.BAT and .vbs files do not run anymore from Classic ASP (was running on Win 2003 Server)

  • Question

  • User374894602 posted

    UPDATE : *** I'VE FOUND A SOLUTION : Look for the very last Post of this thread - I Marked it as Answer ***


    Hello,

    I've got an Issue since my (forced) switch from Server 2003 to Server 2008.
    I'm using ASP Classic Websites for 15 years approx (i'm 30).


    I managed to successfully configure the IIS 7 server which now serves my ASP Classic websites. I allowed everything needed for my components (Read rights on dll), and all work well (PersitsEmail, AspUpload, etc.).

    Except that I would like to ask for your help .. Indeed, I've been searching all over the web for more than 3 days, but I get stuck on one point: I can no longer run any .BAT or .VBS file from an ASP page (using the wshell object)..

    I've the execution rights on the IWAM_xxx, IWPD_xxx, IUSER_xxx, IUSR, IIS_USERS (and also approximately the half of the server hard drive (!));

    I have also set the permissions Mapping (IIS> ASP) "Execute". But my Bat files, which were launched successfully on Win 2003, still do not run. IWPD, IUSER or IWAM are not more gifted than the other one, nothing ... I can't run EXE's ? I can't believe it !

    This is very annoying because I have several professional websites blocked because of this ..

    Do you have an idea, or a short clue, and the full Magick thing i have forgotten ?

    I'm willing for your help,
    ... and I wish you a happy New Year !
    (Mine will just start when a BAT file will be run ^^)

    Wednesday, January 2, 2013 1:36 AM

Answers

  • User374894602 posted

    *** I HAVE FOUND THE SOLUTION ***

    I really really hope my POST, and this SOLUTION will Help and save a lot of time to a lot of people !

    3 days spent on this... I was so Stuck !


    So, Here is the solution for having Classic ASP pages running Bat, VBS or EXE files, with such a VbScript Code:

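        ' Full path of the batch file to launch (placeholder path)
        Dim BAT_Filename, oShell
        BAT_Filename = "C:\folder1\folder2\etc\yourBatFile_hh_mm_ss.bat"
        ' Create the shell object and launch the batch file through cmd.exe
        Set oShell = Server.CreateObject("Wscript.Shell")
        ' The doubled quotes wrap the path in quotes on the command line
        Call oShell.Run("cmd /c cmd /c """ & BAT_Filename & """")
        Set oShell = Nothing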


    To avoid getting Permission Denied, The trick resides in TWO Parts :

    1. In IIS Manager, navigate to your Website.
    2. Under the IIS section, click on "Authentication"
    3. Select and highlight the first item of the list , named "Anonymous authentication"
    4. In the "Actions Panel" (located at the right of your window), click on "Edit ..."
    5. HERE IS the first part of the trick:
      By default, the first option is selected ("Specific User"), and you should see here your IWPD user.
    6. You have to select the SECOND option : "Application Pool Identity"

    We have finished with the "Website part"
     Here starts the second part, concerning the "Application Pool".

    1. In IIS Manager, navigate to "Application Pools".
    2. Select and highlight your Website Application Pool
    3. In the "Actions Panel" (located at the right of your window), click on "Advanced Settings ..."
    4. HERE IS the second part of the trick:
      By default, the selected Identity for your pool is still your IWPD user.
    5. You have to change this, and select "LocalSystem" as "Integrated Account" option.
      As 'LocalSystem' is a user having high privileges on the filesystem, including Execute permissions, it now can run Bat files.
      ** Be WARNED that doing this will potentially be harmful for your security policy.. So you have to be very very SURE and Confident about your ASP code (test everything, prevent SQL injection , etc ...) ***

    This way, you CAN now successfully call BAT VBS or Exe files from your Classic Asp Pages under IIS 7.0, Windows 2008 Server (no Service Pack).

    I really really hope my POST, and this solution will Help and save a lot of time to a lot of people !
    Feel Free to Reply to this post if you have additional information and tips for those numerous Classic ASP coders... and still loving it !

    Many thanks go to Fab777 and Murtaza_t who have taken some time to exchange real information with me, human-to-human, through this cold and technical forum tool :-)

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Wednesday, January 2, 2013 9:04 PM
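
The answer above combines two settings: anonymous authentication set to "Application Pool Identity" and the pool identity set to LocalSystem, so anonymous requests are served by a worker process running as LocalSystem. As an added example (not part of the original thread), this PowerShell audit lists the sites and applications in that state; it assumes the WebAdministration module and an elevated session, and `Test-AnonymousAsSystem` is a hypothetical helper name.

```powershell
# Added audit example (not from the thread). Assumes the WebAdministration
# module and an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'

# Test-AnonymousAsSystem is a hypothetical helper name used only in this example.
function Test-AnonymousAsSystem {
    param([string]$ConfigPath, [string]$PoolName)

    $pool = Get-Item "IIS:\AppPools\$PoolName"
    $anon = Get-WebConfiguration -Filter $anonFilter -PSPath $ConfigPath

    # Pool identity: the account the worker process (w3wp.exe) runs as.
    $runsAsSystem = $pool.processModel.identityType -eq 'LocalSystem'
    # An empty userName on anonymousAuthentication means "Application Pool Identity".
    $usesPoolIdentity = $anon.enabled -and [string]::IsNullOrEmpty($anon.userName)

    New-Object PSObject -Property @{
        Path              = $ConfigPath
        AppPool           = $PoolName
        PoolIdentity      = $pool.processModel.identityType
        AnonymousEnabled  = $anon.enabled
        AnonymousUser     = $anon.userName
        AnonymousIsSystem = ($runsAsSystem -and $usesPoolIdentity)
    }
}

$report = foreach ($site in Get-ChildItem IIS:\Sites) {
    # Root application of the site.
    Test-AnonymousAsSystem "IIS:\Sites\$($site.Name)" $site.applicationPool

    # Nested applications can use a different pool than the site root.
    Get-WebApplication -Site $site.Name | ForEach-Object {
        $appPath = "IIS:\Sites\$($site.Name)" + ($_.path -replace '/', '\')
        Test-AnonymousAsSystem $appPath $_.applicationPool
    }
}

# Show only the locations where anonymous requests are served as LocalSystem.
$report | Where-Object { $_.AnonymousIsSystem } |
    Select-Object Path, AppPool, PoolIdentity, AnonymousUser |
    Format-Table -AutoSize
```

An empty result means no site or application pairs anonymous access with a LocalSystem pool; `$report` still holds the full inventory for review.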

All replies

  • User-597491400 posted

    Hello,

    Can you provide some information on error that is thrown at you..?

    Wednesday, January 2, 2013 8:25 AM
  • User-1499466209 posted

    Hi, I think you should have a look at Request Filtering configuration

    appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.bat',allowed='false']

    appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.vbs',allowed='false']

    Wednesday, January 2, 2013 9:14 AM
  • User374894602 posted

    murtaza_t

    Hello,

    Can you provide some information on error that is thrown at you..?

    Hi Murtaza_T, the Error thrown to me is a "Denied Access" to the file. I can see it from the LOG FILE :
    '800a0046 Permission Denied'

    Obviously, if i manually click on the VBS or concerned BAT file, from RDP, it runs.
    But when IWAM or IUSER are calling them from an ASP page, i'm thrown a "Denied Access" error.

    It seems that I'm not able to run any EXEcutable. Even if I try to launch any EXE that resides on the Server disk. Does 2008 need a special operation from me, to allow an Internet User to launch any Exe, Bat, Vbs ?
    Precision : I'm denied the right to run any "executables" at the moment, but I can have full Read Write access on any folder I specify on the disk. (for example : the Bat file I want to run was created by my ASP code, and successfully written to the disk).

    Then the trouble comes when running it with WSH : Denied access .

    Wednesday, January 2, 2013 7:51 PM
  • User374894602 posted

    Hi, I think you should have a look at Request Filtering configuration

    appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.bat',allowed='false']

    appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.vbs',allowed='false']

    Hi Fab777,


    I've looked at the Request Filtering configuration as you suggested it to me.
    It seems that this tool filters URL served to the website visitor (the client);
    I may be wrong, but this filtering tool seems effectless on what file is run back-end on the server...
    The visitor NEVER has to access my Bat file ! Only IUSER or IWAM (or God) have to be able to run it.

    Thank you for this tip, Fab, ... I don't know what to try by now..

    Wednesday, January 2, 2013 8:08 PM
  • User-597491400 posted

    hello Alex,

    Thanks for the detailed step by step solutions.. I am sure it will help a lot of people with similar issues..

    Cheers,

    Thursday, January 3, 2013 1:34 AM
  • User-831597755 posted

    alexvb6, Very good this configuration ..
    It worked perfectly, it was the only place I found a full schedule of reasoning. !

    I just have a problem .. Do I need this config. in IIS 6, because I use windows server 2003 .. would you have any tips? I can not add the app pool as user!

    thank you

    Thursday, November 28, 2013 12:10 PM