
Calling a batch file from IE using asp and vbscript

P: n/a
I'm trying to call a batch file that I've built using the FileSystemObject
and CreateObject("Wscript.Shell"), oShell.Run... in an asp script.
Naturally, I can get the script to work from a command line but not from a
browser. The page does not throw an error but the oShell.Run... portion of
the script doesn't run. Any help would be appreciated. Thanks.
Jul 22 '05 #1


P: n/a
The problem is that IIS runs ASP pages by default in the context of
IUSR_machineName, a very low-level user with few privileges and virtually no
system access.

You need to either set the IIS application to run in the context of a
privileged user, change the application to run as windows authenticated and
not anonymous (and then authenticate as a privileged user), or add
IUSR_machineName to a group with enough privileges to execute the batch
file.

Of course, each of these options can potentially become a security hole
without proper precautions.

So, what I tend to recommend in cases like this is to add the requested task
to a queue (e.g. in a database), and have a scheduled task wake up and pick
up new tasks from the queue. Then you don't have to worry about the
privileges you're exposing directly to your web page, and you can easily set
the job to run in the context of any user you like and on any schedule you
like...

--
http://www.aspfaq.com/
(Reverse address to reply.)



Jul 22 '05 #2
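
The queue approach described in the reply above, as an added example that is not code from the thread. It is written in Python with SQLite so it runs anywhere; in the thread's setup the enqueue step would live in the ASP page and the worker would be started by the scheduled task. The table name, share root, account names and the `grant_change` task are assumptions made for illustration.

```python
import re
import sqlite3
import subprocess

# Assumed, constructed values: the share root is fixed in the worker's
# configuration and is never taken from the web request.
SHARE_ROOT = r"\\fileserver01\projects"
FOLDER_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
ACCOUNT_RE = re.compile(r"[A-Za-z0-9_-]{1,15}\\[A-Za-z0-9._-]{1,20}")


def build_grant_change(folder, account):
    # Same cacls switches as in the thread, assembled as an argument list.
    return ["cacls", SHARE_ROOT + "\\" + folder, "/T", "/E", "/G", account + ":C"]


# Allow-list of task names the worker is willing to run.
TASKS = {"grant_change": build_grant_change}


def valid(task, folder, account):
    return (task in TASKS and FOLDER_RE.fullmatch(folder) is not None
            and ACCOUNT_RE.fullmatch(account) is not None)


def open_queue(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS task_queue ("
        " id INTEGER PRIMARY KEY, task TEXT NOT NULL, folder TEXT NOT NULL,"
        " account TEXT NOT NULL, requested_by TEXT NOT NULL,"
        " status TEXT NOT NULL DEFAULT 'pending', result TEXT)")
    return db


def enqueue(db, task, folder, account, requested_by):
    """Web tier: validate and INSERT. The page needs no other privilege."""
    if not valid(task, folder, account):
        raise ValueError("request rejected")
    cur = db.execute(
        "INSERT INTO task_queue (task, folder, account, requested_by)"
        " VALUES (?, ?, ?, ?)", (task, folder, account, requested_by))
    db.commit()
    return cur.lastrowid


def run_command(argv):
    # Real runner for the worker: no shell, so no metacharacter parsing.
    return subprocess.run(argv, shell=False).returncode


def run_pending(db, runner=run_command):
    """Worker: started by the scheduled task under its own account."""
    finished = []
    rows = db.execute("SELECT id, task, folder, account FROM task_queue"
                      " WHERE status = 'pending' ORDER BY id").fetchall()
    for row_id, task, folder, account in rows:
        claimed = db.execute("UPDATE task_queue SET status = 'running'"
                             " WHERE id = ? AND status = 'pending'", (row_id,))
        db.commit()
        if claimed.rowcount != 1:
            continue  # another worker run already took this row
        # Validate again: rows may have reached the table by another route.
        if valid(task, folder, account):
            code = runner(TASKS[task](folder, account))
            status, result = ("done" if code == 0 else "failed"), "exit %d" % code
        else:
            status, result = "rejected", "failed validation"
        db.execute("UPDATE task_queue SET status = ?, result = ? WHERE id = ?",
                   (status, result, row_id))
        db.commit()
        finished.append((row_id, status))
    return finished


def demo():
    db = open_queue()
    enqueue(db, "grant_change", "reports", "CORP\\jsmith", "alice")
    # Constructed row written straight to the table, bypassing enqueue().
    db.execute("INSERT INTO task_queue (task, folder, account, requested_by)"
               " VALUES ('grant_change', 'x & whoami', 'CORP\\jsmith', '?')")
    db.commit()
    calls = []
    statuses = run_pending(db, runner=lambda argv: calls.append(argv) or 0)
    return calls, statuses


if __name__ == "__main__":
    print(demo())
```

The web account only needs INSERT on the queue table, while the scheduled task's account holds the rights on the remote share, so nothing typed into the page ever reaches a command line as text.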

P: n/a
Aaron,

Thanks very much for your response. Unfortunately, I had already tried
using Windows Integrated Authentication while using a privileged account and
I tried changing the account from IUSR_MachineName to a privileged network
account and neither option worked. The app seems to run, the batch file is
created, but it fails to run. As a workaround I have been using a scheduled
task to run the file at the top of every hour but now a different sort of
security concern having to do w/ our portal software renders my scheduled
task obsolete. Could you be kind enough to elaborate on your solution w/ the
database/queue and the scheduled task. I'm not quite sure that I understand
what you're getting at. Thanks again.



Jul 22 '05 #3

P: n/a
Does your batch file call any code that raises a prompt or other kind of
visible GUI? Have you looked at http://www.aspfaq.com/2059 ?

I don't know if I can explain the scheduled task process better without
actually building it. That's on my to do list...

--
http://www.aspfaq.com/
(Reverse address to reply.)




Jul 22 '05 #4

P: n/a
The batch file maps a drive and uses cacls to apply permissions to a folder.
It does not raise a prompt or any other GUI. And thanks for the reference to
www.aspfaq.com/2059, which I read. I've also tried simply mapping a drive
w/out the attempt to apply permissions and the same thing happens, or, more
accurately, doesn't happen. Thanks again for your help.



Jul 22 '05 #5

P: n/a
Try using basic authentication for testing purposes. If that works, check
out:

http://support.microsoft.com/?kbid=287537
http://support.microsoft.com/?kbid=264921

With integrated authentication, you cannot "daisy-chain" that authentication
from the IIS server to another server, afaIk. So, if you're trying to run a
script on the server that's accessing another server, i.e. mapping a drive
(why?), I ~believe~ you cannot use integrated authentication then.

Ray at home


Jul 22 '05 #6

P: n/a
Thanks for your response. Unfortunately, I've tried Basic Authentication,
logging in w/ a privileged account, and the behavior is the same. That is,
nothing happens. Why I would want to map a drive is a good question. The
drive mapping is superfluous. I was just trying to get the script to do
something -- anything. The main purpose of the script is to apply
permissions through cacls, which won't work either, though the script works
fine from a command prompt. Thanks again.



Jul 22 '05 #7

P: n/a
How do you know that it isn't mapping the drive? How about net
sending? Try a batch file like this:

net send theNameOfYourComputer "Hi, I'm your Web server."

I'm kinda jumping in after missing the beginning of this thread, so
I'm not sure what you've tried so far or what else is going on.
Sorry about that.

Ray at work



Jul 22 '05 #8

P: n/a
I agree with Ray... start with calling a batch file that does something
incredibly simple and trivial, locally. THEN graduate to more complex
activities...

--
http://www.aspfaq.com/
(Reverse address to reply.)




Jul 22 '05 #9

P: n/a
After I run the script, which includes "net use T: \\<server name>\<share
name>" and go to a DOS prompt and try to access the T: drive, there is no T:
drive. If I manually run the script from a DOS prompt, no problem -- the
drive is mapped and the permissions are applied. If I alter the script and
omit the drive mapping and apply the permissions (w/ cacls) to a local folder
(that is, the web server) the thing works like a charm. It's only when I try
to do anything on another server that it refuses to work. Seems like it has
to be a permissions issue, but I've tried various authentication methods,
including running the app in IIS under a domain admin account, but nothing
works. Thanks for your help.



Jul 22 '05 #10

P: n/a
How are you trying to access the T drive? Are you sitting at the
server? Have you tried taking things back a few steps as suggested?
When you get to the step of modifying ACLs, I suggest using UNC
paths. But for now, can you verify that your batch is running?

net send yourcomputer I ran
echo I ran>C:\Path\Which\Has\FullControl\For\Everyone\Permissions\test.txt

Ray at work


Jul 22 '05 #11

P: n/a
I have a terminal server session to the web server, so that's how I know that
no drive is being mapped. As I mentioned in a previous thread, the drive
mapping is superfluous, and I am using a UNC path to attempt to apply
permissions (cacls \\<server name>\<share name>\<folder to which to apply
permissions> /T /E /G <domain>\<user name>:C). Also, as I mentioned earlier,
the script runs fine from a browser if the script that is called to apply
the permissions does so on a folder on the web server. The script is indeed
being called but it works only on the web server. The line above that
attempts to apply the permissions on another server, if called from a
browser, does not work. Thanks again for your help. I apologize for not
being specific enough.



Jul 22 '05 #12

P: n/a
io
> After I run the script, which includes "net use T: \\<server name>\<sharename>"

G'day Mark,

You may be able to overcome the problem by extending the NET command with
explicit name and password of the user who does have permissions to map a
drive to remote server (when you run your script from DOS prompt it uses
credentials of a currently logged user, most likely with administrative
privileges).

Your modified NET command will look like this:

NET USE X: \\<server name>\<share name> /USER:<user name> <password> /PERSISTENT:[YES | NO]

It is, of course, not an ideal solution, but you can create a dedicated
local user account and refine its privileges as you like.

Cheers
Jul 22 '05 #13

P: n/a
Hi :)
I'm also facing a similar issue in my project.
Were you able to get any solution for the above issue?
Thanks in advance,
Mike

Jul 22 '05 #14

P: n/a
mi********@yahoo.com wrote on 25 jan 2005 in
microsoft.public.inetserver.asp.general:
> hi:)
> i'm also facing a similar issue in my project.
> were you able to get any solution for the above issue
> thanxs in advance,


This is not mail, but usenet.

I see nothing "above".

According to netiquette, don't expect us to look back to previous posts
that may or may not be kept on a local news server, but sparingly topquote
or interquote relevant text you are replying to.

--
Evertjan.
The Netherlands.
(Replace all crosses with dots in my emailaddress)

Jul 22 '05 #15
