Search code examples
phpcommand-lineexecpsexecrunas

How to run executable from PHP website as a specific Windows user?


By default PHP runs under IUSR account. When executed directly:

$lastline = exec('D:\\MyProgram.exe', $output, $return_var);

It runs, but the program is unable to do it's tasks due to insufficient privileges. My question is: How do I run an executable under a specific Windows account from a PHP website?

I've tried:

When executed through Sysinternals PsExec:

$lastline = exec('D:\\PsExec.exe -u UserName -p Password -accepteula "D:\\MyProgram.exe"', $output, $return_var);

MyProgram.exe does not even execute at all. PHP throws empty output and return_var is -1073741502. I assume this is some sort of unhandled exception.


When executed through lsrunas:

$lastline = exec('D:\\lsrunas.exe /user:UserName /password:Password /domain:DOMAIN /command:"D:\\MyProgram.exe" /runpath:D:\\', $output, $return_var);

MyProgram.exe does not execute either. PHP throws empty output and return_var is 0.


Microsoft's built in runas command doesn't work because it doesn't accept password as a parameter.


Tried using different PHP functions like shell_exec, system and passthru


Tried creating a new Application Pool under IIS, to run the website under LOCAL SERVICE, SYSTEM, or a specific user. EDIT: This is where I went wrong. It should work, but fails when Load User Profile setting is not enabled (step 3 in my answer).

Does anyone have working suggestions?

Note: All commands are working and tested through command line directly.


Solution

  • I kept digging and found out that the only thing that works is a dedicated application pool.

    1. Create a new Application Pool under IIS
    2. Set username and password in Advanced Settings > Identity > Custom account
    3. Set Advanced Settings > Load User Profile to true (this one is important)
    4. Choose this pool under Basic Settings of a site,

    -or- for a better security:

    . 5.Move all command-relatied code to one section within your website, convert it to application and apply that Application Pool to it. Then you can restrict any public access to that part and safely call that functionality from the other parts of your site.

    Important note (!):

    If you're running PHP via FastCGI, you must set fastcgi.impersonate = 0 in php.ini file.


    Test batch file:

    To test who is running the process you can save the following code to a *.bat file and call it from PHP.

    @echo off
    SET now=%date% %time%
    SET out=[%now%] %userdomain%\%username%
    echo %out%
    echo %out% > D:\hello.txt
    ::msg * "%out%"
    
    if %username%=="SpecificUser" (
      exit /B 100
    ) else (
      exit /B 200
    )
    

    Replace SpecificUser with your desired user name. Sometimes you'll see no output. The exit codes will help you then.

    In case you can't see any output or exit code at all, this script will output the username to a text file. Replace D:\hello.txt with your desired path.