User ApplicationPool vs StartInfo.Username?

I tested (over the last 4 days) a lot of options for starting a process under IIS7 (ASP.NET).

I have found a solution.

As long as we do not need to interact with the desktop and just need to run cmd (or something like that), it's simple:

  • The w3wp user -> must be a highly privileged user.

  • The user in the process start information ( StartInfo.UserName ) -> should also be a highly privileged user.

However, there is a catch (according to my tests):

Both users must be the same (if we want to execute cmd)! This is the only way it works.

So here are my 2 questions:

  • Why must they both be the same? Can't w3wp running as high-privileged UserA start (via process.StartInfo) cmd as high-privileged UserB?

  • Both users are domain administrators (and also members of my local Administrators group). Can only a domain administrator / local administrator run processes on the local computer?

PS: All folder permissions: Everyone: Full Control (including c:\windows\*.* /s and the permissions on cmd.exe), and both users, as already mentioned, are admins on the local machine with the same cloned permissions. The IIS7 handler mapping * [static file] is set to read + execute.

In addition, the complete cmd command:

cmd /c time /t >c:\1.txt . Success means the file exists. (And I only succeed when both accounts are the same.)

Full code:

    using System.Diagnostics;

    Process proc = new Process();
    proc.StartInfo.FileName = "cmd";
    proc.StartInfo.UseShellExecute = false;   // required when UserName/Password are supplied
    proc.StartInfo.UserName = "Royin";        // <-- only if this user is the same as the w3wp user does the operation succeed!
    proc.StartInfo.Domain = ...;
    proc.StartInfo.WorkingDirectory = @"c:\windows\system32";   // the property is WorkingDirectory, not WorkingFolder
    proc.StartInfo.Password = ...;            // a SecureString
    proc.StartInfo.Arguments = @"/c time /t >c:\1.txt";
    proc.Start();
+4
1 answer

Well, firstly, I highly recommend using the excellent SysInternals Process Monitor to help debug any problem like this.

This application will basically tell you about every action the process is trying to take, so in your situation you will see it trying to call QueryOpen , ProcessCreate , etc.

Have you checked the ExitCode of the process in the failing scenario? I would be willing to bet real money that it returns 0xC0000142 (-1073741502), which means something like "failed to load DLL". Running anything within the system32 path, even with privileged user credentials, will be tripped up by permission issues, again because of the initialization procedure for creating the process.

Basically, the Process.Start flow looks something like this:

(assumptions: UserA == the user the w3wp process is running as, UserB == the impersonation context, UserC == the credentials specified in the process start info)

  1. First, UserB will not have much impact, as we discussed in other conversations; anything involved in creating the process will be based on the process token of the "launching object", so UserA's credentials are the ones we care about.

  2. The runtime says: "Hey, can UserA access the file named in StartInfo.FileName ?"

  3. Windows answers yes / no, but also "BUT, to use this, you must also be able to read all these other DLLs"

  4. The runtime replies, "Well, can the user access these DLLs?"

  5. If the answer to all of the above is yes, then the runtime says "OK, log this user in and try to create a new process using the command line and cmd arguments ..."

Most likely you are running into problems at #2 or #4, because the default application pool identity does not have read access to the System32 folder. That is why, when you switch the identity of the w3wp process to a privileged account, it works.

You can try a couple of things, but the easiest option is probably to switch back to a low-privilege account (for example, the default application pool identity) and grant that account read-only access to the system32 folder.

I would ABSOLUTELY not run w3wp as a privileged user, though - it is just asking for massive headaches if something unpleasant happens, like someone hacking you.

Oh, last thoughts:

  • DO NOT set UseShellExecute to true if you can help it; it does strange things.

  • DO NOT set LoadUserProfile to true if you can help it; it also does strange things, and is also very slow.

  • DO set CreateNoWindow to true if you can, otherwise you will see lots of windows open / close on the server.

  • DO use RedirectStandardOutput / RedirectStandardError instead of piping output; it is more manageable and gives better feedback when something is wrong.

  • DO always check the ExitCode of the process if it does not look as if it worked.

+2
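The answer's checklist, as an added example that is not code from the original question or answer: a small launcher that follows the DO / DO NOT points above (no ShellExecute, no user profile, no window, redirected output) and inspects the ExitCode for the 0xC0000142 initialisation failure the answer predicts. The class and method names, the 10-second timeout and the sample command are assumptions made for illustration; by default it runs the child under the caller's own token, i.e. the application-pool identity, which is the low-privilege setup the answer recommends.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Threading.Tasks;

// Added example, not code from the original post. Names below are assumptions.
public static class ChildProcessRunner
{
    // STATUS_DLL_INIT_FAILED as a signed exit code: 0xC0000142 == -1073741502.
    // Returned when the launching token cannot read the executable's dependent DLLs.
    public const int StatusDllInitFailed = unchecked((int)0xC0000142);

    public sealed class Result
    {
        public int ExitCode;
        public string StandardOutput;
        public string StandardError;
        public bool ProcessFailedToInitialise => ExitCode == StatusDllInitFailed;
    }

    // When userName is null the child inherits the caller's token (the w3wp
    // application-pool identity); alternate credentials are optional, not the default.
    public static Result Run(string fileName, string arguments, TimeSpan timeout,
                             string userName = null, string domain = null,
                             SecureString password = null)
    {
        var psi = new ProcessStartInfo
        {
            FileName = fileName,
            Arguments = arguments,
            WorkingDirectory = @"C:\Windows\System32",
            UseShellExecute = false,       // required for redirection and for credentials
            LoadUserProfile = false,       // profile loading is slow and rarely needed
            CreateNoWindow = true,         // no console windows appearing on the server
            RedirectStandardOutput = true, // capture output instead of shell ">" redirection
            RedirectStandardError = true,
        };

        if (!string.IsNullOrEmpty(userName))
        {
            psi.UserName = userName;
            psi.Domain = domain;
            psi.Password = password;
        }

        using (var proc = new Process { StartInfo = psi })
        {
            proc.Start();

            // Drain both pipes concurrently: reading them one after the other can
            // deadlock when the child fills one pipe while we block on the other.
            Task<string> stdout = proc.StandardOutput.ReadToEndAsync();
            Task<string> stderr = proc.StandardError.ReadToEndAsync();

            if (!proc.WaitForExit((int)timeout.TotalMilliseconds))
            {
                proc.Kill();
                throw new TimeoutException($"{fileName} did not exit within {timeout}.");
            }
            Task.WaitAll(stdout, stderr);

            return new Result
            {
                ExitCode = proc.ExitCode,
                StandardOutput = stdout.Result,
                StandardError = stderr.Result,
            };
        }
    }

    // Constructed usage: the question's "time /t" command, with the output captured
    // here rather than written to C:\1.txt by the shell.
    public static void Main()
    {
        Result r = Run("cmd.exe", "/c time /t", TimeSpan.FromSeconds(10));

        if (r.ProcessFailedToInitialise)
            Console.Error.WriteLine(
                "Child failed to initialise (0xC0000142): the launching token probably " +
                "lacks read/execute on the executable or its DLLs; trace it with Process Monitor.");
        else if (r.ExitCode != 0)
            Console.Error.WriteLine($"Exit code {r.ExitCode}: {r.StandardError}");
        else
            Console.WriteLine($"cmd reported: {r.StandardOutput.Trim()}");
    }
}
```

Checking ExitCode against the signed form of 0xC0000142 is what turns "the file was not created" into a concrete diagnosis: that status means the process never reached its entry point, so the fix is read access to the executable and its DLLs for the launching identity, not a different set of credentials in StartInfo.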
