Running command from ASP.NET App Pool Identity

Question

I am running an executable process from my ASP.NET application when a user clicks a button. This process creates several files and serves them up to the end-user. I can't really see what the process is or isn't doing, but it didn't work until I specified the admin user as the application pool identity on the server. I am using IIS7.

 using (var proc = new Process())
 {
    proc.StartInfo.FileName = Server.MapPath("~/Testing/Demo/MyExe.exe");
    proc.StartInfo.Arguments = String.Format("\"{0}\"", commandFilePath);
    proc.StartInfo.UseShellExecute = true;
    proc.Start();
    proc.WaitForExit();
 }

I'm assuming that this is generally a bad thing to do. Can you give me insight into what needs to be done in order to enable this for the normal ApplicationPoolIdentity account?

Thanks!

It is storing in a temp directory, zipping all files and serving it up. This works already. — daniel, Mar 04 '13 at 21:47

Aristos · Answer 1 · 2013-03-04T21:29:18.313

3

First of all, why you need the Shell to execute it ? Isn't a console application - do you open any window ?

Second you need to redirect the input and the output.

And final, what you need to do, is to place on the directory that your script runs, permission for the user under witch your pool is run. And remove the Admin from your pool.

proc.StartInfo.UseShellExecute = false;
proc.StartInfo.CreateNoWindow = false;
proc.StartInfo.RedirectStandardError = true;
proc.StartInfo.RedirectStandardOutput = true;
proc.StartInfo.RedirectStandardInput = true;

proc.Start();

proc.StandardInput.Flush();
proc.StandardInput.Close();

proc.WaitForExit();
proc.Close();

So for example, if you add your pool to run under the UserA, then go to your directory that your program runs and add permission for the UserA to been able to execute programs on that directory. If your program also use other directories to read and write, also add permission to the UserA for that ones.

I can't really see what the process is or isn't doing

You can take a look if you use on the server the Process Explorer and see if its runs, if its close, if its stop but stay there.

edited Mar 04 '13 at 21:29

answered Mar 04 '13 at 21:23

Aristos

66,005
16
114
150

I see the process run for a second and then end... I'm assuming lack of permissions. – daniel Mar 04 '13 at 21:55
@daniel if you see it start, then is not permissions on the run. Add some log inside your application to find why is stop. – Aristos Mar 04 '13 at 22:02
Ever run a command and it tells you that you need to "run as administrator"? The process may still start, but it may not be able to do anything else without elevated permissions. – daniel Mar 04 '13 at 22:09
@daniel No you do not need administrator, except if you make some call that I do not know why, is need that permission. I have similar applications that runs just find the same way, no administrator needs. Check why this is required. – Aristos Mar 04 '13 at 22:14
It is trying to write to the c:\windows\syswow64\inetsrv directory (temp files). I'm guessing that this is because appcmd lives there? Kind of a bummer that I don't have control over that. I may be able to run it a different way and see if that causes the temp files to be created elsewhere. – daniel Mar 05 '13 at 14:53

score 2 · Answer 2 · edited Apr 13 '17 at 12:13

2

It is likely a file/execution permissions issue. Try granting execute permissions to the ApplicationPoolIdentity to ~/Testing/Dema/MyExe.exe and read permissions to commandFilePath. You mentioned that your process creates files. You will need to grant either modify or full control permissions to the ApplicationPoolIdentity on the folder where the files will be created. Here is a matrixed list of permissions.

See assign permissions to ApplicationPoolIdentity account for information on granting permissions.

The security event log should capture permission denied errors. Check there to see if you have access permission issues. The System and application logs might also contain information on the problem.

Process Explorer can also show File Access requests. Here is a technet article on troubleshooting with Process Explorer.

edited Apr 13 '17 at 12:13

Community

1
1

answered Mar 04 '13 at 21:23

Jay Walker

4,654
5
47
53

Agreed. The write location works fine already... it's the execute permissions. How would I go about changing the ApplicationPoolIdentity to have execute permissions? – daniel Mar 04 '13 at 21:45
It is using the IUSR account... and that account has full permissions on the directory. Do I still need to do what is mentioned in that thread? – daniel Mar 04 '13 at 22:23
You could start ProcessExplorer, then run the apppool under an admin account and log (via ProcessExplorer) all activity when the application runs successfully. Then change to run under the IUSR account and compare the ProcessExplorer logs. – Jay Walker Mar 04 '13 at 22:37
Process Monitor is what I needed... I ran it both ways... looks like it is writing temp files to C:\Windows\SysWOW64\inetsrv\ ... and that fails for the non-admin user. Suggestions? – daniel Mar 04 '13 at 22:55
Grant at least `modify` permissions to the executing user (IUSR or whatever) on that folder. Depending on what Process Monitor indicated you might also need to add `read` and/or `write` and possibly `delete` if your application deletes the file. – Jay Walker Mar 04 '13 at 23:02
Jay, thanks for your help. The Process Monitor idea was really what tipped me off to the "real issue". I appreciate your help. – daniel Mar 05 '13 at 15:41
1

I give props to Aristos for suggesting it. Glad you are up and running. – Jay Walker Mar 05 '13 at 15:43
1

The Process Explorer is more of an advanced task manager... the Process Monitor actually lets you track the specific process and see what it is (or is not) doing. – daniel Mar 05 '13 at 15:47

score 1 · Answer 3 · answered Mar 04 '13 at 22:45

Whenever you run any process from an ASP.NET page, it runs under the security context of the worker process, the privilege of your app pool account. It is not like you normally running the MyExe.exe, in that case it will run using logged in account. It is because of this, your code worked when you gave Admin account to app pool.

There are many ways to solve this issue.

One of the easiest would be to change your app pool identity to Network Service and add the Network Service to permissions of the folders in which the MyExe.exe will be accessing files form.

Hope it helps.

Network Service does not grant access to the inetsrv directory. — daniel, Mar 05 '13 at 14:51

daniel · Accepted Answer · 2013-03-05T15:45:26.507

Thank you all for your help. All I needed to do was set the StartInfo.WorkingDirectory to somewhere that I was able to write.

        using (var proc = new Process())
        {
            proc.StartInfo.FileName = Server.MapPath("~/Testing/Demo/MyEXE.exe");
            proc.StartInfo.Arguments = String.Format("\"{0}\"", commandFile);
            proc.StartInfo.WorkingDirectory = savePath;
            proc.Start();
            proc.WaitForExit();
        }

This causes the temp files to be written to a non-system folder and thus does not need any elevated permissions for the application pool.

Running command from ASP.NET App Pool Identity

4 Answers4