0

I am trying to launch a process from a web page's back-end code/app pool. This process will launch an app that I built myself.

For some reason, the process only works / runs when I start it from VS2013... it never works when I launch it from IIS (7.5) itself.

I am on a Windows 7 machine (both IIS host, and App location), and I've set up my web site to only be accessible via internal network.

Here's the code, followed by the config / attempts to fix the issue:

protected void btn_DoIt_Click(object sender, EventArgs e)
{
    string file_text = this.txt_Urls.Text;

    if (!String.IsNullOrWhiteSpace(file_text))
        File.WriteAllText(ConfigurationManager.AppSettings["filePath"], file_text);

    ProcessStartInfo inf = new ProcessStartInfo();

    SecureString ss = GetSecureString("SomePassword");
    inf.FileName = @"........\bin\Release\SomeExecutable.exe";
    inf.Arguments = ConfigurationManager.AppSettings["filePath"];
    inf.UserName = "SomeUserName";
    inf.Password = ss;
    inf.UseShellExecute = false;
    //launch desktop app, but don't close it in case we want to see the results!
    try
    {
        Process.Start(inf);
    }
    catch(Exception ex)
    {
        // Show the failure and stop, so the status text below does not overwrite it.
        this.txt_Urls.Text = ex.Message;
        return;
    }

    this.txt_Urls.Enabled = false;
    this.btn_DoIt.Enabled = false;
    this.txt_Urls.Text = "Entries received and process started. Check local machine for status update, or use refresh below.";
}

Here are the things I've tried to resolve the issue:

  1. Made sure the executing assembly was built with AnyCPU instead of x86
  2. Ensured that the AppPool that runs the app, also runs under the same account (SomeUsername) as the ProcessStartInfo specified.
  3. Ensured that the specific user account has full access to the executable's folder.
  4. Ensured that IIS_USR has full access to the executable's folder.
  5. Restarted both the app pool and IIS itself many times over implementing these fixes

I am now at a loss as to why this simply will not launch the app... When I first looked into the event log, I saw that the app would die immediately with code 1000:KERNELBASE.dll, which got me on the AnyCPU config instead of X86 fix... That fixed the event log entries, but the app still doesn't start (nothing comes up in Task Manager), and I get no errors in the event log...

If someone could help me fix this problem I would really appreciate it. This would allow me to perform specific tasks on my main computer from any device on my network (phone, tablet, laptop, etc.) without having to be in front of my main PC...

UPDATE

The comment to my OP, and ultimate answer from @Bradley Uffner actually nailed the problem on the head: My "app" is actually a desktop application with a UI, and in order to run that application, IIS would need to be able to get access to the desktop and the UI, just like if it were a person sitting down in front of the PC. This of course is not the case since IIS is running only as a service account and it makes sense that it shouldn't be launching UI programs in the background. Also see his answer for one way of getting around this.

John Saunders
MaxOvrdrv
  • It is dangerous to run IIS with a high-privilege account. Consider instead having your web app set a flag (e.g. in a database, by posting to a message queue, by creating a file, etc.) that causes the process to begin running. – Eric J. Oct 20 '14 at 02:34
  • I'm not worried about who runs it (local network only), or what it does (the app does something specific that doesn't affect the PC at all), or what gets passed to it because the app is built securely (only specific things, in specific formats, cause it to do anything)... otherwise, it simply exits and logs an invalid attempt... no really not worried about it, just want it to run. – MaxOvrdrv Oct 20 '14 at 02:38
  • A hacker that can figure out how to access Port 80 in your local network can leverage the elevated permissions of IIS along with any security vulnerabilities that happen to be present in IIS to gain all of the privileges of the user running IIS, including access to files and executing arbitrary code. If that doesn't worry you, you're good. It would worry me. – Eric J. Oct 20 '14 at 02:46
  • @EricJ. Like I said... my system and my network are very well protected. I understand what you're saying but I'm not worried about someone getting access to port 80 because I'm not using port 80, the port I'm using is blocked for any outside calls by: my gateway, my modem router, my internal router, my native (win) firewall and my 3rd party firewall that resides on top of the (win) one. So is port 80... if that can soothe you a bit ;) – MaxOvrdrv Oct 20 '14 at 02:57
  • Twitter. LinkedIn. Target. eBay. Domino's Pizza. PF Chang. They all thought they had very well protected systems. Your call. – Eric J. Oct 20 '14 at 03:01
  • It is! Again, not being posted to the outside world... those sites are available to the world... mine isn't... it's only available to my network. In any case, it doesn't solve my problem... – MaxOvrdrv Oct 20 '14 at 03:09
  • Your code refers to the application as a "desktop app", does this mean it has a user interface? IIS runs as a service account without access to a desktop "context", it won't be able to display the UI and the program will probably fail immediately. Unfortunately I can't really think of a good solution if this is the case. – Bradley Uffner Oct 20 '14 at 03:22
  • ahhhh... indeed it does have a UI... so because IIS is a service, it cannot launch any apps with a UI? – MaxOvrdrv Oct 20 '14 at 16:36
  • @MaxOvrdrv is the application a .NET executable? If so, you can possibly add a reference to it as if it was a DLL and execute it programmatically. – Chris Marisic Oct 20 '14 at 17:10

2 Answers

3

Your best bet might be to try writing this as 2 parts: a web site that posts commands to a text file (or database, or some other persistent storage), and a desktop application that periodically polls that file (database, etc.) for changes and executes those commands. You could write out the entire command line, including exe path, command arguments, and switches.

This is the only way I can really think of to allow a service application like IIS to execute applications that require a desktop context with a logged in user.

Bradley Uffner
  • So far this is what makes the most sense. Short of just re-writing the code so that the actual work, which is currently done inside the desktop app, now also runs directly on the back-end of the ASP.Net page.... which would actually solve everything. The rights in that scenario then would simply have to have access to the folders I'm interacting with and wouldn't have to know or mess with the Win Desktop context since no UI is invoked. I'll see what I want to implement in the end but yeah... this now makes sense (along with your comment on OP) and this actually explains why it was failing. – MaxOvrdrv Oct 20 '14 at 16:47
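The two-part design from the answer above, sketched as an added example (not code from the answer or from the asker's project). Unlike the suggestion to write out the whole command line, the queue here carries only validated URL data, so the desktop side never runs a path or arguments chosen by the web tier. `UrlJobQueue`, `Enqueue`, `Drain` and the spool folder are hypothetical names.

```csharp
using System;
using System.IO;
using System.Linq;

// Added example: hypothetical names throughout; the sample URLs in Main are constructed.
static class UrlJobQueue
{
    // Web side (runs in the app pool): validate, then publish the job atomically.
    public static string Enqueue(string spoolDir, string urlsText)
    {
        string[] urls = urlsText.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries)
                                .Select(u => u.Trim()).Where(u => u.Length > 0).ToArray();
        if (urls.Length == 0 || !urls.All(IsAllowedUrl))
            throw new ArgumentException("Only absolute http/https URLs are accepted.");
        string name = Guid.NewGuid().ToString("N");       // server-chosen name, never user input
        string tmp = Path.Combine(spoolDir, name + ".tmp");
        string job = Path.Combine(spoolDir, name + ".job");
        File.WriteAllLines(tmp, urls);
        File.Move(tmp, job);                               // rename so the poller never sees a partial file
        return job;
    }

    // Desktop side (runs in the logged-in user's session): re-validate, pass data only.
    public static int Drain(string spoolDir, Action<string[]> handler)
    {
        int done = 0;
        foreach (string job in Directory.GetFiles(spoolDir, "*.job"))
        {
            string[] urls = File.ReadAllLines(job);
            if (urls.Length > 0 && urls.All(IsAllowedUrl)) { handler(urls); done++; }
            File.Delete(job);                              // rejected jobs are dropped, not retried
        }
        return done;
    }

    static bool IsAllowedUrl(string s)
    {
        Uri u;
        return Uri.TryCreate(s, UriKind.Absolute, out u)
            && (u.Scheme == Uri.UriSchemeHttp || u.Scheme == Uri.UriSchemeHttps);
    }

    static void Main()
    {
        string spool = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "url-spool-demo")).FullName;
        Enqueue(spool, "https://example.com/a\r\nhttp://example.org/b");
        int n = Drain(spool, urls => Console.WriteLine("processing " + urls.Length + " URLs"));
        Console.WriteLine(n + " job(s) handled");
    }
}
```

In a deployment along these lines, the app pool identity needs only write access to the spool folder and the desktop application calls `Drain` on a timer, so IIS can stay on a low-privilege identity.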
0

You should assign a technical user with high enough privileges to the running application pool. By default the application pool is running with the ApplicationPoolIdentity identity, which has very low privileges.

Peter Kiss