Hi, i'm always auditing ASPNET's account accesses on my webserver, a
WIN2K_SP4 + IIS5 + SQLServer2K_SP3a machine.
Nearly all the applications work correctly, but i constantly find a
message in the event viewer under the protection log, that says:
---------------------------------------
Apertura oggetto:
Server oggetto: Security
Tipo oggetto: File
Nome oggetto: C:\WINNT\KOSW047BFJNQUY26
Nuovo ID dell'handle: -
ID dell'operazione: {0,346018}
ID del processo: 2160
Nome utente primario: ASPNET
Dominio primario: WEBSERVER
ID di accesso primario: (0x0,0x3F5DE)
Nome utente client: -
Dominio client: -
ID di accesso client: -
Accessi SYNCHRONIZE
ReadData (o ListDirectory)
Privilegi -
---------------------------------------
(I'm sorry for the Italian text, but i think you can easily understand
the message)
ASPNET is part of the Users group, and the Users group has the READ,
EXECUTION and LIST permissions on C:\WINNT directory.
What this could be?
I followed all the MS KB to grant the rights priviledges to the ASPNET
account, and no application have a problem at the moment.
Only one application seems to go crazy when the number of users grows
up (we are waiting for another 1GB ram, because we think it's a
resource related issue), but we think it's an application issue not
related to this problem. Or at least, i don't think this warning in the
event viewer is related to that problem.
Thnx i.a. for the answers,
Marco
7  1641 
Marco,
C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
directory ?? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet ?
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.*******@gmail.com> wrote in message
news:11*********************@f14g2000cwb.googlegro ups.com... Hi, i'm always auditing ASPNET's account accesses on my webserver, a
WIN2K_SP4 + IIS5 + SQLServer2K_SP3a machine.
Nearly all the applications work correctly, but i constantly find a
message in the event viewer under the protection log, that says:
---------------------------------------
Apertura oggetto:
Server oggetto: Security
Tipo oggetto: File
Nome oggetto: C:\WINNT\KOSW047BFJNQUY26
Nuovo ID dell'handle: -
ID dell'operazione: {0,346018}
ID del processo: 2160
Nome utente primario: ASPNET
Dominio primario: WEBSERVER
ID di accesso primario: (0x0,0x3F5DE)
Nome utente client: -
Dominio client: -
ID di accesso client: -
Accessi SYNCHRONIZE
ReadData (o ListDirectory)
Privilegi -
---------------------------------------
(I'm sorry for the Italian text, but i think you can easily understand
the message)
ASPNET is part of the Users group, and the Users group has the READ,
EXECUTION and LIST permissions on C:\WINNT directory.
What this could be?
I followed all the MS KB to grant the rights priviledges to the ASPNET
account, and no application have a problem at the moment.
Only one application seems to go crazy when the number of users grows
up (we are waiting for another 1GB ram, because we think it's a
resource related issue), but we think it's an application issue not
related to this problem. Or at least, i don't think this warning in the
event viewer is related to that problem.
Thnx i.a. for the answers,
Marco
i forgot to say, the name KOSW047BFJNQUY26 changes every time.
i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use Crystal
Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the
directory/file. at least, the programmer said me that he doesn't explicitly
create it.
how can i see if it is being created with explicit permission or other grant
? i can't even find that directory.
thank you,
Marco
"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2*************@tk2msftngp13.phx.gbl... Marco,
C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
directory ?? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet ?
This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a different
account that perhaps doesn't have access to the proper directories?
-- Sean M, who admittedly is not fond of changing the identity of the worker
process
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:Od**************@TK2MSFTNGP10.phx.gbl... i forgot to say, the name KOSW047BFJNQUY26 changes every time.
i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use
Crystal Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the
directory/file. at least, the programmer said me that he doesn't
explicitly create it.
how can i see if it is being created with explicit permission or other
grant ? i can't even find that directory.
thank you,
Marco
"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2*************@tk2msftngp13.phx.gbl... Marco,
C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
directory ?? Is it being created with explicit permissions that will
exclude Users or other grant that includes Dir List for AspNet ?
The ASPNET account has R/W access to
"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Tempor ary ASP.NET Files" and
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Tempor ary ASP.NET Files" ( no
FULL CONTROL, only Modify+Read+Write, it's ok? ).
The aspnet_wp process is running under the ASPNET account.
The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of them
regarding mscorsvr.dll).
Marco.
"Sean M" <ta******@hotmail.com> ha scritto nel messaggio
news:Ol*************@TK2MSFTNGP09.phx.gbl... This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a different
account that perhaps doesn't have access to the proper directories?
-- Sean M, who admittedly is not fond of changing the identity of the
worker
process
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:Od**************@TK2MSFTNGP10.phx.gbl... i forgot to say, the name KOSW047BFJNQUY26 changes every time.
i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use
Crystal Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write the
directory/file. at least, the programmer said me that he doesn't
explicitly create it.
how can i see if it is being created with explicit permission or other
grant ? i can't even find that directory.
thank you,
Marco
"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2*************@tk2msftngp13.phx.gbl... > Marco,
>
> C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
> directory ?? Is it being created with explicit permissions that will
> exclude Users or other grant that includes Dir List for AspNet ?
