By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
434,921 Members | 1,471 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 434,921 IT Pros & Developers. It's quick & easy.

ASPNET Account autiding alert

P: n/a
Hi, i'm always auditing ASPNET's account accesses on my webserver, a
WIN2K_SP4 + IIS5 + SQLServer2K_SP3a machine.

Nearly all the applications work correctly, but i constantly find a
message in the event viewer under the protection log, that says:

---------------------------------------
Apertura oggetto:
Server oggetto: Security
Tipo oggetto: File
Nome oggetto: C:\WINNT\KOSW047BFJNQUY26
Nuovo ID dell'handle: -
ID dell'operazione: {0,346018}
ID del processo: 2160
Nome utente primario: ASPNET
Dominio primario: WEBSERVER
ID di accesso primario: (0x0,0x3F5DE)
Nome utente client: -
Dominio client: -
ID di accesso client: -
Accessi SYNCHRONIZE
ReadData (o ListDirectory)

Privilegi -
---------------------------------------

(I'm sorry for the Italian text, but i think you can easily understand
the message)

ASPNET is part of the Users group, and the Users group has the READ,
EXECUTION and LIST permissions on C:\WINNT directory.

What this could be?

I followed all the MS KB to grant the rights priviledges to the ASPNET
account, and no application have a problem at the moment.

Only one application seems to go crazy when the number of users grows
up (we are waiting for another 1GB ram, because we think it's a
resource related issue), but we think it's an application issue not
related to this problem. Or at least, i don't think this warning in the
event viewer is related to that problem.

Thnx i.a. for the answers,
Marco

Nov 19 '05 #1
Share this Question
Share on Google+
7 Replies


P: n/a
Marco,

C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
directory ?? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet ?

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.*******@gmail.com> wrote in message
news:11*********************@f14g2000cwb.googlegro ups.com...
Hi, i'm always auditing ASPNET's account accesses on my webserver, a
WIN2K_SP4 + IIS5 + SQLServer2K_SP3a machine.

Nearly all the applications work correctly, but i constantly find a
message in the event viewer under the protection log, that says:

---------------------------------------
Apertura oggetto:
Server oggetto: Security
Tipo oggetto: File
Nome oggetto: C:\WINNT\KOSW047BFJNQUY26
Nuovo ID dell'handle: -
ID dell'operazione: {0,346018}
ID del processo: 2160
Nome utente primario: ASPNET
Dominio primario: WEBSERVER
ID di accesso primario: (0x0,0x3F5DE)
Nome utente client: -
Dominio client: -
ID di accesso client: -
Accessi SYNCHRONIZE
ReadData (o ListDirectory)

Privilegi -
---------------------------------------

(I'm sorry for the Italian text, but i think you can easily understand
the message)

ASPNET is part of the Users group, and the Users group has the READ,
EXECUTION and LIST permissions on C:\WINNT directory.

What this could be?

I followed all the MS KB to grant the rights priviledges to the ASPNET
account, and no application have a problem at the moment.

Only one application seems to go crazy when the number of users grows
up (we are waiting for another 1GB ram, because we think it's a
resource related issue), but we think it's an application issue not
related to this problem. Or at least, i don't think this warning in the
event viewer is related to that problem.

Thnx i.a. for the answers,
Marco

Nov 19 '05 #2

P: n/a
i forgot to say, the name KOSW047BFJNQUY26 changes every time.

i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use Crystal
Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the
directory/file. at least, the programmer said me that he doesn't explicitly
create it.

how can i see if it is being created with explicit permission or other grant
? i can't even find that directory.

thank you,
Marco

"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2*************@tk2msftngp13.phx.gbl...
Marco,

C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
directory ?? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet ?


Nov 19 '05 #3

P: n/a
This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a different
account that perhaps doesn't have access to the proper directories?

-- Sean M, who admittedly is not fond of changing the identity of the worker
process

"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:Od**************@TK2MSFTNGP10.phx.gbl...
i forgot to say, the name KOSW047BFJNQUY26 changes every time.

i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use Crystal Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the
directory/file. at least, the programmer said me that he doesn't explicitly create it.

how can i see if it is being created with explicit permission or other grant ? i can't even find that directory.

thank you,
Marco

"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2*************@tk2msftngp13.phx.gbl...
Marco,

C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
directory ?? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet ?

