Killing and Starting a Process on a Remote Machine

[Yosh]

I am developing an application that will stop and start a process on a
remote machine. What security rights are needed for my application to be
able to do this?

Hope this makes sense.

Yosh

 

[Willy Denoyette [MVP]]

I am developing an application that will stop and start a process on a
remote machine. What security rights are needed for my application to be
able to do this?

Hope this makes sense.

Yosh

What kind of application are you starting remotely? How do you intend to
start/stop a remote application, what mechanism/API are you using in your
code?


Willy.

 

[Yosh]

Willy,

The application is IIS and the file that I am wanting to Stop and Start is
inetinfo.exe. Right now, I am using the System.Diagnostics.Process class to
get a list of running processes and find the inetinfo.exe process to kill
it.

Unfortunately, I don't see a way to start a process remotely and I am
concerned about what security access rights are required to start and stop
processes on a remote machine.

Thanks,

Yosh

 

[Willy Denoyette [MVP]]

Willy,

The application is IIS and the file that I am wanting to Stop and Start is
inetinfo.exe. Right now, I am using the System.Diagnostics.Process class
to
get a list of running processes and find the inetinfo.exe process to kill
it.

Unfortunately, I don't see a way to start a process remotely and I am
concerned about what security access rights are required to start and stop
processes on a remote machine.

Thanks,

Yosh

IIS runs as a service, so you have to issue a Start/stop command through the
Service Control Manager (SCM).

There are several ways to do this:
1. The easiest is to use the sc.exe commandline utility, but here you need
to run as a local administrator on IIS the server, or a Domain admin .
2. Using System.Management namespace classes and the WMI IISWebService class
http://msdn.microsoft.com/library/d...html/af1a277b-e67a-41b3-9947-91c9304f8ec7.asp.
Note that this requires IIS6 on the server (w2k3)
3. Using System.Management namespace classes and the WMI Win32_Service
class. Can be used for all IIS 5 and IIS6.

Here is a sample for option 2, option 3 is quite similar, consult MSDN for
details about WMI.

using System;
using System.Management;
using System.Diagnostics;

public class Wmis {
public static void Main() {

ConnectionOptions co = new ConnectionOptions();
//get user and password
co.Username = "domain\\administrator"; // here domain can be the IIS
servername or a domain name
co.Password = "hispwd";
co.Authentication = AuthenticationLevel.PacketPrivacy; // This is the
minimum authentication level allowed

ManagementScope ms = new
ManagementScope(@"\\YourIISServer\root\MicrosoftIISv2", co);
ServiceAction(ms, "StopService"); // Stop IIS
ServiceAction(ms, "StartService"); // Start IIS
}
static void ServiceAction( ManagementScope ms, string ServiceAction)
{
string mp = String.Format("IIsWebService.Name='W3SVC'");
using(ManagementObject oW3SVC = new ManagementObject(ms, new
ManagementPath(mp), null))
{
ManagementBaseObject outParams = oW3SVC.InvokeMethod(ServiceAction, null,
null);
// Handle the return code, here simply display the return value
Console.WriteLine
((System.UInt32)(outParams.Properties["ReturnValue"].Value));
}
}
}


Willy.

 

[Guest]

Willy,

I don't mean to hijack this thread, but I have an issue that revolves around
this topic that I'm hoping you'll know the anser to. Basically, I can access
root\cimv2 classes from ASP.NET (and VBScript), but using the same methods, I
can't access root\MicrosoftIISv2. I get an Access Denied just trying to do a
..Get or .CreateInstance.

Any ideas?

Thanks,
Anton

Willy,

The application is IIS and the file that I am wanting to Stop and Start is
inetinfo.exe. Right now, I am using the System.Diagnostics.Process class
to
get a list of running processes and find the inetinfo.exe process to kill
it.

Unfortunately, I don't see a way to start a process remotely and I am
concerned about what security access rights are required to start and stop
processes on a remote machine.

