Jakob Marius Kjær

Making life easier for yourself with KeePass

Hi all,


If you are in any way like me then you feel like you are constantly asking your security people for unlocks to various systems and clients. I keep forgetting my passwords or entering them for the wrong systems. Or maybe you are like some other people I've seen who keep their passwords in an Excel sheet or text file, which obviously is a no-go!

I started using KeePass to handle my passwords, but got annoyed with always having to ALT+TAB between my SAP GUI logon window and the KeePass window. Yes, I know I'm petty.

But I want to show you how I managed to open the SAP GUI directly from within KeePass.

This has been blogged about before, for example by Peter Langner.

But because I'm lazy and know that I'll miss something when copying and recreating entries, I modified his script just slightly so that it fetches the system name and client from the title.

So download the latest KeePass version and add this as the URL of the entry:

cmd://sapshcut -maxgui -system={T-REPLACE-RX:/{Title}/([^A-Z])+//} -client={T-REPLACE-RX:/{Title}/([^0-9])+//} -user={USERNAME} -pw={PASSWORD}

Now in your title you just maintain the system ID and client, like DEV 100.

That's it. The first regex strips everything except the uppercase letters from the title and passes what is left as the system ID; the second strips everything except the digits and passes them as the client. Easy peasy and a breeze to copy and paste now 😉

Now when you want to log into a new SAP GUI session, just open KeePass instead of the SAP GUI logon, find your entry and press CTRL + U.

      Y.T. Ho

      Thanks for sharing!

      Great alternative for the plugin that supports SAP GUI logon.

      Christian Winheller

      Kaitlin Siatat


      Thank you for the time taken to explain.

      My system is a combination of letters and numbers, so your above formula separates the letters in one field (system) and all numbers in the second one (client); in other words, for a combination of PA2 100 your formula returns



      Can you adjust it to cope with the case of alphanumeric system?

      Thank you in advance.



      December 4th:

      Never mind, after several hours of searches (and feeling stupid in all this time because RegEx syntax looks like Chinese encrypted in Arabic to me) I finally found what I need, the script version that works for me is:

      cmd://sapshcut -maxgui -system={T-REPLACE-RX:/{Title}/(.{3}).*/$1/} -client={T-REPLACE-RX:/{Title}/.*(.{3})/$1/} -user={USERNAME} -pw={PASSWORD}

      The change in the script simply pulls the first and last 3 characters from the Title and feeds the system with the first and the client with the last.
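
Added example (not part of the post or of the comment above): a Python emulation of the two title rules, the original [^A-Z] / [^0-9] pair and the fixed-width pair from the comment, showing which titles each one misparses. STRICT and parse_strict are hypothetical additions that assume a three-character SID and a three-digit client; KeePass uses .NET regular expressions with $1, which behave like Python's \1 for these patterns.

```python
import re

# Rules from the post (ORIGINAL) and from the comment above (FIXED_WIDTH) as
# (pattern, replacement) pairs. KeePass writes the replacement as $1.
ORIGINAL = {"system": (r"([^A-Z])+", ""), "client": (r"([^0-9])+", "")}
FIXED_WIDTH = {"system": (r"(.{3}).*", r"\1"), "client": (r".*(.{3})", r"\1")}

# Assumption, not from the page: SID = letter plus two letters/digits,
# client = three digits, optional whitespace between them, nothing else.
STRICT = re.compile(r"([A-Z][A-Z0-9]{2})\s*([0-9]{3})")


def t_replace_rx(text, pattern, replacement):
    """Emulate {T-REPLACE-RX:/text/pattern/replacement/}: replace every match."""
    return re.sub(pattern, replacement, text)


def expand(title, rules):
    """Return the (system, client) pair that a rule set derives from a title."""
    return tuple(t_replace_rx(title, *rules[key]) for key in ("system", "client"))


def parse_strict(title):
    """Return (system, client), or None if the title does not fit the format."""
    match = STRICT.fullmatch(title.strip())
    return match.groups() if match else None


if __name__ == "__main__":
    # Constructed titles: one that works everywhere and three that do not.
    for title in ("DEV 100", "PA2 100", "PA2 100 old", "QA 100"):
        print(f"{title!r:14} original={expand(title, ORIGINAL)} "
              f"fixed_width={expand(title, FIXED_WIDTH)} "
              f"strict={parse_strict(title)}")
```

Neither rule set rejects a malformed title; it is passed on to sapshcut as whatever the regex leaves over, which is why the strict variant returns None instead.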


      Stefan Molzen

      Thanks for sharing.


      Even though password-times are almost over they are still alive and sometimes the only option for a login 😉 ... especially as an IT consultant handling various customers and landscapes.

      We put some more thought into the solution over the years since we read the post in 2012 and want to give back some information/tweaks - maybe it's useful for others.



      • make use of encryption
      • get independent from logonpad entries
      • automate password changes to high degree



      • title is of the format SIDCLT, e.g. APD000
      • custom string MSSERV containing the message server port, e.g. 3600
      • username is referenced to a central field containing a domain joined account name of format DOMAIN\USER
      • URL field containing a simple sapgui_sso://
      • SAP Gui option "Show system name in taskbar button" activated in "interaction design" - "Visualization 2" menu


      URL overrides defined in Keepass options:

      • sapgui (encrypted message server connection via SNC + username)
        cmd://"{ENV_PROGRAMFILES_X86}{ENV_DIRSEP}SAP{ENV_DIRSEP}FrontEnd{ENV_DIRSEP}SAPgui{ENV_DIRSEP}SAPgui.exe" /SHORTCUT="-gui="/M/sap{T-REPLACE-RX:!{TITLE}!.{0,3}$!!}{S:MSSERV}/G/SPACE /SUPPORTBIT_ON=NEED_STDDYNPRO" -SID={T-REPLACE-RX:!{TITLE}!.{0,3}$!!} -client={T-REPLACE-RX:!{TITLE}!^.{0,3}!!} -u={T-REPLACE-RX:!{USERNAME}!^(.*)\\!!} -pw= -l=EN -snc_name=p:SAPService{T-REPLACE-RX:!{TITLE}!.{0,3}$!!} -reuse=1 -snc_qop=9 -max"
      • sapgui_id+pw (encrypted message server connection via SNC + credentials)
        cmd://"{ENV_PROGRAMFILES_X86}{ENV_DIRSEP}SAP{ENV_DIRSEP}FrontEnd{ENV_DIRSEP}SAPgui{ENV_DIRSEP}SAPgui.exe" /SHORTCUT="-gui="/M/sap{T-REPLACE-RX:!{TITLE}!.{0,3}$!!}{S:MSSERV}/G/SPACE /SUPPORTBIT_ON=NEED_STDDYNPRO" -SID={T-REPLACE-RX:!{TITLE}!.{0,3}$!!} -client={T-REPLACE-RX:!{TITLE}!^.{0,3}!!} -u={T-REPLACE-RX:!{USERNAME}!^(.*)\\!!} -pw={PASSWORD} -l=EN -snc_name=p:SAPService{T-REPLACE-RX:!{TITLE}!.{0,3}$!!} -reuse=1 -snc_qop=9 -max"
      • sapgui_sso (encrypted message server connection via SNC + SSO)
        cmd://"{ENV_PROGRAMFILES_X86}{ENV_DIRSEP}SAP{ENV_DIRSEP}FrontEnd{ENV_DIRSEP}SAPgui{ENV_DIRSEP}SAPgui.exe" /SHORTCUT="-gui="/M/sap{T-REPLACE-RX:!{TITLE}!.{0,3}$!!}{S:MSSERV}/G/SPACE" -SID={T-REPLACE-RX:!{TITLE}!.{0,3}$!!} -client={T-REPLACE-RX:!{TITLE}!^.{0,3}!!} -l=EN -snc_name=p:SAPService{T-REPLACE-RX:!{TITLE}!.{0,3}$!!} -reuse=1 -snc_qop=9 -max"


      Custom Auto-Type sequences:

      • PW Change during SSO login
        Window match: {T-REPLACE-RX:!{TITLE}!.{0,3}$!!}*{T-REPLACE-RX:!{TITLE}!^.{0,3}!!}*Password Change Prompt*
        Keystroke sequence: {C:Change PW SSO}{PASSWORD}{TAB}{NEWPASSWORD:/Profile/}{TAB}{NEWPASSWORD:/Profile/}{ENTER}
      • Easy Access menu screen right after login to initiate through SU3
        Window match: {T-REPLACE-RX:!{TITLE}!.{0,3}$!!}*{T-REPLACE-RX:!{TITLE}!^.{0,3}!!}*SAP Easy Access*
        Keystroke sequence: {C:Change PW Easy Access}^/{DELAY 1000}/nSU3{ENTER}{DELAY 5000}{F6}{DELAY 2500}{PASSWORD}{TAB}{NEWPASSWORD:/Profile/}{TAB}{NEWPASSWORD:/Profile/}{ENTER}
      • Initiate automatic password change just from SAP Logon
        Window match: SAP Logon*
        Keystroke sequence: {C:Change PW logonpad}{CMD:!{T-CONV:${T-REPLACE-RX:#{URL}{S:PW_URL}#(sapgui.*?(?=sapgui:\/\/|cmd:\/\/))|(_.*?(?=:\/\/)|S:PW_URL)##}$Raw$}!W=0!}{DELAY 15000}{F1}{DELAY 2000}{T-REPLACE-RX:!{TITLE}!^.{0,3}!!}{TAB}{T-REPLACE-RX:!{USERNAME}!^(.*)\\!!}{TAB}{PASSWORD}{F5}{DELAY 5000}{NEWPASSWORD:/Profile/}{TAB}{NEWPASSWORD:/Profile/}{ENTER}
      • To make Global Auto Type Hotkey work
        Window match: {T-REPLACE-RX:!{TITLE}!.{0,3}$!!}*000 SAP
        Keystroke sequence: {C:Fill CLNT+ID+PW}{F1}{DELAY 2000}{T-REPLACE-RX:!{TITLE}!^.{0,3}!!}{TAB}{T-REPLACE-RX:!{USERNAME}!^(.*)\\!!}{TAB}{PASSWORD}{ENTER}


      Why so many URL overrides and Auto-Type sequences?

      We started with one only in the past but created more soon after. The URL overrides build the backbone for login and password change. sapgui:// is the only one which allows an automated password change via auto-type. sapgui_id+pw:// & sapgui_sso:// perform automated login – which one to use depends on personal requirement. The auto-type sequences offer different ways of password change or logon.

      On purpose SU01/SU10 have been excluded as those are admin functions, not end-user functions.



      An entry is maintained like SIDCLNT, e.g. APD000. The username is referenced to DOMAIN\USER (can be simplified according to needs of course). URL field maintained with sapgui_sso:// to allow a seamless login via SSO to the system/client. Custom string MSSERV maintained with the message server port. Custom string PW_URL can exist, but doesn't have to. If it exists it can be blank, can contain another URL override that allows password change dialog or it can contain a dedicated command that allows for password change also (e.g. in case when a system needs a special connection string). Fallback is always sapgui://. The fallback is arranged via regex which matches and replaces with nothing so the outcome of the regex is either the custom cmd:// or sapgui:// (


      How to use for logon?

      • From Keepass
        • Open Keepass, mark an entry, press CTRL+U
        • sapgui_sso:// URL override will pass connection string on to SAP Logon and log you in via SSO
      • From SAP Logon
        • Double click an entry (non-SSO) to open up the logon screen
        • Switch to Keepass, mark the entry to login, press CTRL+V. Keepass will detect the right auto-type sequence based on the window title, fill in client, user, password and log you in.


      How to use for password change?

      • From Keepass (easiest and most efficient method)
        • Open SAP Logon. Doesn’t matter what item is marked.
        • Then switch to Keepass, mark the entry you want to change password for, press CTRL+V. Keepass will detect the right auto-type sequence based on the window title, fill in client, user, password, initiate the password change dialog, enter new password and save.
      • From SAP Logon
        • Open SAP Logon. Logon to a system of your choice. Make sure to be on the first page “SAP Easy Access”
        • Then switch to Keepass, mark the entry you want to change password for, press CTRL+V. Keepass will detect the right auto-type sequence based on the window title, call transaction /nSU3, initiate the password change dialog, enter old and new password and save
      • From SAP Logon
        • One auto type sequence is made for password change prompt during SSO login. In case you login via SSO and the system forces you to change your password, make sure the cursor is placed in field “old password”
        • Then switch to Keepass, mark the corresponding entry to change password for, press CTRL+V. Keepass will detect the right auto-type sequence based on the window title, enter old and new password and save


      Just a hint in general:

      Global hotkeys can also make life MUCH easier. You can just stay in the application, press CTRL+ALT+A to initiate auto type. In case Keepass identifies only 1 sequence as a fit, it will start typing. Otherwise it will show a selection screen to choose from:


      The above is quite optimized for certain situations but also gives some flexibility for system specific deviations. It hasn’t been really tested with old system types (R/3) – but those will anyhow die out. Everything >=NW7 should work.

      Hopefully I was able to explain in good words and maybe it is useful for others.




      EDIT 1: The hostnames in the above examples are very well structured and follow naming convention sapSID. Otherwise that part of the cmd needs to be changed of course

      EDIT 2: Based on feedback the article has been reworked entirely. Option to define extraordinary URL for password change added. Examples and step by step guide added.
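
Added example (not from the post or from any commenter): KeePass expands {PASSWORD} before it starts the process, so with the sapshcut URL from the post and the sapgui_id+pw override the password becomes part of the process command line, where process-creation logging with command lines enabled records it; the sapgui and sapgui_sso overrides pass no password. The check below finds and redacts such records; the event shape, host values and passwords are constructed.

```python
import re

# Assumption: process-creation events exported as dicts with "RecordId" and
# "CommandLine" keys. All records and password values below are constructed.
SAP_LAUNCHER = re.compile(r"(?i)\bsap(?:shcut|gui)\b")
# A non-empty -pw= value, running up to the next switch, a closing quote or
# the end of the line. The empty "-pw=" of the sapgui:// override is no match.
PW_SWITCH = re.compile(r'(?i)(?<=\s)-pw=\S.*?(?=\s+-\w+(?:[=\s"]|$)|"|$)')

GUI = (r'"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\SAPgui.exe" '
       r'/SHORTCUT="-gui="/M/sapAPD3600/G/SPACE" -SID=APD -client=000')
TAIL = ' -l=EN -reuse=1 -snc_qop=9 -max"'
SAMPLE_EVENTS = [
    {"RecordId": 1, "CommandLine":
        "sapshcut -maxgui -system=DEV -client=100 -user=JDOE -pw=Constructed#Pw1"},
    # sapgui:// override: empty -pw=
    {"RecordId": 2, "CommandLine": GUI + " -u=JDOE -pw=" + TAIL},
    # sapgui_id+pw:// override: password (here with spaces) on the command line
    {"RecordId": 3, "CommandLine": GUI + " -u=JDOE -pw=Constructed Pw 2" + TAIL},
    # sapgui_sso:// override: no -pw switch at all
    {"RecordId": 4, "CommandLine": GUI + TAIL},
]


def audit_command_line(command_line):
    """Return a redacted copy if an SAP launcher received a password, else None."""
    if not SAP_LAUNCHER.search(command_line):
        return None
    redacted, hits = PW_SWITCH.subn("-pw=<redacted>", command_line)
    return redacted if hits else None


def audit_events(events):
    """Return (RecordId, redacted command line) for each event with a password."""
    findings = []
    for event in events:
        redacted = audit_command_line(event["CommandLine"])
        if redacted is not None:
            findings.append((event["RecordId"], redacted))
    return findings


if __name__ == "__main__":
    for record_id, line in audit_events(SAMPLE_EVENTS):
        print(record_id, line)
```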

      Doris Karapici

      Hi everyone,

      Is there any way to configure a similar thing but to access the SAP CC (convergent charging) application?

      I tried to achieve this by modifying the URL on the entry where I stored the SAP CC Credentials, and the log-on screen is opened but looks like KeePass is not filling in the credentials and pressing enter.

      cmd://"C:\Users\XXXX\YYYYY\08 - SAP CC\CCDESKTL01_0-70007776\bin\core_tool.bat" {TAB} {USERNAME} {TAB} {PASSWORD} {ENTER}

      Any suggestion would be very great!

      Thank you,