Nov 19 '05 #4

P: n/a
The ASPNET account has R/W access to
"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Tempor ary ASP.NET Files" and
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Tempor ary ASP.NET Files" ( no
FULL CONTROL, only Modify+Read+Write, it's ok? ).

The aspnet_wp process is running under the ASPNET account.

The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of them
regarding mscorsvr.dll).

Marco.

"Sean M" <ta******@hotmail.com> ha scritto nel messaggio
news:Ol*************@TK2MSFTNGP09.phx.gbl...
This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a different
account that perhaps doesn't have access to the proper directories?

-- Sean M, who admittedly is not fond of changing the identity of the
worker
process

"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:Od**************@TK2MSFTNGP10.phx.gbl...
i forgot to say, the name KOSW047BFJNQUY26 changes every time.

i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use

Crystal
Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the
directory/file. at least, the programmer said me that he doesn't

explicitly
create it.

how can i see if it is being created with explicit permission or other

grant
? i can't even find that directory.

thank you,
Marco

"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2*************@tk2msftngp13.phx.gbl...
> Marco,
>
> C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
> directory ?? Is it being created with explicit permissions that will
> exclude Users or other grant that includes Dir List for AspNet ?
>


Nov 19 '05 #5

P: n/a
Well, they should not be able to write to c:\winnt at all !!
When you look at one of these in c:\winnt are the NTFS permissions
on it all inherited or are some or all explicit ? i.e. gray or white boxes?

That dir name makes it sound like this was upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villan and first notify my web authors that use
crystal that c:\winnt will be altered and there apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosening c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient is not an attractive
way to go.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
The ASPNET account has R/W access to
"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Tempor ary ASP.NET Files" and
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Tempor ary ASP.NET Files" ( no
FULL CONTROL, only Modify+Read+Write, it's ok? ).

The aspnet_wp process is running under the ASPNET account.

The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of them regarding mscorsvr.dll).

Marco.

"Sean M" <ta******@hotmail.com> ha scritto nel messaggio
news:Ol*************@TK2MSFTNGP09.phx.gbl...
This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a different account that perhaps doesn't have access to the proper directories?

-- Sean M, who admittedly is not fond of changing the identity of the
worker
process

"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:Od**************@TK2MSFTNGP10.phx.gbl...
i forgot to say, the name KOSW047BFJNQUY26 changes every time.

i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use

Crystal
Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the directory/file. at least, the programmer said me that he doesn't

explicitly
create it.

how can i see if it is being created with explicit permission or other

grant
? i can't even find that directory.

thank you,
Marco

"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2*************@tk2msftngp13.phx.gbl...
> Marco,
>
> C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
> directory ?? Is it being created with explicit permissions that will
> exclude Users or other grant that includes Dir List for AspNet ?
>



Nov 19 '05 #6

P: n/a
I can't see that items.
That directory (or files?) with the random name doesn't even seem to exists,
or at least i'm not able to see them, so i can't see the protection
settings.

The "Users" group has read only access to WINNT directory.

Why is the protection event talks about READ/SYNCRONIZE deny, if the Users
( and then the ASPNET account too) has read grants on the WINNT directory?

I don't think the programmers are creating a file in it, i talked with them
and nobody has written code to create a file/directory in C:\WINNT, or at
least we don't know if Crystal Report tryes to.

thanks for the help,
Marco
"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2**************@TK2MSFTNGP12.phx.gbl...
Well, they should not be able to write to c:\winnt at all !!
When you look at one of these in c:\winnt are the NTFS permissions
on it all inherited or are some or all explicit ? i.e. gray or white
boxes?

That dir name makes it sound like this was upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villan and first notify my web authors that use
crystal that c:\winnt will be altered and there apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosening c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient is not an attractive
way to go.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
The ASPNET account has R/W access to
"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Tempor ary ASP.NET Files" and
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Tempor ary ASP.NET Files" ( no
FULL CONTROL, only Modify+Read+Write, it's ok? ).

The aspnet_wp process is running under the ASPNET account.

The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of

them
regarding mscorsvr.dll).

Marco.