Thanks,

Yosh

IIS runs as a service, so you have to issue a Start/stop command through the
Service Control Manager (SCM).

There are several ways to do this:
1. The easiest is to use the sc.exe commandline utility, but here you need
to run as a local administrator on IIS the server, or a Domain admin .
2. Using System.Management namespace classes and the WMI IISWebService class
http://msdn.microsoft.com/library/d...html/af1a277b-e67a-41b3-9947-91c9304f8ec7.asp.
Note that this requires IIS6 on the server (w2k3)
3. Using System.Management namespace classes and the WMI Win32_Service
class. Can be used for all IIS 5 and IIS6.

Here is a sample for option 2, option 3 is quite similar, consult MSDN for
details about WMI.

using System;
using System.Management;
using System.Diagnostics;

public class Wmis {
public static void Main() {

ConnectionOptions co = new ConnectionOptions();
//get user and password
co.Username = "domain\\administrator"; // here domain can be the IIS
servername or a domain name
co.Password = "hispwd";
co.Authentication = AuthenticationLevel.PacketPrivacy; // This is the
minimum authentication level allowed

ManagementScope ms = new
ManagementScope(@"\\YourIISServer\root\MicrosoftIISv2", co);
ServiceAction(ms, "StopService"); // Stop IIS
ServiceAction(ms, "StartService"); // Start IIS
}
static void ServiceAction( ManagementScope ms, string ServiceAction)
{
string mp = String.Format("IIsWebService.Name='W3SVC'");
using(ManagementObject oW3SVC = new ManagementObject(ms, new
ManagementPath(mp), null))
{
ManagementBaseObject outParams = oW3SVC.InvokeMethod(ServiceAction, null,
null);
// Handle the return code, here simply display the return value
Console.WriteLine
((System.UInt32)(outParams.Properties["ReturnValue"].Value));
}
}
}


Willy.

 

[Yosh]

Sounds like a permission problem. Are you the admin?

Willy,

I don't mean to hijack this thread, but I have an issue that revolves
around
this topic that I'm hoping you'll know the anser to. Basically, I can
access
root\cimv2 classes from ASP.NET (and VBScript), but using the same
methods, I
can't access root\MicrosoftIISv2. I get an Access Denied just trying to
do a
.Get or .CreateInstance.

Any ideas?

Thanks,
Anton

Willy,

The application is IIS and the file that I am wanting to Stop and Start
is
inetinfo.exe. Right now, I am using the System.Diagnostics.Process
class
to
get a list of running processes and find the inetinfo.exe process to
kill
it.

Unfortunately, I don't see a way to start a process remotely and I am
concerned about what security access rights are required to start and
stop
processes on a remote machine.

Thanks,

Yosh

IIS runs as a service, so you have to issue a Start/stop command through
the
Service Control Manager (SCM).

There are several ways to do this:
1. The easiest is to use the sc.exe commandline utility, but here you
need
to run as a local administrator on IIS the server, or a Domain admin .
2. Using System.Management namespace classes and the WMI IISWebService
class
http://msdn.microsoft.com/library/d...html/af1a277b-e67a-41b3-9947-91c9304f8ec7.asp.
Note that this requires IIS6 on the server (w2k3)
3. Using System.Management namespace classes and the WMI Win32_Service
class. Can be used for all IIS 5 and IIS6.

Here is a sample for option 2, option 3 is quite similar, consult MSDN
for
details about WMI.

using System;
using System.Management;
using System.Diagnostics;

public class Wmis {
public static void Main() {

ConnectionOptions co = new ConnectionOptions();
//get user and password
co.Username = "domain\\administrator"; // here domain can be the IIS
servername or a domain name
co.Password = "hispwd";
co.Authentication = AuthenticationLevel.PacketPrivacy; // This is the
minimum authentication level allowed

ManagementScope ms = new
ManagementScope(@"\\YourIISServer\root\MicrosoftIISv2", co);
ServiceAction(ms, "StopService"); // Stop IIS
ServiceAction(ms, "StartService"); // Start IIS
}
static void ServiceAction( ManagementScope ms, string ServiceAction)
{
string mp = String.Format("IIsWebService.Name='W3SVC'");
using(ManagementObject oW3SVC = new ManagementObject(ms, new
ManagementPath(mp), null))
{
ManagementBaseObject outParams = oW3SVC.InvokeMethod(ServiceAction,
null,
null);
// Handle the return code, here simply display the return value
Console.WriteLine
((System.UInt32)(outParams.Properties["ReturnValue"].Value));
}
}
}


Willy.