>
Well, they should not be able to write to c:\winnt at all !!
When you look at one of these in c:\winnt are the NTFS permissions
on it all inherited or are some or all explicit ? i.e. gray or white boxes?
That dir name makes it sound like this was upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villan and first notify my web authors that use
crystal that c:\winnt will be altered and there apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosening c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient is not an attractive
way to go.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl... The ASPNET account has R/W access to
"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Tempor ary ASP.NET Files" and
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Tempor ary ASP.NET Files" ( no
FULL CONTROL, only Modify+Read+Write, it's ok? ).
The aspnet_wp process is running under the ASPNET account.
The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of
them regarding mscorsvr.dll).
Marco.
"Sean M" <ta******@hotmail.com> ha scritto nel messaggio
news:Ol*************@TK2MSFTNGP09.phx.gbl... This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
cache directory. Are you running the ASP.NET worker process as a
different account that perhaps doesn't have access to the proper directories?
-- Sean M, who admittedly is not fond of changing the identity of the
worker
process
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:Od**************@TK2MSFTNGP10.phx.gbl... i forgot to say, the name KOSW047BFJNQUY26 changes every time.
i still don't know who try to create that directory/file and when.
i didn't write the applications by myself, i only know that thy use
Crystal Reports, they're written in .NET 2002 and they use a component to draw
charts, dunno if it is that particular component that tryes to write
the directory/file. at least, the programmer said me that he doesn't
explicitly create it.
how can i see if it is being created with explicit permission or other
grant ? i can't even find that directory.
thank you,
Marco
"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2*************@tk2msftngp13.phx.gbl...
> Marco,
>
> C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
> directory ?? Is it being created with explicit permissions that will
> exclude Users or other grant that includes Dir List for AspNet ?
>
I can't see that items.
That directory (or files?) with the random name doesn't even seem to exists,
or at least i'm not able to see them, so i can't see the protection
settings.
The "Users" group has read only access to WINNT directory.
Why is the protection event talks about READ/SYNCRONIZE deny, if the Users
( and then the ASPNET account too) has read grants on the WINNT directory?
I don't think the programmers are creating a file in it, i talked with them
and nobody has written code to create a file/directory in C:\WINNT, or at
least we don't know if Crystal Report tryes to.
thanks for the help,
Marco
"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2**************@TK2MSFTNGP12.phx.gbl... Well, they should not be able to write to c:\winnt at all !!
When you look at one of these in c:\winnt are the NTFS permissions
on it all inherited or are some or all explicit ? i.e. gray or white
boxes?
That dir name makes it sound like this was upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villan and first notify my web authors that use
crystal that c:\winnt will be altered and there apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosening c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient is not an attractive
way to go.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl... The ASPNET account has R/W access to
"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Tempor ary ASP.NET Files" and
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Tempor ary ASP.NET Files" ( no
FULL CONTROL, only Modify+Read+Write, it's ok? ).
The aspnet_wp process is running under the ASPNET account.
The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of
them regarding mscorsvr.dll).
Marco.
"Sean M" <ta******@hotmail.com> ha scritto nel messaggio
news:Ol*************@TK2MSFTNGP09.phx.gbl... > This sounds a lot like an attempt to get at the Temporary ASP.NET Pages
> cache directory. Are you running the ASP.NET worker process as a different > account that perhaps doesn't have access to the proper directories?
>
> -- Sean M, who admittedly is not fond of changing the identity of the
> worker
> process
>
> "M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in
> message
> news:Od**************@TK2MSFTNGP10.phx.gbl...
>> i forgot to say, the name KOSW047BFJNQUY26 changes every time.
>>
>> i still don't know who try to create that directory/file and when.
>> i didn't write the applications by myself, i only know that thy use
> Crystal
>> Reports, they're written in .NET 2002 and they use a component to draw
>> charts, dunno if it is that particular component that tryes to write the >> directory/file. at least, the programmer said me that he doesn't
> explicitly
>> create it.
>>
>> how can i see if it is being created with explicit permission or other
> grant
>> ? i can't even find that directory.
>>
>> thank you,
>> Marco
>>
>>
>>
>> "Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
>> news:e2*************@tk2msftngp13.phx.gbl...
>> > Marco,
>> >
>> > C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
>> > directory ?? Is it being created with explicit permissions that
>> > will
>> > exclude Users or other grant that includes Dir List for AspNet ?
>> >
>>
>
>
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:Oh*************@TK2MSFTNGP14.phx.gbl... I can't see that items.
That directory (or files?) with the random name doesn't even seem to
exists, or at least i'm not able to see them, so i can't see the protection
settings.