"Sean M" <ta******@hotmail.com> ha scritto nel messaggio
news:Ol*************@TK2MSFTNGP09.phx.gbl...
> This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
> cache directory. Are you running the ASP.NET worker process as a different > account that perhaps doesn't have access to the proper directories?
>
> -- Sean M, who admittedly is not fond of changing the identity of the
> worker
> process
>
> "M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in
> message
> news:Od**************@TK2MSFTNGP10.phx.gbl...
>> i forgot to say, the name KOSW047BFJNQUY26 changes every time.
>>
>> i still don't know who try to create that directory/file and when.
>> i didn't write the applications by myself, i only know that thy use
> Crystal
>> Reports, they're written in .NET 2002 and they use a component to draw
>> charts, dunno if it is that particular component that tryes to write the >> directory/file. at least, the programmer said me that he doesn't
> explicitly
>> create it.
>>
>> how can i see if it is being created with explicit permission or other
> grant
>> ? i can't even find that directory.
>>
>> thank you,
>> Marco
>>
>>
>>
>> "Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
>> news:e2*************@tk2msftngp13.phx.gbl...
>> > Marco,
>> >
>> > C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
>> > directory ?? Is it being created with explicit permissions that
>> > will
>> > exclude Users or other grant that includes Dir List for AspNet ?
>> >
>>
>
>



Nov 19 '05 #7

P: n/a
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:Oh*************@TK2MSFTNGP14.phx.gbl...
I can't see that items.
That directory (or files?) with the random name doesn't even seem to exists, or at least i'm not able to see them, so i can't see the protection
settings.

It could be that the failure message is because of "file not found" ??
The "Users" group has read only access to WINNT directory.

Why is the protection event talks about READ/SYNCRONIZE deny, if the Users
( and then the ASPNET account too) has read grants on the WINNT directory?

That is why I first asked about explicit as compared to inherited grants.
Users Read allows just these. That it is a minimal request being made
and one within the inherited grants, makes it sound like something is
looking for a file in the wrong place (?)
I don't think the programmers are creating a file in it, i talked with them and nobody has written code to create a file/directory in C:\WINNT, or at
least we don't know if Crystal Report tryes to.
I can't help you there, but it is good you have that info from the devs.

thanks for the help,
Marco
"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2**************@TK2MSFTNGP12.phx.gbl...
Well, they should not be able to write to c:\winnt at all !!
When you look at one of these in c:\winnt are the NTFS permissions
on it all inherited or are some or all explicit ? i.e. gray or white
boxes?

That dir name makes it sound like this was upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villan and first notify my web authors that use
crystal that c:\winnt will be altered and there apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosening c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient is not an attractive
way to go.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
The ASPNET account has R/W access to
"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Tempor ary ASP.NET Files" and "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Tempor ary ASP.NET Files" ( no FULL CONTROL, only Modify+Read+Write, it's ok? ).

The aspnet_wp process is running under the ASPNET account.

The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of

them
regarding mscorsvr.dll).

Marco.

"Sean M" <ta******@hotmail.com> ha scritto nel messaggio
news:Ol*************@TK2MSFTNGP09.phx.gbl...
> This sounds a lot like an attempt to get at the Temporary ASP.NET Pages > cache directory. Are you running the ASP.NET worker process as a

different
> account that perhaps doesn't have access to the proper directories?
>
> -- Sean M, who admittedly is not fond of changing the identity of the
> worker
> process
>
> "M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in
> message
> news:Od**************@TK2MSFTNGP10.phx.gbl...
>> i forgot to say, the name KOSW047BFJNQUY26 changes every time.
>>
>> i still don't know who try to create that directory/file and when.
>> i didn't write the applications by myself, i only know that thy use
> Crystal
>> Reports, they're written in .NET 2002 and they use a component to draw >> charts, dunno if it is that particular component that tryes to write

the
>> directory/file. at least, the programmer said me that he doesn't
> explicitly
>> create it.
>>
>> how can i see if it is being created with explicit permission or other > grant
>> ? i can't even find that directory.
>>
>> thank you,
>> Marco
>>
>>
>>
>> "Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
>> news:e2*************@tk2msftngp13.phx.gbl...
>> > Marco,
>> >
>> > C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
>> > directory ?? Is it being created with explicit permissions that
>> > will
>> > exclude Users or other grant that includes Dir List for AspNet ?
>> >
>>
>
>



Nov 19 '05 #8

This discussion thread is closed

Replies have been disabled for this discussion.