3

When calling the following code, .NET issues Access is denied. I would like to use the System.Diagnostics library to obtain information about a process.

```csharp
using System.Diagnostics; // Process
using System.Linq;        // Any()

Process[] processes = Process.GetProcessesByName("MyProcess");

if (processes.Any())
{
   var process = processes[0];

   // Access is denied
   var startTime = process.StartTime;
}
```

The above code is part of an HttpGet method of an ASP.NET MVC Core 2.2 service running on IIS 10 (so far all locally). I am using System.Diagnostics.Process 4.3.0.

Adding the IIS AppPool to the local administrators group did not help. And that makes some sense given the documentation for this property, which states that the Process class contains a link demand, and that "A SecurityException is thrown when either the immediate caller or the derived class does not have full-trust permission." The problem is that I do not understand how to provide full trust in .NET Core web applications, and I haven't found any good examples on link demands. Is it in web.config - which part I thought went away with .NET Core if not earlier?

The process in which I am interested is a Windows console application in the same solution, but launched by a Windows scheduler.

I would expect to get the Process.StartTime, but instead get Access is denied. However, I am missing something in my security configuration.

So, assuming that IIS AppPool is the executor of the HttpGet, and the other process - a Windows console application - is running independently, how do I configure the security to enable a successful call of Process.StartTime?

PS - I have tried the [SecurityCritical] annotation on the method - no success.

tonyatl
  • Does anything change when you switch between [in-process and out-process configuration](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-2.2#enable-the-iisintegration-components)? – GSerg Apr 26 '19 at 16:56
  • Same results. I specifically want to use InProcess. – tonyatl Apr 26 '19 at 17:06
  • 1
    This is not a .NET exception, it is the OS that objects against you trying to access the process. You need to configure the scheduled task with another account. – Hans Passant Apr 26 '19 at 17:18
  • 1. I didn't say that it was a .NET exception - my wording is very precise and deliberate. 2. Another account is not an option. There should be a way to permeate the walls through appropriate configuration of the service assembly. – tonyatl Apr 26 '19 at 17:38
  • Not a solution about your specific scenario, but have you considered using Kestrel instead of IIS, this way there should be one less thing to configure. – Matthew Apr 26 '19 at 17:41
  • 1
    Yes, I have played with Kestrel for this project, and not sure if that would help this specific issue, but IIS is where the solution needs to reside. – tonyatl Apr 26 '19 at 18:01

1 Answer

0

Within IIS you can set the Application Pool your site uses to run as a specified user.

Within your task scheduler you can also set your console application to run as a specified user.

I would recommend running these as the same user.

I would give full permissions to your application pool user on the folder that your console application resides in.

You need to add your Application Pool user to the "Performance Log Users" group and/or the "Performance Counter Users" group (depending on whether they only need read privileges). I would have expected making this user an admin would have resolved your issue, but it would seem that is not the case. (I would recommend reading through this very similar question as well)

PS - you no longer have a web.config by default, but it can still be added to projects and has many uses (such as configuring your IIS site settings when using One-Click Publish from Visual Studio).

App-Devon
  • 1
    "Adding the IIS Apppool to the local administrators group did not help." – GSerg Apr 26 '19 at 22:18
  • Thanks, I forgot about that part in the question (edited accordingly). They may need to use the open-source Git repos that the user in my linked question went with in that case. – App-Devon Apr 26 '19 at 22:21
  • No good - no one is reading the question. I specifically stated that I did not want to correlate users - i.e. use the same one across processes - this is a hack and not permitted in my environment. The Core documentation specifically talks about trust levels for this class, so I expected an answer along those lines. Adding the app pool users to the designated groups is NOT a solution - it doesn't and can't work. Sorry to be a crank but I have implemented my own ProcessManager and have moved on. – tonyatl Apr 29 '19 at 17:28
  • @tonyatl, you never state that they cannot be the same user, just that they cannot be an administrator. Rather than remarking that you fixed the problem, I would recommend you provide your solution as an answer to your own question for people who are trying to solve this problem in the future. – App-Devon Apr 29 '19 at 17:47
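
An added example, not code from the question or the answer above: a small probe that reads `Process.StartTime` and reports why it failed, so an OS-level denial can be told apart from a process that has already exited. The names `ProcessStartTimeProbe` and `TryGetStartTime` are hypothetical, and it assumes the denial surfaces as a `Win32Exception` carrying native error 5 (`ERROR_ACCESS_DENIED`), which is how the Windows implementation of `Process` reports a refused process handle.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;

public static class ProcessStartTimeProbe
{
    private const int ErrorAccessDenied = 5; // Win32 ERROR_ACCESS_DENIED

    // Returns the start time, or null plus a reason when it cannot be read.
    public static DateTime? TryGetStartTime(Process process, out string reason)
    {
        try
        {
            reason = null;
            return process.StartTime; // needs a query handle on the target process
        }
        catch (Win32Exception ex) when (ex.NativeErrorCode == ErrorAccessDenied)
        {
            // The OS refused the handle for the account this code runs as
            // (the application pool identity when hosted in IIS).
            reason = $"access denied by the OS for caller '{Environment.UserName}'";
        }
        catch (InvalidOperationException)
        {
            reason = "process has exited";
        }
        catch (NotSupportedException)
        {
            reason = "process is on a remote machine";
        }
        return null;
    }

    public static void Main()
    {
        // "MyProcess" is the process name used in the question.
        foreach (var p in Process.GetProcessesByName("MyProcess"))
        {
            using (p)
            {
                var started = TryGetStartTime(p, out var reason);
                Console.WriteLine(started.HasValue
                    ? $"{p.ProcessName} (pid {p.Id}) started {started.Value:o}"
                    : $"{p.ProcessName} (pid {p.Id}): {reason}");
            }
        }
    }
}
```

Running the same probe once from a console session and once inside the IIS-hosted service shows which account each call runs as and whether the denial depends on the caller.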