0

The problem we have run into is as follows. We have an ASP.NET WebService which runs under IIS7. The code in the WebService works 100%, however when the WebService tries to run a .BAT file, nothing happens. Nothing at all, the code doesn't crash, the server doesn't warn us about anything, nothing at all.

We have tried setting the User Permissions, we have attempted different ways of running the BAT, we have tried playing around with the registry, cmd.exe has full rights as well.

We are now quite stumped as to what to do, any help would be appreciated.

jscott
Kyle Rosendo
  • How do you execute that .BAT file? Does the ASP.NET code execute it or is it called directly? And why would you even need to run a .BAT file? That seems like a real bad design to me. – Wim ten Brink Oct 14 '09 at 09:15
  • The execution is done via Code, however this is not the problem. The code works out of IIS 100%. The BAT file runs a command line process. The design is fine, this isn't your average ASP site. – Kyle Rosendo Oct 14 '09 at 09:40
  • And you're sure the .BAT file has enough access rights to execute correctly? Any applications it calls is set up correctly for the user account related to the IIS process? – Wim ten Brink Oct 14 '09 at 10:41
  • Yes, the BAT file has Full Control and the IIS process the same. The BAT file doesn't even open, any idea? – Kyle Rosendo Oct 14 '09 at 10:45
  • Did it work before? Did it work on IIS6? If not, it seems to me there's some flaw in the code. – Wim ten Brink Oct 14 '09 at 13:54

5 Answers

3

(Note: The old answer was sort of correct, sort of not correct. Out of the box, IIS can't execute cmd.exe instances, but it apparently is possible ... )

You can run batch files from within IIS, via ASP.NET, but it requires your impersonation settings to be 100% spot on.

I'm going to assume, for purposes of this post, that you are in a very secure environment and you've already considered all the potential attack vectors that could be opened by allowing IIS to execute batch files (which are in instances of cmd.exe.)

So the web process needs to be running as either Administrator (GAH!) or another account which can execute the batch process. I believe this will not be possible with the in-box ASPNET/IUSR_ accounts.

Activating impersonation is described here on MSDN; give it a day in court.

John Rudy
  • Thanks, I had done all of this and we eventually went with a different solution, however I feel this answer will get "googlers" on track the best, so I have marked it as accepted. – Kyle Rosendo Feb 22 '10 at 11:28
0

This should run as your app pool Identity user that the web service runs under. That is the user to ensure that it has adequate permissions to execute and run the batch file. It's likely not the anonymous user of the site unless you have impersonation turned on. That's my first guess.

Within the ASP.NET calling code, you should be able to get a return code or return message. If so, see if that gives any further clues.

Scott Forsyth
  • Unfortunately the WS just returns that it could not open the File that the batch file is meant to create. Cmd.exe simply doesn't open. Could you elaborate on the permissions; I am sure we have done everything we can there. – Kyle Rosendo Oct 15 '09 at 09:24
  • Check which app pool that the site is running under, then go to the Application Pools tab and confirm that the identity user that it's running under has enough access. By default it's 'Network Service' which likely doesn't have enough permissions. Additionally if you have Impersonation on it may run under the anonymous or authenticated user. My recommendation if you have 1 site per app pool, or all sites trust each other is to set the anonymous user on the site to run as the process identity (app pool user). Then you only have 1 user to worry about. – Scott Forsyth Oct 16 '09 at 13:28
  • Additionally, are you sure that the calling ASP.NET code is correct? Can you post the code that you're using? – Scott Forsyth Oct 16 '09 at 13:29
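As an added example (not part of any answer above, and not the asker's code), one way to get the return code and messages mentioned in this answer is to launch the batch through cmd.exe with redirected output and report the identity, exit code and any start failure. The class and method names `BatchDiagnostics` and `RunAndReport` are hypothetical, and the batch path is assumed to be a fixed server-side value.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;
using System.Text;

public static class BatchDiagnostics   // hypothetical helper, not from the page
{
    // batchPath must be a fixed server-side path, never built from request data.
    public static string RunAndReport(string batchPath, int timeoutMs)
    {
        var report = new StringBuilder();
        // Thread identity. Under impersonation this is the impersonated user, but a child
        // started with Process.Start still gets the worker process (app pool) token.
        report.AppendLine("Identity: " + WindowsIdentity.GetCurrent().Name);
        var stdout = new StringBuilder();
        var stderr = new StringBuilder();
        var psi = new ProcessStartInfo
        {
            FileName = Environment.GetEnvironmentVariable("ComSpec") ?? "cmd.exe",
            Arguments = "/c \"" + batchPath + "\"",
            WorkingDirectory = Path.GetDirectoryName(batchPath),
            UseShellExecute = false,        // required for output redirection
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            CreateNoWindow = true
        };
        try
        {
            using (var p = new Process { StartInfo = psi })
            {
                p.OutputDataReceived += (s, e) => { if (e.Data != null) stdout.AppendLine(e.Data); };
                p.ErrorDataReceived += (s, e) => { if (e.Data != null) stderr.AppendLine(e.Data); };
                p.Start();
                p.BeginOutputReadLine();    // asynchronous reads avoid a pipe deadlock
                p.BeginErrorReadLine();
                if (!p.WaitForExit(timeoutMs))
                {
                    p.Kill();
                    report.AppendLine("Timed out; the batch may be waiting for input.");
                }
                p.WaitForExit();            // flush remaining redirected output
                report.AppendLine("Exit code: " + p.ExitCode);
            }
        }
        catch (Win32Exception ex)           // cmd.exe could not be started at all
        {
            report.AppendLine("Start failed (" + ex.NativeErrorCode + "): " + ex.Message);
        }
        report.AppendLine("stdout: " + stdout).AppendLine("stderr: " + stderr);
        return report.ToString();
    }
}
```

Write the returned report to the service's own log rather than returning it to the caller, since it names the service account and may contain file paths.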
0

Suddenly I have a bright idea! Add a few "Echo sometext >>log.txt" lines in the code of the .BAT file so it will generate some logging. Then check if it does indeed write to this log file. It could be that the .BAT file is waiting for user input somewhere. Or it waits for the user to press a key to close the console window. Since this would be a server, there's no screen where it will display the console thus it waits forever for a user to press a key on the server.

Wim ten Brink
  • As I have said, the .BAT file never runs, doing logging in it would be pointless, also to answer your other question, yes, it works out of IIS, so it's not the code. – Kyle Rosendo Oct 14 '09 at 14:13
  • But how do you know it never runs the .BAT file? – Wim ten Brink Oct 14 '09 at 17:36
  • Because the BAT File never runs? I don't understand the question, how else would I know. – Kyle Rosendo Oct 15 '09 at 05:33
  • You seem sure that the .BAT file never executes, while I suspect the .BAT file just stops at some point, probably at one of the first statements. Is there a network/UNC path inside the .BAT file that is used? Is it calling some application that's located on a network share? – Wim ten Brink Oct 15 '09 at 06:44
  • The file never runs, ever. When you test it locally, the file runs, as in opens and does stuff. When done via the WebService, nothing, it never opens. The BAT file performs a single call on the local machine, that's it. – Kyle Rosendo Oct 15 '09 at 09:20
  • I suspect that the .BAT is executed but the first command inside it already fails. You might check this with the task manager or SysInternal's Process Explorer and just check if an additional process becomes active. Maybe the .BAT file can't find the executable or there could be something else going on. Just try to add logging to the .BAT file or else replace it with an empty one just to see what happens. – Wim ten Brink Oct 16 '09 at 08:07
0

Have you verified that the permissions of cmd.exe allow IIS to execute it? On my system, the default IIS account did not have the required permission.

Jeremy
0

Sounds like this was silently disabled probably because it seems like a popular malware attack vector.

Do you have another way of solving this problem?

Broam