01/07/2010 3744 views
IIS6 and IIS7 support Windows CGI applications (located in the cgi-bin folder).
These applications are launched by IIS as a result of an HTTP request or can be launched by the administrator when logged in locally as the admin by double clicking them in the usual way.

I have written many CGI applications and they have all run perfectly (launched either way) until now. My latest app utilizes TLS encryption via a third party DLL called cryptlib.
This should not be any big deal in itself, as most of my CGI apps use MySQL/zlib/... etc dlls without problem.

In this case (probably due to the nature of creating an SSL/TLS session) the app runs fine if launched by double clicking as administrator, but will not run when launched by IIS as the result of an incoming request. IIS uses the account "Internet Guest Account... (... IUSR)" to execute the CGI application.

I have tried giving full control to IUSR account on the app, the dll and the folder but no joy. Next I broke out ProcMon and looked for an "ACCESS DENIED" result. The only one I could find was as a result of
Desired Access: Read Attributes, Delete, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert,

This is puzzling as my application is not writing to that log file.

Next I compared the ProcMon output for the successful Administrator launch against the IUSR launch and discovered that a "ReadFile" operation was not present in the failed launch. I do not get an ACCESS DENIED error, the operation just doesn't happen.

The sequence of sequential operations for cl32.dll should be:
Load Image

I assume this is where the DLL is loaded into memory for use.

Instead of the ReadFile operation in the failed launch there is:

It quacked a little like the "Bypass traverse checking" problem described here
but that did not solve the problem.

At this point we have exceeded the limit of my knowledge of user accounts and permissions by a large margin.
One thing is clear, this is a permissions problem. The question is, which permission?
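
The trace comparison described in the post above, as an added example that is not part of the original post: it diffs two Process Monitor CSV exports (default columns) for one process and lists operations missing from the failing run, operations seen only there, and non-SUCCESS results. The process name `app.exe`, the PIDs and all paths are constructed placeholders.

```python
import csv
import io
from collections import Counter

# Constructed traces in Process Monitor's default CSV export columns.
# Process name, PIDs and paths are placeholders, not values from the post.
ADMIN_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","app.exe","1200","Load Image","C:\example\cgi-bin\cl32.dll","SUCCESS",""
"10:00:01.0000002","app.exe","1200","CreateFile","C:\example\cgi-bin\cl32.dll","SUCCESS",""
"10:00:01.0000003","app.exe","1200","ReadFile","C:\example\cgi-bin\cl32.dll","SUCCESS",""
"10:00:01.0000004","other.exe","900","ReadFile","C:\example\other.txt","SUCCESS",""
'''
IUSR_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:05:01.0000001","app.exe","1340","Load Image","C:\example\cgi-bin\cl32.dll","SUCCESS",""
"10:05:01.0000002","app.exe","1340","CreateFile","C:\example\cgi-bin\cl32.dll","SUCCESS",""
"10:05:01.0000003","app.exe","1340","CreateFile","C:\example\logs\placeholder.log","ACCESS DENIED",""
'''


def load(trace_text, process):
    """Return (Counter of (operation, path), non-SUCCESS rows) for one process."""
    # Tolerate a leading byte-order mark if the export carries one.
    rows = csv.DictReader(io.StringIO(trace_text.lstrip("\ufeff")))
    ops, failures = Counter(), []
    for row in rows:
        if row["Process Name"].lower() != process.lower():
            continue
        # Windows paths are case-insensitive, so compare them lowercased.
        ops[(row["Operation"], row["Path"].lower())] += 1
        if row["Result"] != "SUCCESS":
            failures.append((row["Operation"], row["Path"], row["Result"]))
    return ops, failures


def compare(good_text, bad_text, process):
    """Diff the working launch against the failing one."""
    good, _ = load(good_text, process)
    bad, failures = load(bad_text, process)
    return {
        "missing_in_failed": sorted(k for k in good if k not in bad),
        "only_in_failed": sorted(k for k in bad if k not in good),
        "non_success_in_failed": failures,
    }


if __name__ == "__main__":
    for name, items in compare(ADMIN_TRACE, IUSR_TRACE, "app.exe").items():
        print(name, items)
```
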

All Answers

Think you're in the wrong forum. This is an MSI packaging forum, not IIS.
Answered 01/07/2010 by: timmsie
Fourth Degree Brown Belt

I have been using Google all day and reading in this forum quite a bit. I realize it is not a perfect match, but any help would be greatly appreciated.
Answered 01/07/2010 by: MikeTrader
Yellow Belt

Well, you never know, there are some very clever people on here. Apart from me[;)]
Answered 01/07/2010 by: timmsie
Fourth Degree Brown Belt

I would suspect that that log file isn't written/accessed because the Admin user would be expected to have the required access privileges. Have you tried assigning write permissions for 'Everyone' to the log file folder?

As to debugging the registry access, clearly the user hive is unavailable. Here's some script to help you with that.
Answered 01/07/2010 by: VBScab
Red Belt