S Hayes #1
Access Denied executing Batch File from CreateProcessAsUser
I am trying to run a batch file from within an ASP.NET web service and am
receiving an Access Denied error. I have verified that the impersonated user
has proper rights to the directory that the batch file is in by executing a
program from the same directory. It seems that everything works fine for non
batch file execution, but batch files return an error.
I'm currently running under IIS 5.
--
STH
S Hayes Guest
-
Yunus Emre ALPÖZEN [MCP] #2
Re: Access Denied executing Batch File from CreateProcessAsUser
The batch file is executed under the IIS user account. You should define rights for
it. Impersonation doesn't work for your scenario.
Yunus Emre ALPÖZEN [MCP] Guest
-
S Hayes #3
Re: Access Denied executing Batch File from CreateProcessAsUser
I don't understand what you mean by "The batch file executed under IIS user
account". I am using the CreateProcessAsUser which will create the process
using the credentials of the passed in Token which I am getting from the
Impersonated user. Again, I have verified this works when executing a
program file, but fails when executing a batch file.
S Hayes Guest
-
Yunus Emre ALPÖZEN [MCP] #4
Re: Access Denied executing Batch File from CreateProcessAsUser
Do you develop an ASP.NET web service?
"CreateProcessAsUser property specifies whether a CGI process is created in
the system context or in the context of the requesting user"
not a batch application.
My advice to you is to use System.Diagnostics.Process...
Do you have any sample code to cause the error again?
Yunus Emre ALPÖZEN [MCP] Guest
-
S Hayes #5
Re: Access Denied executing Batch File from CreateProcessAsUser
I can't use System.Diagnostics.Process in my case since this class ALWAYS
creates the process with the underlying process security context, not the
impersonated user's security context.
This code is being executed within an ASP.NET web service.
The following is the function that is being called. When the executable
parameter passed in is a batch file, I get the 'Access Denied' error on the
CreateProcessAsUser call. If the executable parameter is a program, then
everything works nicely. As stated in earlier Threads, both the batch file
and the program file are in the same directory and the impersonated user has
Full rights.
<<**********************************
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Exceptions.SecurityException and Exceptions.WarningException are the
// poster's own exception types and are not shown in the post.
// The class name below is a placeholder; the post shows only the members.
public class ProcessRunner
{
    #region Win32 declarations
    [StructLayout(LayoutKind.Sequential)]
    private struct STARTUPINFO
    {
        public int cb;
        public String lpReserved;
        public String lpDesktop;
        public String lpTitle;
        public uint dwX;
        public uint dwY;
        public uint dwXSize;
        public uint dwYSize;
        public uint dwXCountChars;
        public uint dwYCountChars;
        public uint dwFillAttribute;
        public uint dwFlags;
        public short wShowWindow;
        public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    private struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public uint dwProcessId;
        public uint dwThreadId;
    }

    [StructLayout(LayoutKind.Sequential)]
    private struct SECURITY_ATTRIBUTES
    {
        public int Length;
        public IntPtr lpSecurityDescriptor;
        public bool bInheritHandle;
    }

    [DllImport("kernel32.dll")]
    private static extern bool GetExitCodeProcess(IntPtr hProcess, out uint lpExitCode);

    [DllImport("kernel32", SetLastError=true, ExactSpelling=true)]
    private static extern Int32 WaitForSingleObject(IntPtr handle, Int32 milliseconds);

    [DllImport("kernel32.dll", EntryPoint="CloseHandle", SetLastError=true,
        CharSet=CharSet.Auto, CallingConvention=CallingConvention.StdCall)]
    private extern static bool CloseHandle(IntPtr handle);

    [DllImport("advapi32.dll", EntryPoint="CreateProcessAsUser",
        SetLastError=true, CharSet=CharSet.Ansi,
        CallingConvention=CallingConvention.StdCall)]
    private extern static bool CreateProcessAsUser(IntPtr hToken,
        String lpApplicationName, String lpCommandLine,
        ref SECURITY_ATTRIBUTES lpProcessAttributes,
        ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandle,
        int dwCreationFlags, IntPtr lpEnvironment,
        String lpCurrentDirectory, ref STARTUPINFO lpStartupInfo,
        out PROCESS_INFORMATION lpProcessInformation);

    // Win32 order is ImpersonationLevel, then TokenType. The posted declaration
    // had the two parameter names swapped; the call below already passed the
    // values in the Win32 order.
    [DllImport("advapi32.dll", EntryPoint="DuplicateTokenEx", SetLastError=true)]
    private extern static bool DuplicateTokenEx(IntPtr ExistingTokenHandle,
        uint dwDesiredAccess,
        ref SECURITY_ATTRIBUTES lpTokenAttributes, int ImpersonationLevel,
        int TokenType, ref IntPtr DuplicateTokenHandle);
    #endregion

    public static int RunProcessAsUser(string executable, string cmdLine, int timeOut)
    {
        int errorCode = 0;
        bool ret;
        IntPtr token = new IntPtr(0);
        IntPtr dupedToken = new IntPtr(0);

        SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
        sa.bInheritHandle = false;
        sa.Length = Marshal.SizeOf(sa);
        sa.lpSecurityDescriptor = (IntPtr)0;

        // Token of the identity the thread is currently running as
        // (the impersonated user when impersonation is active).
        token = WindowsIdentity.GetCurrent().Token;
        const uint GENERIC_ALL = 0x10000000;
        const int SecurityImpersonation = 2;
        const int TokenType = 1; // TokenPrimary

        // CreateProcessAsUser needs a primary token, so duplicate the current one.
        ret = DuplicateTokenEx(token, GENERIC_ALL, ref sa, SecurityImpersonation,
            TokenType, ref dupedToken);
        if (ret == false)
        {
            errorCode = Marshal.GetLastWin32Error();
            throw new Exceptions.SecurityException("Unable to duplicate User Security Token",
                new Win32Exception(errorCode));
        }

        try
        {
            STARTUPINFO si = new STARTUPINFO();
            si.cb = Marshal.SizeOf(si);
            si.lpDesktop = "";
            PROCESS_INFORMATION pi = new PROCESS_INFORMATION();

            // 'executable' is passed as lpApplicationName unchanged, whether it
            // names a program or a batch file.
            ret = CreateProcessAsUser(dupedToken, executable, cmdLine, ref sa, ref sa,
                false, 0, (IntPtr)0, null, ref si, out pi);
            if (ret == false)
            {
                errorCode = Marshal.GetLastWin32Error();
                throw new Exceptions.SecurityException("Unable to Create Process for User",
                    new Win32Exception(errorCode));
            }

            try
            {
                if (WaitForSingleObject(pi.hProcess, timeOut) != 0)
                    throw new Exceptions.WarningException("Timeout running User Process");
                uint ec;
                GetExitCodeProcess(pi.hProcess, out ec);
                errorCode = (int)ec;
            }
            finally
            {
                // Release the process handles on the timeout path as well.
                CloseHandle(pi.hProcess);
                CloseHandle(pi.hThread);
            }
        }
        finally
        {
            // Release the duplicated token even when process creation fails.
            CloseHandle(dupedToken);
        }
        return errorCode;
    }
}
**********************************>>
S Hayes Guest
-
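The Win32 documentation for the CreateProcess family states that a batch file has to be started through the command interpreter: cmd.exe as lpApplicationName and `/c` plus the script name in lpCommandLine. The following added example, which is not part of S Hayes's post, builds both parameters for a function such as `RunProcessAsUser` above; `BatchLaunch`, `Build` and the sample paths are hypothetical names.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Added example, not code from the thread. BatchLaunch/Build are hypothetical names.
public static class BatchLaunch
{
    // Allowlist for arguments handed to cmd.exe: no spaces, quotes, &, |, <, >, ^ or %.
    private static readonly Regex SafeArg = new Regex(@"^[A-Za-z0-9_.:\\/=-]+$");

    public static void Build(string executable, string[] args,
                             out string applicationName, out string commandLine)
    {
        string path = Path.GetFullPath(executable);
        if (path.IndexOf('%') >= 0)
            throw new ArgumentException("Path contains '%', which cmd.exe would expand.");
        foreach (string a in args)
            if (!SafeArg.IsMatch(a))
                throw new ArgumentException("Argument rejected by allowlist: " + a);

        string joined = string.Join(" ", args);
        string ext = Path.GetExtension(path).ToLowerInvariant();

        if (ext == ".bat" || ext == ".cmd")
        {
            // A script is not a process image: cmd.exe is the program that runs,
            // so the token's user needs execute access to cmd.exe as well as
            // read access to the script.
            applicationName = Path.Combine(Environment.SystemDirectory, "cmd.exe");
            // cmd strips the outermost quote pair after /c, leaving: "path" args
            commandLine = "cmd.exe /c \"\"" + path + "\" " + joined + "\"";
        }
        else
        {
            applicationName = path;
            // By convention the first command-line token repeats the program name.
            commandLine = ("\"" + path + "\" " + joined).TrimEnd();
        }
    }

    public static void Main()
    {
        // Constructed sample paths; nothing is executed here.
        string[] samples = { @"C:\jobs\nightly.bat", @"C:\jobs\report.exe" };
        foreach (string exe in samples)
        {
            string app, cmd;
            Build(exe, new[] { "2004-10-01" }, out app, out cmd);
            Console.WriteLine("lpApplicationName = " + app);
            Console.WriteLine("lpCommandLine     = " + cmd);
        }
    }
}
```

The thread does not confirm whether this resolves the Access Denied error reported above.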
Joe Kaplan (MVP - ADSI) #6
Re: Access Denied executing Batch File from CreateProcessAsUser
Did you see some of the references to previous threads that suggested using
WMI to accomplish this? Apparently that solution works well. I can't
remember what the problem is with CreateProcessAsUser, but you seem to have
the same symptoms that others have complained of in the past.
Just a thought...
Joe K.
Joe Kaplan (MVP - ADSI) Guest