Starting a "cmd.exe" process from ASP.NET permissions problem

Posted on 2004-11-18
Last Modified: 2010-05-18
I have to start a "cmd.exe" process from ASP.NET application running on the Windows 2003 server, and I have to use the Windows authentication only.

I use the following code:

ProcessStartInfo psi = new ProcessStartInfo("cmd.exe");
psi.UseShellExecute = false;
psi.RedirectStandardInput = true;
psi.RedirectStandardError = true;
psi.RedirectStandardOutput = true;

// Start the process
Process proc = Process.Start(psi);

This code works fine if (and only IF) a user that is accessing the application has Adminidtrators rights on the server.
I have these rights, I it worked fine for me.  But the application should be used by the limited number of other users.

In the web.config file for the application these users are listed in the <authorization> section:
 <allow users="username1,username2,username3,username4" />

In the <authentication> section mode is set to "Windows" /> and  <identity impersonate="true" />

However, if such a user try to run the application, it throws the Win32Exception "Access is denied" at the "Process.Start(psi);" line.   Somehow the application's catch block can't catch this exception (although it catches other exceptions;  I use several catch blocks here: catch (Win32Exception exc) { }, then catch (Exception exc) { }, then empty catch { } ), and the exception is displayed as unhandled.  This is the second problem: why the code does not catch the Process.Start exception.

And the first problem is to allow a limited group of domain users to run the application.
I tried to solve the problem by creating a Power Users group that has these users included.  I gave this group the full rights to all directories that I think are somehow related to the job:  current application directory, Windows and System32 directories, Program Files directory - it did not help.  I even added ASPNET account to this Power Users group - it did not help.

The program works OK on the Windows XP server, but I need it to run on 2003.

What else can I do???

Thank you in advance for your help.
Question by:pavelmed
    LVL 28

    Expert Comment

    Hi pavelmed,

    have you remove the anonymous access of the virtual directory/web site ?
    this can be done by IIS console->Properties on the virtual directory/web site->Directory Security->Edit button within the Authentication and access control-> uncheck the check box for enabling anonimous access


    Author Comment

    Hi mmarinov,

    Yes, the anonymous access is removed.  Only Integrated Windows Authentication is checked.
    Also please note that although this 2003 server has IIS 6.0, it runs in the 5.x isolation mode, so the application pooling is not enabled.
    And I can't change the setting because it may interfere with other applications.

    My point is: if it runs OK when the user who requests the site has administrators rights to the server, how can I substitute these rights by a custom Power Users group that may have full rights to any directory?  As I wrote, I tried this approach and assigned the Power Users rights to the current application directory, Windows and System32 directories, and Program Files directory, and it did not help.

    Almost all code in the application is commented out, only the Process starting code from above is left.

    Thank you.

    Author Comment

    Because of thorough security restrictions I have decide to abandon the idea of using cmd.exe process and running batch file statements in order to create and use network drive maps.

    Instead, I will be using the ideas from the following article:

    It works well.

    I am asking this question to be closed.

    Thank you

    Accepted Solution

    Question author has answered his onw problem, this question will now go into PAQ, with points refunded.

    Thank you,

    Wes Lennon
    Experts Exchange

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    Join & Write a Comment

    In an ASP.NET application, I faced some technical problems. In this article, I list them out and show the solutions that I found.  I hope it will be useful. Problem: After closing a pop-up window, the parent page should be refreshed automaticall…
    A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…
    Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now