HOWTO: Run Console Applications from IIS6 on Windows Server 2003


I need some help on the following: I am trying to exectute the netstat comand in side a PHP script using PHP on a wnidows server 2003. The problem is that i am haveing a problem getting the netstat command to exec since it requires adminstration privage but PHP does not have such privage and runs as anumaliuse user - if i change the PHP to run as a adminstitor it will open up security holes on the system. I have tried to rename the netstat comand to another name and moved it to another folder given the new exec admistrator privages - and then change my script to exec()  that file unstead - This solution how ever did not work so what can i do to get around the problem. Anyone have any ideas what and how i should go about doing this and not open my server to interent hackers.

But let me explain - the command netstat is running in a PHP script as a shell exec function but since PHP as a anonymous user - the netstat comand requires administator access we are get file permison problems - ANY IDEAS OR WORK AROUND this one any one have a idea how one can do in Microsoft Server 2003.

> netstat -n | find "" | find /C "ESTABLISHED"


Actually, NetStat.exe, along with most console programs in the Windows System32 directory, does NOT require administrator privileges to execute. For example, I run NetStat.exe as an unprivileged user all the time.

What you are actually observing is a Security enhancement of NTFS ACLs made in Windows Server 2003 against remote anonymous exploitation of the server.

If you look at the ACLs of most console programs in System32 on Windows Server 2003, you will see combinations of the following NTFS ACLs:

  • Interactive:R
  • Service:R
  • Batch:R
  • TelnetClients:R
  • Administrators:F
  • System:F

How this interacts with IIS6 is very simple. IIS runs as an unprivileged user account and performs an unprivileged, non-interactive NETWORK_CLEARTEXT user login for the authenticating user account, and this user identity is used to execute the request. Now, this user identity is usually not included in any of the aforementioned ACLs. This means that if you login via IIS, you MUST be an Administrator to be able to read and execute those programs.

Meanwhile, if you login via the console or remote desktop, it would be considered an interactive login and the Interactive:R ACL will grant that user, even if unprivileged, permission to read and execute those programs.

This is why an unprivileged local console login of the anonymous user can run NetStat.exe while the network login of the same anonymous user cannot run NetStat.exe.

In short, your solutions include:

  1. Keep File's ACLs the same and somehow run PHP exec() as an Administrator or System
  2. Change File's ACLs to include your unprivileged user and run PHP exec() as the unprivileged user

Both actions have their pros and cons. You can weigh them and decide the best choice for your situation. The first option is a security vulnerability because your applications needlessly run with elevated privileges all the time. The second option weakens system security by allowing unprivileged remote user ability to run certain console applications on the server. But, such is the security decision that you must make - every permission and program granted to remote anonymous users opens up a new attack surface - IIS6 and Windows Server 2003 merely brings that to your attention front-and-center.


Comments (10)

  1. jhony111 says:

    David please help me. We started a site . But it is not getting rank at google.Our site gives idea about kerala tours and kerala travel etc.

    Please suggest a good answer how to get ranked on google.



  2. David.Wang says:

    Jhony – I’d love to be able to help, but I don’t even know how and why my blog is getting indexed and ranked by Google… much less how to do this for any website. So, sorry, I cannot help with this…


  3. Hulikal says:

    Hi David,

    I have a similar problem – creating scheduled tasks from an asp. When i try to create a scheduled tsk frm an asp on Win 2k Server, tsk gets created hassle free; but on Win 2k3 Server the creation fails. I have tried to change the permissions on both system32 dir and schtasks.exe and its still not working.

    Any ideas why this is happening??

  4. David.Wang says:

    Hulikal – I have no idea.

    Maybe like the Event Log on Windows Server 2003, which is also inaccessible to ASP and anonymous user by default, Task Scheduling requires elevated privileges (or at least requires configuration to allow non-privileged identities to schedule Tasks).

    If so, then regardless of how you change user permissions on System32 dir or schtasks.exe, it will not work.

    It is easy to figure this out with FileMon – the only time that changing file ACLs is the "solution" is when the original failure is due to lack of ACLs, and FileMon will flag these as ACCESS_DENIED

    If the issue is a matter of privileges, then regardless of what FileMon says, if the user does not have privileges, then execution fails. In those cases, FileMon can report successful access to the file, but you still fail.

    Personally, I prefer the hassles on Windows Server 2003. We are making the secure choice by default, so it simply reminds you that you are doing something potentially insecure and you need to make a choice.

    For example, allowing non-elevated user to schedule a task that can run as LocalSystem is basically an elevation-of-privilege security attack. You may have relied on this functionality to be hassle free before, but we are simply telling you it is not secure and hence not allowing you to do it by default.

    Yes, we know that it breaks "compatibility" for your application, but we will continue to make such changes to improve security.


  5. David Wang says:

    I finally have enough blog entries about various portions of IIS6 request processing that I can stitch…

  6. Sachin says:


    Needed your help – we are trying to run dirquota with command strings from ASP.NET using system.diagnostic method but it seems to do nothing and fail with access denied…

    Any ideas?



  7. Raffee says:

    Hello, thanks for the article.

    I am also trying to run dirquota from ASP.NET and I am not able to. I am not getting an error, but the quota is simply not set. I have created a batch file, that has other commands (CD. MD) and finally dirquota, but for some reason all the commands are executed except for the dirquota. I tried just to run notepad.exe or CMD.exe and again it is not running without giving any errors. What should I do?

  8. David.Wang says:

    Raffee – please determine the required permissions to run dirquota, and then ensure that ASP.Net executes that command with an account with the necessary permissions.

    You should find the answers to all those questions in other posts on my blog.


  9. Johnson says:

    Great post! Very useful and reliable, thank you for sharing your knowledge…with us…David please advice how can I improve in Google.

Skip to main content