Reads the ASB solution shared secret from the local Windows registry
(HKLM\SOFTWARE\Wow6432Node\ArchestrA\ArchestrAServices\<solution>\
sharedsecret) and DPAPI-decrypts it with the canonical "wonderware"
entropy + LocalMachine scope, mirroring `AsbRegistry.cs:21-41`.
Auto-discovers:
$env:MX_LIVE = "1"
$env:MX_ASB_HOST = $env:COMPUTERNAME
$env:MX_ASB_SOLUTION = (read from DefaultASBSolution)
$env:MX_ASB_GALAXY_NAME = "ZB" (or -GalaxyName param)
$env:MX_ASB_VIA = net.tcp://<host>/ASBService/Default_<galaxy>_MxDataProvider/IDataV2
$env:MX_ASB_PASSPHRASE = (DPAPI-decrypted plaintext, never printed unless -Show)
Important wiring detail flagged inline: the system-wide ArchestrA
solution name (`Archestra_<HOST>`, source of the sharedsecret) is
DIFFERENT from the per-Galaxy MxDataProvider service segment
(`Default_<galaxy>_MxDataProvider`) that the WCF endpoint URL
targets. Both live under the same registry root but only the former
is owned by ArchestrA; the latter is what serves IASBIDataV2 per
the .NET probe's hardcoded default URL at
`src/MxAsbClient.Probe/Program.cs:5`.
Tested via dry-run on this box: `Archestra_DESKTOP-6JL3KKO` resolves
as the solution, 390 protected bytes decrypt to an 80-char
passphrase, and the assembled VIA URL matches the .NET probe's
default verbatim.
Hard rules:
* Plaintext passphrase NEVER printed unless -Show is explicit.
* Dot-source so env vars persist in the calling pwsh session.
* Caller account must be authorised against the LocalMachine-scope
DPAPI blob (typically: any local Administrator).
Usage:
. .\tools\Get-AsbPassphrase.ps1
cargo run -p mxaccess --example asb-subscribe
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Joseph Doherty
4ebfd8e3a3