2

The context here is that we have a C# service that normally runs scheduled jobs, but an executable was created that allows jobs to be triggered manually via command line. We put that executable on a separate IIS server, and did NOT install it as a service. The code inside the app to determine how it's being run is simply:

if (Environment.UserInteractive)
{
     //parse the parameters and run the specified job
}
else
{
     //start the service jobs
}

I made an API as a wrapper to call that executable, which uses the following code to run the executable with arguments as a user of the machine.

var proc = new Process
{
     StartInfo = new ProcessStartInfo
     {
          WorkingDirectory = (absolute path of the folder that contains the exe),
          FileName = (absolute path to the exe),
          Arguments = (args),
          UseShellExecute = false,
          RedirectStandardOutput = true,
          RedirectStandardError = true,
          CreateNoWindow = true,
          Domain = (domain),
          UserName = (username),
          Password = (password),
          Verb = "runas"
     }
};
proc.Start();
proc.WaitForExit();

The API and the exe live in the same base folder. The API runs in IIS under an app pool user that is the same user it is running the process with. This user has Full Access permissions to the folder and executable, as well as the app pool user. We also added the user to the Administrator's group on that machine.

Running the exe via command line locally on that machine works fine. Only when calling from this application do we get the following error:

System.ComponentModel.Win32Exception (5): Access is denied
at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at System.Diagnostics.Process.Start()

I've confirmed that we are targeting the right file, that my SessionId is not 0 (I would get an error saying the service was not installed whenever I didn't start the process as a specified user), and that the app pool user and windows user have permissions to execute the file. UAC is off, and the API and exe are not on the C:/ drive. After hours of googling and trying different things, I'm out of ideas. Any help would be very appreciated.

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343
EPalm22
  • 45
  • 2
  • 6
  • The normal user on a IIS Server does not have access to read/write on the server. So either you have to do all the read/writes on the client PCs (or Network drive) or run the application with Admin Privileges. – jdweng Aug 10 '18 at 18:05
  • When you say "run the application with Admin Privileges", do you mean have the API in IIS running with admin privs, or do you mean run the executable with admin privs? – EPalm22 Aug 10 '18 at 18:09
  • The API. Although I don't like recommending running with Admin on IIS. Better to make sure you aren't reading or writing on the server. Use folders that users have access privilege. – jdweng Aug 10 '18 at 18:15
  • I see. The API is currently running under a user that has domain admin privilege, which is overkill, but I've been trying to grant all the permissions I can just to get it working and will scale back afterwards. Could it be a problem if the user that the application is running under is the same user specified in ProcessStartInfo? That's how it is currently set up. And this user does have access to the folder that contains the exe – EPalm22 Aug 10 '18 at 18:34
  • what files and folders does the program use? This isn't about the startup folder. does the program run when the user runs from the IIS and not over the network? Does the user have admin privilege on the startup PC. Is the user in the same Group on both local PC and IIS? Are the Group Policy set properly to let the user execute remotely? – jdweng Aug 10 '18 at 21:47
  • The program lives on W:/Sites/[MyProgram]/[Version] – EPalm22 Aug 13 '18 at 14:07
  • The exe lives on W:/Sites/[MyProgram]/[exe]/myexe.exe The API program itself runs fine locally or from over the network, but either way it gets the same error when trying to run the exe. The user does have admin privilege on the server, it belongs to the Administrators group, and the API program uses this user in its IIS App Pool. I'm not sure about the group policy being able to execute remotely, I will look into that – EPalm22 Aug 13 '18 at 14:16
  • Usually to run with admin privilege you need to add a dollar sign the the drive W$:/Sites – jdweng Aug 13 '18 at 16:58

0 Answers0