 

[Guest]

Yes. I concur, I do believe it to be a security issue. I'm using a domain
admin account that is also in the local Administrator group on both machines.
I have no troubles accessing it locally, but remotely, I cannot access the
IIS WMI classes. From the same ASP.NET application, I can create directories
and access root\cimv2 classes remotely.

The environment is a W2K3 domain, with both servers running W2K3, SP1.

Sounds like a permission problem. Are you the admin?

Willy,

I don't mean to hijack this thread, but I have an issue that revolves
around
this topic that I'm hoping you'll know the anser to. Basically, I can
access
root\cimv2 classes from ASP.NET (and VBScript), but using the same
methods, I
can't access root\MicrosoftIISv2. I get an Access Denied just trying to
do a
.Get or .CreateInstance.

Any ideas?

Thanks,
Anton

Willy,

The application is IIS and the file that I am wanting to Stop and Start
is
inetinfo.exe. Right now, I am using the System.Diagnostics.Process
class
to
get a list of running processes and find the inetinfo.exe process to
kill
it.

Unfortunately, I don't see a way to start a process remotely and I am
concerned about what security access rights are required to start and
stop
processes on a remote machine.

Thanks,

Yosh



IIS runs as a service, so you have to issue a Start/stop command through
the
Service Control Manager (SCM).

There are several ways to do this:
1. The easiest is to use the sc.exe commandline utility, but here you
need
to run as a local administrator on IIS the server, or a Domain admin .
2. Using System.Management namespace classes and the WMI IISWebService
class
http://msdn.microsoft.com/library/d...html/af1a277b-e67a-41b3-9947-91c9304f8ec7.asp.
Note that this requires IIS6 on the server (w2k3)
3. Using System.Management namespace classes and the WMI Win32_Service
class. Can be used for all IIS 5 and IIS6.

Here is a sample for option 2, option 3 is quite similar, consult MSDN
for
details about WMI.

using System;
using System.Management;
using System.Diagnostics;

public class Wmis {
public static void Main() {

ConnectionOptions co = new ConnectionOptions();
//get user and password
co.Username = "domain\\administrator"; // here domain can be the IIS
servername or a domain name
co.Password = "hispwd";
co.Authentication = AuthenticationLevel.PacketPrivacy; // This is the
minimum authentication level allowed

ManagementScope ms = new
ManagementScope(@"\\YourIISServer\root\MicrosoftIISv2", co);
ServiceAction(ms, "StopService"); // Stop IIS
ServiceAction(ms, "StartService"); // Start IIS
}
static void ServiceAction( ManagementScope ms, string ServiceAction)
{
string mp = String.Format("IIsWebService.Name='W3SVC'");
using(ManagementObject oW3SVC = new ManagementObject(ms, new
ManagementPath(mp), null))
{
ManagementBaseObject outParams = oW3SVC.InvokeMethod(ServiceAction,
null,
null);
// Handle the return code, here simply display the return value
Console.WriteLine
((System.UInt32)(outParams.Properties["ReturnValue"].Value));
}
}
}


Willy.

 

[Guest]

I finally tracked it down. Turns out that each namespace in the CIM
repository has a security descriptor to control access. I was able to
access root\cimv2 just fine from ASP.NET and VBScript, but was getting Access
Denied when trying to access the root\MicrosoftIISv2 namespace. Luckily, an
error was generated in the EventViewer:

"Access to the root\MicrosoftIISv2 namespace was denied. The namespace is
marked with RequiresEncryption but the client connection was attempted with
an authentication level below Pkt_Privacy. Re try the connection using
Pkt_Privacy authentication level."

