
I have an exe app that I run on IIS (from C:\inetpub\wwwroot in DefaultAppPool) and it needs to access the registry, but it doesn't work; it seems like it doesn't have permission. What's weird is I ran it on Windows 8 and it works fine, but on Windows 7 and Server 2012 hosts it doesn't run. I know registry keys have permissions and I've even tried to set Everyone to full control, but it still fails. I also tried both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, no luck.

I did read about trust levels but I'm unsure what those are, the only references I could find related to ASP apps. Is there something I need to add to web.config or to IIS management console to allow my CGI app to access the Registry, ideally under HKCU?

Edit: Tried to see what went on with Process Monitor but I can't see any line about it. I did however write this quick Perl script to replicate this:

```perl
use strict;
use Win32API::Registry qw(:ALL);
print "Content-type: text/plain\n\n";

# Try to create (or open) a test key under HKCU; print the Win32 error text on failure.
RegCreateKeyEx(HKEY_CURRENT_USER, "Software\\TestingRegistryAccess", 0, "", REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, [], my $rh, []) or print regLastError();
if(defined($rh)) { RegCloseKey($rh); }
```

And the output is:

```
Access is denied.
```

So there has to be some way to allow a CGI script to access this, it works on my Win8 desktop.

chicks
Dendory
  • Why do you want to read the registry, and not a config file? You can't port your CGI to a Linux OS too, and the API to read the registry overloads your CGI IMO – yagmoth555 Dec 06 '14 at 00:18
  • It stores config values like database name etc. And that isn't really the point. It works on Windows 8 so I'm assuming there's some way to allow a CGI app to write to the registry as a normal app would... – Dendory Dec 06 '14 at 00:22
  • For security purposes the CGI is isolated; that means it's not secure on your Win8. – yagmoth555 Dec 06 '14 at 00:23
  • How is writing in the current folder more secure than writing a registry key..? – Dendory Dec 06 '14 at 00:24
  • Run Process Monitor and watch for access denied. The user is more like IUSR, for IIS user; Everyone is not enough. – yagmoth555 Dec 06 '14 at 00:25
  • Both are not secure, but it's isolated in the CGI folder, you don't open other locations. It's called risk management – yagmoth555 Dec 06 '14 at 00:27
  • Ok then, tell me how to give a CGI app access to write to a file? I just tried this Perl script: `print "Content-type: text/plain\n\n"; open(F, ">test.txt") or print $!;` and it failed with **Permission denied**. – Dendory Dec 06 '14 at 00:48
  • Add the Internet guest account IUSR to a folder your cgi got access to – yagmoth555 Dec 06 '14 at 01:07
  • Nope, regardless of what permission I give to `C:\inetpub\wwwroot\test`, even **Full Control** to **Everyone**, I still can't write to a file. Yet if I try to write to `C:\temp` it works on the first try, without any change needed. Still, all of this doesn't solve my initial problem. – Dendory Dec 06 '14 at 01:26
  • Try by setting the CGI option to impersonate user at off, will run under system account... – yagmoth555 Dec 06 '14 at 01:41
  • So I managed to find a way to get it to work, but it doesn't really solve my issue completely. If I create a new user, then in IIS mgr I convert the folder into an Application, set Connect As.. to that user, then set `cgi runAsProcess` to true, then it works. But that's a ridiculous setup process, plus leaves a new user with a non-expiring password, bad security practice. I cannot believe that writing a config file in the current folder (accessible to all) is a better way to do things. **How** am I supposed to store basic settings for a CGI app (like database address, etc) ?? – Dendory Dec 06 '14 at 02:30
  • As CGIs are executed, and can never be downloaded (unless someone hacks the server, but at this point he has full server access), I used to hard code my settings in the CGIs I used to create (but it was in C). The fact you write seems a bigger problem, but I know that you can create a folder outside of inetpub, but at this point a more skilled IIS user will have to help you correctly. Like the php.ini, or such config, it's stored on the server too. The problem with the registry is that if you write there and it corrupts it, you break the Windows or user profile; in a folder there is quota, etc. – yagmoth555 Dec 06 '14 at 02:39

1 Answer


After hours working on this, I figured out that Registry permissions do not matter when it comes to CGI scripts; even with Everyone having Full Access, IIS still blocks it. The only way a web app can access the registry is by running as a normal user, instead of as IUSR.

I wrote a batch script that assigns a username/password to virtual directories, creates a virtual directory for my web app, and allows the app to run:

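```bat
@echo off
rem Prompt for the account the virtual directories will connect as.
set /p id="Username: "
set /p pass="Password: "
rem Set that account as the default "Connect As" identity for the site's virtual directories.
%windir%\system32\inetsrv\appcmd set site "Default Web Site" -virtualDirectoryDefaults.userName:"%id%" -virtualDirectoryDefaults.password:"%pass%"
rem Map the current directory to /nodepoint.
%windir%\system32\inetsrv\appcmd add vdir /app.name:"Default Web Site/" /path:/nodepoint /physicalPath:"%CD%"
rem Allow the executable in the ISAPI/CGI restriction list.
%windir%\system32\inetsrv\appcmd set config -section:isapiCgiRestriction /+"[path='%CD%\app.exe',allowed='true',description='Web App']"
```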

Hopefully this is useful to others as well.

Dendory
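An added diagnostic, not part of the question or the answer above: a Perl CGI script that reports which account the CGI process is running as and which access masks that account is granted on each hive's `Software` key, so the identity and the denied right are visible before any ACL or "Connect As" change. The choice of `Software` as the probe key and the output layout are assumptions of this example.

```perl
use strict;
use warnings;
use Win32;
use Win32API::Registry qw(:ALL);

print "Content-type: text/plain\n\n";

# Account the CGI process actually runs as (for example IUSR, the
# application pool identity, or the "Connect As" user set in IIS).
print "Running as: ", Win32::LoginName(), "\n\n";

# Hives and access masks to probe; the labels are only for the report.
my @hives = (
    [ HKEY_CURRENT_USER,  "HKCU" ],
    [ HKEY_LOCAL_MACHINE, "HKLM" ],
);
my @rights = (
    [ KEY_READ,       "KEY_READ" ],
    [ KEY_WRITE,      "KEY_WRITE" ],
    [ KEY_ALL_ACCESS, "KEY_ALL_ACCESS" ],
);

for my $hive (@hives) {
    for my $right (@rights) {
        my $handle;
        # Open <hive>\Software requesting only this access mask.
        # Nothing is created or modified by the probe.
        if ( RegOpenKeyEx( $hive->[0], "Software", 0, $right->[0], $handle ) ) {
            printf "%-4s %-14s granted\n", $hive->[1], $right->[1];
            RegCloseKey($handle);
        }
        else {
            # regLastError() returns the Win32 error text of the failed call.
            printf "%-4s %-14s %s\n", $hive->[1], $right->[1], regLastError();
        }
    }
}
```

Requesting the narrowest mask that succeeds (for a settings reader, `KEY_READ`) instead of `KEY_ALL_ACCESS` keeps the account the CGI runs as from needing write access to the key at all.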