PHP doesn't run shell_exec()

  • Question

  • User-353904631 posted

    Hello all,

    I'm running PHP 5.2.5 on Windows 2003 32bit with IIS 6.0 FastCGI

    Everything is working perfectly except the shell_exec() command. It seems that PHP ignores the complete command line and jumps into the next process step. No errors within the Event-Log and the PHP-Error-Log. I have tracked the process and the desired executable file will not be executed.

    When I reconfigure IIS running without FastCGI (CGI only with php-cgi.exe) shell_exec() works!

    Any help is greatly appreciated!

    Thursday, February 7, 2008 1:31 PM

All replies

  • User1356161706 posted

    This is probably a security issue. Are you trying to execute cmd.exe or the like?

    There are a couple of articles out there about this. Here is one of them: http://www.somacon.com/p255.php

    Hope this helps.

    P.S: FastCGI works because it is executing as the process identity (usually NetworkService) and not the authenticated user (IUSR_<machinename>).


    Monday, February 11, 2008 3:14 AM
  • User-353904631 posted

    Thank you very much for the reply!

    I know the security issue with cmd.exe and it works in standard CGI-Mode, but your information regarding the "process identity" lets me hope to find the solution.

    I will report my test result here.

    Tuesday, February 12, 2008 8:46 AM
  • User-353904631 posted

    I have tested again without success.

    It doesn't seem to be a security issue. When I remove the access rights of IUSR_<machinename> for cmd.exe, I receive an entry in the PHP error log which contains the message that PHP was "unable to execute". This is an understandable behavior. When I add the access right, shell_exec() will be executed by PHP without problems. This is the behavior in standard cgi-mode with php-cgi.exe.

    When I configure IIS with the FastCGI-Handler, shell_exec() will be "jumped over". Nothing happens and no entry can be found within the error log of PHP. At last I gave "Everyone" the access right for cmd.exe - just for a test - but the behavior was the same.

    PS: My PHP Application runs some small VB6-Applications for producing specific PDF files with Active Reports 2 (integration of existing modules from other Win32 Applications for cost effectiveness). With Apache 2, it is not necessary to give cmd.exe access rights for the apache user even though the apache user is extremely delimited regarding access rights (user is not part of a group, user has no right to sign in to Windows, user has only access to the application directory for reading and execution and to an individual temp-directory).

    My next step is to set up another server with Windows 2003 to reproduce the effect.

    Any ideas are welcome!

    Thursday, February 14, 2008 4:31 AM
  • User-353904631 posted

    Problem is solved! I have added SERVICE with EXECUTE permissions to the directory where my executables reside (php-cgi.exe also runs under SERVICE).

    Sunday, May 18, 2008 6:29 PM
  • User-158859612 posted

    Can you be more specific? What do you mean by SERVICE?

    I am trying to execute gnuplot using mediaWiki. I can execute gnuplot via the DOS command line on the server. I wrote a quick PHP script and can execute through it while on the server. But when I try to have it execute through the Web it seems to just pass over the shell_exec.

    The cmd.exe has the correct permissions (READ & EXECUTE, READ) for IUSR_<machine_name>.

    The directory and subfolders/files have the correct permissions for IUSR_<machine_name>.

    Monday, May 19, 2008 2:42 PM
  • User-353904631 posted

    I returned to this problem a few days ago and examined the processes within the Windows Task Manager. When php-cgi.exe was running, the User Name was always SERVICE within the processes window. Before this detection, I thought IUSR_<machine_name> is the related user for php-cgi.exe as defined in IIS.

    Therefore I added the user SERVICE with READ & EXECUTE, READ to the directories where the executables of my application reside. Since this alteration, the problem is gone. Nevertheless, it's also necessary to grant the permissions READ & EXECUTE, READ for IUSR_<machine_name> to cmd.exe.

    I hope this is more clear! Sorry for my limited English. If it's not clear, I can provide a link with some screenshots.

    Monday, May 19, 2008 5:02 PM
  • User-353904631 posted

    Well, it's strange. I swear that I have seen php-cgi.exe running with identity SERVICE!!

    After a complete re-installation, php-cgi.exe runs with identity NETWORK SERVICE...

    Anyway, I can add SERVICE or NETWORK SERVICE with READ & EXECUTE, READ to the executable folder and it works.

    Wednesday, May 21, 2008 5:15 AM
  • User2093557029 posted

    By default your IIS 6 application pool will run under the Network Service account. You can escalate this to use the Service or System accounts (or custom accounts), but it isn't advised as they have elevated privileges to your system over the Network Service account (especially your System account). What you have done is correct. You should permission the Network Service account with the specific permissions you need rather than using an account with elevated rights to your entire system.

    Wednesday, May 21, 2008 5:31 AM
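
The thread's symptom is a shell_exec() call that is skipped without any log entry, and its fix depended on knowing which account php-cgi.exe runs as. The following diagnostic page is an added example, not code from any poster: it replaces the silent call with exec() so the exit code and error text become visible, and reports the identity that child processes inherit. The `$target` path and the function names are hypothetical, and it assumes whoami.exe is on the server's path.

```php
<?php
// Added diagnostic, not code from the thread. Request it through the same IIS
// handler (FastCGI or CGI) as the failing page and remove it afterwards.

// Hypothetical path: the program the application starts with shell_exec().
$target = 'C:\\apps\\reports\\makepdf.exe';

// shell_exec() returns NULL both when the command fails and when it prints
// nothing, so use exec() to get the exit code and fold stderr into the output.
function run_visible($cmd)
{
    $lines = array();
    $code  = -1; // remains -1 when PHP could not start a process at all
    exec($cmd . ' 2>&1', $lines, $code);
    return array('exit' => $code, 'output' => implode("\n", $lines));
}

function diagnose($target)
{
    // Functions listed in disable_functions fail before any process is created.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array(
        'sapi'          => php_sapi_name(),
        'exec_disabled' => in_array('exec', $disabled) || in_array('shell_exec', $disabled),
        'safe_mode'     => (bool) ini_get('safe_mode'),
        // php.ini switch for running as the authenticated user under IIS FastCGI;
        // false means this PHP build does not know the directive.
        'fastcgi.impersonate' => ini_get('fastcgi.impersonate'),
        // Account the child process runs as, e.g. NETWORK SERVICE or IUSR_<machinename>.
        'identity'      => run_visible('whoami'),
        'target_exists' => file_exists($target),
        // "Access is denied" here, with a non-zero exit code, points at the ACL.
        'target_run'    => run_visible(escapeshellarg($target)),
    );
}

header('Content-Type: text/plain');
print_r(diagnose($target));
```

The account printed under `identity` is the one that needs READ & EXECUTE on the executable's directory, which keeps the grant scoped to that account as the last reply recommends.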