Before Windows Server 2003 SP1, providers could not set namespace security
to require encryption before returning data. It looks like with SP1, the
RequiresEncryption is configurable and is also the default. You can change
this through the WMI control (globally) or programmatically per connection.

In VB, it would look like this:
set locatorObj = CreateObject("WbemScripting.SWbemLocator")
locatorObj.Security_.authenticationLevel = WbemAuthenticationLevelPktPrivacy

In C#, it would look like this:
ConnectionOptionsObject = new ConnectionOptions();
ConnectionOptionsObject.Username = UserName;
ConnectionOptionsObject.Password = Password;
ConnectionOptionsObject.Authentication = AuthenticationLevel.PacketPrivacy;

I have not tested this on other platforms outside of W2K3, SP1, as it
presumably wasn't needed.

Yes. I concur, I do believe it to be a security issue. I'm using a domain
admin account that is also in the local Administrator group on both machines.
I have no troubles accessing it locally, but remotely, I cannot access the
IIS WMI classes. From the same ASP.NET application, I can create directories
and access root\cimv2 classes remotely.

The environment is a W2K3 domain, with both servers running W2K3, SP1.

Sounds like a permission problem. Are you the admin?

Willy,

I don't mean to hijack this thread, but I have an issue that revolves
around
this topic that I'm hoping you'll know the anser to. Basically, I can
access
root\cimv2 classes from ASP.NET (and VBScript), but using the same
methods, I
can't access root\MicrosoftIISv2. I get an Access Denied just trying to
do a
.Get or .CreateInstance.

Any ideas?

Thanks,
Anton


:



Willy,

The application is IIS and the file that I am wanting to Stop and Start
is
inetinfo.exe. Right now, I am using the System.Diagnostics.Process
class
to
get a list of running processes and find the inetinfo.exe process to
kill
it.

Unfortunately, I don't see a way to start a process remotely and I am
concerned about what security access rights are required to start and
stop
processes on a remote machine.

Thanks,

Yosh



IIS runs as a service, so you have to issue a Start/stop command through
the
Service Control Manager (SCM).

There are several ways to do this:
1. The easiest is to use the sc.exe commandline utility, but here you
need
to run as a local administrator on IIS the server, or a Domain admin .
2. Using System.Management namespace classes and the WMI IISWebService
class
http://msdn.microsoft.com/library/d...html/af1a277b-e67a-41b3-9947-91c9304f8ec7.asp.
Note that this requires IIS6 on the server (w2k3)
3. Using System.Management namespace classes and the WMI Win32_Service
class. Can be used for all IIS 5 and IIS6.

Here is a sample for option 2, option 3 is quite similar, consult MSDN
for
details about WMI.

using System;
using System.Management;
using System.Diagnostics;

public class Wmis {
public static void Main() {

ConnectionOptions co = new ConnectionOptions();
//get user and password
co.Username = "domain\\administrator"; // here domain can be the IIS
servername or a domain name
co.Password = "hispwd";
co.Authentication = AuthenticationLevel.PacketPrivacy; // This is the
minimum authentication level allowed

ManagementScope ms = new
ManagementScope(@"\\YourIISServer\root\MicrosoftIISv2", co);
ServiceAction(ms, "StopService"); // Stop IIS
ServiceAction(ms, "StartService"); // Start IIS
}
static void ServiceAction( ManagementScope ms, string ServiceAction)
{
string mp = String.Format("IIsWebService.Name='W3SVC'");
using(ManagementObject oW3SVC = new ManagementObject(ms, new
ManagementPath(mp), null))
{
ManagementBaseObject outParams = oW3SVC.InvokeMethod(ServiceAction,
null,
null);
// Handle the return code, here simply display the return value
Console.WriteLine
((System.UInt32)(outParams.Properties["ReturnValue"].Value));
}
}
}


Willy.