name:
H-Linux-SSHTest-10.1.1.12
C:\Users\<MyUserid>\Documents\Devices-Console_Session_Logs\%Y%M%D-%S.txt
H-Linux-SSHTest-10.1.1.12-cfg_backup
C:\Users\<MyUserid>\Documents\Devicescfg_backups\%Y%M%D.%h.%m-%S.txt
H-Linux-SSHTest-10.1.1.12-save_cmds
C:\Users\<MyUserid>\Documents\Devicessave_cmds\%Y%M%D.%h.%m-%S.txt

Customise the Scripts for You!

You don’t need to change more than the userid and password to make these scripts work for you.  For the “save_cmds” script you can enable the commands/command blocks you wish to run.

To make updating your password easier, select all the scripts that share the detail you wish to update (such as the same password).  Then open them all in Notepad++.

 

Next, simply update the setting and “Replace All in All Opened Documents”:

Detailed Profile Setup Instructions

  • Create a new profile
  • Add the name
  • Set the Protocol to: SSH2
  • Select => Logon script
  • Add the path as per above details
  • Tick => Display logon prompts in terminal window
  • Add => Hostname/IP of the host
  • Leave “Username” clear
  • Add Log file name
  • Select => Start log upon connect
  • Select => Append to file

That's It!

Please let me know if you have found this article useful.

If you would like to see:

  • Improvements to these scripts
  • New scripts supporting new platforms

Please join above, or leave me a comment advising what you would like to see.