It could be that the failure message is because of "file not found" ??
The "Users" group has read only access to WINNT directory.
Why is the protection event talks about READ/SYNCRONIZE deny, if the Users
( and then the ASPNET account too) has read grants on the WINNT directory?
That is why I first asked about explicit as compared to inherited grants.
Users Read allows just these. That it is a minimal request being made
and one within the inherited grants, makes it sound like something is
looking for a file in the wrong place (?)
I don't think the programmers are creating a file in it, i talked with
them and nobody has written code to create a file/directory in C:\WINNT, or at
least we don't know if Crystal Report tryes to.
I can't help you there, but it is good you have that info from the devs.
thanks for the help,
Marco
"Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
news:e2**************@TK2MSFTNGP12.phx.gbl... Well, they should not be able to write to c:\winnt at all !!
When you look at one of these in c:\winnt are the NTFS permissions
on it all inherited or are some or all explicit ? i.e. gray or white
boxes?
That dir name makes it sound like this was upgrade to W2k from NT4,
which would leave c:\winnt permissioned loose.
I would be the villan and first notify my web authors that use
crystal that c:\winnt will be altered and there apps will fail
if they do not use the temp environment var to locate their
file usage correctly, and I would set an implementation date
and hold to it. When that date comes you will find out who
is responsible. The alternative, of trying to loosening c:\winnt
permissions, if it is not an explicitly set permissions issue, so
that inherited permissions are sufficient is not an attractive
way to go.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl... The ASPNET account has R/W access to
"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Tempor ary ASP.NET Files"
and "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Tempor ary ASP.NET Files"
( no FULL CONTROL, only Modify+Read+Write, it's ok? ).
The aspnet_wp process is running under the ASPNET account.
The aspnet_wp process i using 195MB of memory, with a peak of 312MB.
With a process viewer i can see it has abount 22 threads (nearly all of
them regarding mscorsvr.dll).
Marco.
"Sean M" <ta******@hotmail.com> ha scritto nel messaggio
news:Ol*************@TK2MSFTNGP09.phx.gbl...
> This sounds a lot like an attempt to get at the Temporary ASP.NET
Pages > cache directory. Are you running the ASP.NET worker process as a
different > account that perhaps doesn't have access to the proper directories?
>
> -- Sean M, who admittedly is not fond of changing the identity of the
> worker
> process
>
> "M. Simioni" <m.*****************@TOCONTACTMEgmail.com> wrote in
> message
> news:Od**************@TK2MSFTNGP10.phx.gbl...
>> i forgot to say, the name KOSW047BFJNQUY26 changes every time.
>>
>> i still don't know who try to create that directory/file and when.
>> i didn't write the applications by myself, i only know that thy use
> Crystal
>> Reports, they're written in .NET 2002 and they use a component to
draw >> charts, dunno if it is that particular component that tryes to write
the >> directory/file. at least, the programmer said me that he doesn't
> explicitly
>> create it.
>>
>> how can i see if it is being created with explicit permission or
other > grant
>> ? i can't even find that directory.
>>
>> thank you,
>> Marco
>>
>>
>>
>> "Roger Abell" <mv*******@asu.edu> ha scritto nel messaggio
>> news:e2*************@tk2msftngp13.phx.gbl...
>> > Marco,
>> >
>> > C:\WINNT\KOSW047BFJNQUY26 appears to be some temporary
>> > directory ?? Is it being created with explicit permissions that
>> > will
>> > exclude Users or other grant that includes Dir List for AspNet ?
>> >
>>
>
>
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: jano |
last post by:
Hi,
I am trying to install a web application on an AD domain controller (security risk I know but it is our client's requirement) and i need to give the aspnet account certain permissions....
|
by: Zeng |
last post by:
Hi,
I'm running ClrProfiler for the first time to profile my web app, and it
keeps getting stuck at this msg box: "Waiting for Asp.net to start common
language runtime - this is the time to load...
|
by: CESAR DE LA TORRE [MVP] |
last post by:
I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos
authentication and passing Kerberos ticket from Presentation Tier (VSTO.2005
client) to Server Tier through our Web...
|
by: musosdev |
last post by:
Hi guys
I've just noticed I don't have an ASPNET user account running on either my
Workstation or Server (both running .net2.0, workstation has vs2005 pro).
Simple question... should it be...
|
by: Paul Aspinall |
last post by:
Hi
I am trying to print, server side, from my web application.
I'm getting problems, as my ASPNET account is a local account, and is not
trusted on the domain to print to printers (ie. does not...
|
by: torus |
last post by:
Is the aspnet account called "aspnet" for all non-English versions of
Windows and IIS?
|
by: =?Utf-8?B?TWljaGFlbCBNaWxsZXI=?= |
last post by:
I created a walkthrough and couldn't connect to my sql server. I looked up
the problem and MSDN told me to create an ASPNET "User" in SQL Svr.
It worked, but is that right? Do I have to do that...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
| |
