c# - MVC: start process as different user - not working
I need to run an executable on the server from an MVC controller. The problem: the executable sits within the Program Files folder and reads a value from the registry. I have granted execution rights on the respective folder to the application pool. Here's the problem:
Running the exe with Process.Start(exe) will start the executable, which in turn exits with an error because it cannot read the registry value (no access).
Assigning a local admin user to ProcessStartInfo fails:
    // requires: using System.Diagnostics; using System.Security;
    var exe = @"c:\program files (x86)\[path exe]";
    var secString = new SecureString();
    secString.AppendChar('character'); // placeholder: one call per password character
    //...
    secString.MakeReadOnly();
    var procInfo = new ProcessStartInfo(exe, settingsPath)
    {
        UseShellExecute = false,
        UserName = "[username]",
        Domain = "[domain]",
        Password = secString,
        RedirectStandardError = true,
        RedirectStandardOutput = true,
        RedirectStandardInput = true,
        Verb = "runas" // only honoured when UseShellExecute is true
    };
    var proc = Process.Start(procInfo);
    proc.WaitForExit();
This will cause a crash of conhost and the executable.
Using impersonation like this:
    var impers = new ImpersonationService();
    impers.PerformImpersonatedTask("[user]", "[domain]", "[password]",
        ImpersonationService.LOGON32_LOGON_INTERACTIVE,
        ImpersonationService.LOGON32_PROVIDER_DEFAULT,
        new Action(RunClient));
...with the method RunClient() using Process.Start(exe) does absolutely nothing! The method is run, but the process is not being started. I know the method is run because I added this line to it:
    _logger.Debug("impersonated: {0}", Environment.UserName);
which correctly gives me the desired user name the process shall use. The user has local admin privileges, so there should not be an issue there.
I have even tried starting a different executable from the controller and have that one use impersonation (both variants) to start the target executable - same outcome.
So right now I'm at a dead end. Can anyone please tell me what I'm doing wrong and what I have to do to make it work?
P.S.: running the target executable directly on the server when logged in as the local admin user works fine, so no problem with the exe itself.
Edit:
It seems one part of my description was incorrect: with impersonation, the RunClient method did not use Process.Start(exe) but this:
    var procInfo = new ProcessStartInfo(exe, settingsPath)
    {
        UseShellExecute = false,
    };
    _logger.Debug("impersonated: {0}", Environment.UserName);
    var proc = Process.Start(procInfo);
Out of desperation I have circumvented procInfo (I don't need it) and really called

    var proc = Process.Start(exe, argument);

and now the .exe starts! It seems using ProcessStartInfo overrides the impersonation for the process??
Still not OK though, as now I get an "access denied" error. Despite being local admin. Weird.
Edit 2: how my latest attempt went:
- switched back to calling a helper .exe, passing the same arguments later used for the actual target exe in Program Files
- added a manifest to the helper exe with level="requireAdministrator"
- added impersonation to the helper exe according to https://msdn.microsoft.com/en-us/library/w070t6ka(v=vs.110).aspx with [PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")] added before the method starting the target process
- started the process by providing a ProcessStartInfo with all the jazz
Resulting code:
    // requires: using System; System.Diagnostics; System.IO; System.Security; System.Security.Principal;
    try
    {
        var secString = new SecureString();
        //...
        secString.MakeReadOnly();
        var procInfo = new ProcessStartInfo()
        {
            FileName = Path.GetFileName(exe),
            UserName = "[username]",
            Domain = "[domain]",
            Password = secString,
            UseShellExecute = false,
            RedirectStandardError = true,
            RedirectStandardOutput = true,
            RedirectStandardInput = true,
            Arguments = settingsPath,
            WorkingDirectory = @"c:\program files (x86)\[rest]"
        };
        var proc = Process.Start(procInfo);
        proc.WaitForExit();
        if (proc.ExitCode != 0)
        {
            using (var sw = new StreamWriter(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "error.log"), true))
            {
                sw.WriteLine("error running process:\r\n{0}", proc.ExitCode.ToString());
            }
        }
    }
    catch (Exception ex)
    {
        using (var sw = new StreamWriter(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "error.log"), true))
        {
            sw.WriteLine("error running process:\r\n{0}\r\nrunning as: {1}", ex.ToString(), WindowsIdentity.GetCurrent().Name);
        }
    }
Resulting output in error.log:

    helper running!
    [passed argument]
    error running process:
    System.ComponentModel.Win32Exception (0x80004005): access denied
       at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
       at System.Diagnostics.Process.Start()
       at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
       at RunClient.ImpersonationDemo.RunClient(String settingsPath)
    running as: [correct domain user in admin group]
So I can start the helper exe, but that cannot start the real exe in Program Files due to access denied, despite running under a local admin account, and all files are accessed locally, not on network drives.
The logic of this eludes me.
Edit 3
Update: I have added a manifest to the target .exe also,
    <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
This means that now:
- I call the helper exe from the controller: works
- the helper .exe has a manifest to run with elevated rights (admin)
- the helper .exe uses impersonation to assume the identity of a local admin to start the process
- said process is started using a ProcessStartInfo in which UserName, Domain, and Password are additionally set to the same local admin user
- the helper exe then tries to run the target exe using Process.Start(startInfo) with the local admin user set, while still impersonating that user's Windows identity
And still the error log spouts "access denied" while correctly returning the WindowsIdentity.GetCurrent().Name of the local admin.
And now, the greatest of all happened: I created a new local user on the server, added him to the local admin group and used that user for impersonation, in case there was a problem with domain users. Guess what? Now I get an error: access denied to ...\error.log - written to the effing error log.
Really?
Edit 4
I think I'll try Topshelf to convert the whole shebang into a service. Hope to get this done on the weekend.
According to this article, the MVC controller thread should have full-trust permission to run the process:
This class contains a link demand at the class level that applies to all members. A SecurityException is thrown when the immediate caller does not have full-trust permission. For details about security demands, see Link Demands.
It seems the problem is not the user but full trust. I do not know which version of MVC you use, but you can read articles about trust levels and code access security to find out the best way to configure your application. It seems you can grant full-trust permission to a specific .exe file or grant full-trust permission to the application pool user (do not forget folder permissions).
But the best approach is to write a Windows service and run it instead of running the .exe file directly.
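
The service approach recommended in the answer, as an added example (not code from the original post or its answer): the web application never holds admin credentials and only drops a request file, while a Windows service starts the executable with a validated argument. The service name `ExeRunner`, the spool and settings directories, and the request-file convention are assumptions; the executable path keeps the page's placeholder.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.ServiceProcess;

public class ExeRunnerService : ServiceBase
{
    // Page placeholder kept; the two directories below are assumed names.
    private const string Exe = @"C:\Program Files (x86)\[path exe]";
    private const string SpoolDir = @"C:\ProgramData\ExeRunner\requests";
    private const string SettingsDir = @"C:\ProgramData\ExeRunner\settings";
    private FileSystemWatcher _watcher;

    public ExeRunnerService() { ServiceName = "ExeRunner"; }

    protected override void OnStart(string[] args)
    {
        Directory.CreateDirectory(SpoolDir);
        // The controller writes "<id>.tmp" and renames it to "<id>.req",
        // so a request is only seen once it is completely written.
        _watcher = new FileSystemWatcher(SpoolDir, "*.req");
        _watcher.Renamed += (s, e) => Handle(e.FullPath);
        _watcher.EnableRaisingEvents = true;
    }

    protected override void OnStop() { if (_watcher != null) _watcher.Dispose(); }

    private void Handle(string requestFile)
    {
        try
        {
            // A request carries a settings file name only, never a command line.
            string name = Path.GetFileName(File.ReadAllText(requestFile).Trim());
            File.Delete(requestFile);
            string settingsPath = Path.Combine(SettingsDir, name);
            if (name.Length == 0 || !File.Exists(settingsPath))
                throw new InvalidOperationException("Unknown settings file: " + name);
            var psi = new ProcessStartInfo(Exe, "\"" + settingsPath + "\"") { UseShellExecute = false };
            using (var proc = Process.Start(psi))
            {
                proc.WaitForExit();
                if (proc.ExitCode != 0)
                    EventLog.WriteEntry("Exit code " + proc.ExitCode, EventLogEntryType.Warning);
            }
        }
        catch (Exception ex) { EventLog.WriteEntry(ex.ToString(), EventLogEntryType.Error); }
    }
    public static void Main() { ServiceBase.Run(new ExeRunnerService()); }
}
```

Install the service under a dedicated account that has read access to the registry value and execute rights on the Program Files folder; the application pool identity then needs only write access to the spool directory.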