IIS and Web Servers
Unload IIS AppPool without Admin Privilege
Unload IIS AppPool without Admin Privilege
  Markus Winhard
  All
  Sep 18, 2021 @ 06:19am

Is it possible to force unloading of an IIS AppPool when I'm not a member of the Administrators group? E.g., by creating some file on disk or by changing the timestamp of some file?

I need this to update a vfp mtdll that's loaded by an asp.net webforms page.

I used to call iisreset but now I have to update my vfp mtdll on a machine where I'm not a member of the Administrators group.

TIA,

Markus

re: Unload IIS AppPool without Admin Privilege
  Rick Strahl
  Markus Winhard
  Sep 18, 2021 @ 02:10pm

You can't unload the app pool without admin, but you can unload the application, which should be enough to unload any loaded DLLs including COM DLLs unless they are locked. To do this 'touch' the web.config file. I think you can also change or add a DLL file in the /bin folder which has the same effect.

Note that your account has to have rights to write in the Web folder for this to work too, so you already need to have some elevated security that allows the local account running the site to modify files in the web folder...

+++ Rick ---

re: Unload IIS AppPool without Admin Privilege
  Markus Winhard
  Rick Strahl
  Sep 19, 2021 @ 03:58am

Hi Rick,

just tested your suggestion. I opened web.config in notepad, inserted and removed a space character, then saved it.

Unfortunately my vfp mtdll is still locked. I cannot rename or overwrite it. The "file in use" messagebox says "The action can't be completed because the file is open in IIS Worker Process".

Is there another way to unload/restart/recycle the IIS AppPool?

Can the asp.net webforms page unload/restart/recycle its own AppPool on purpose?

More ideas?

TIA, Markus

re: Unload IIS AppPool without Admin Privilege
  Rick Strahl
  Markus Winhard
  Sep 19, 2021 @ 10:52am

Only using the IIS Admin objects, which requires admin rights. You could also kill the process, but that too requires Admin rights.

+++ Rick ---

re: Unload IIS AppPool without Admin Privilege
  Markus Winhard
  Rick Strahl
  Sep 21, 2021 @ 02:19am

My new idea is a c# windows service that uses these IIS Admin objects. And a c# exe that calls some method of the windows service, that accepts the IIS AppPool to restart as a parameter.

The admins will install the service for me if I show them my source code.

The only sample of using IIS Admin objects I'm aware of is https://west-wind.com/presentations/WebServerConfig/WebServerConfig.htm Using c#, is there a better way in the meantime?

The second problem is I have no idea of windows services and how to call them from an exe with less privilege. 😉

TIA,

Markus

re: Unload IIS AppPool without Admin Privilege
  Rick Strahl
  Markus Winhard
  Sep 21, 2021 @ 11:36am

Yeah external process with messaging is the way to go.

.NET has some built in support for services. There's a library called TopShelf that helps with that if you don't want to do it by hand. There are built in classes but you have to handle the service registration yourself.

I think I have an ancient blog post on this (for hosting a SignalR server as a Windows Service):

https://weblog.west-wind.com/posts/2013/Sep/04/SelfHosting-SignalR-in-a-Windows-Service

+++ Rick ---

re: Unload IIS AppPool without Admin Privilege
  Markus Winhard
  Rick Strahl
  Sep 22, 2021 @ 08:15pm

Let's say I have built a windows service using c#. It's installed and running with SYSTEM privilege.

I assume "external process with messaging" is the way how I can call methods on that service from a c# client exe running under a limited user account on the same machine.

Can you please talk a bit more on this?

TIA,

Markus

re: Unload IIS AppPool without Admin Privilege
  Rick Strahl
  Markus Winhard
  Sep 23, 2021 @ 12:31pm

I don't think you can use SendMessage to kill Application Pools - they are controlled by the IIS Host manager that manages the running services. If you hard kill it that manager will just fire up a new one right away again, so in order to do this you need to use the IIS Admin object to shut it down.

Here's a really old post that shows you how you can do this:

A tiny Utility to recycle an IIS Application Pool.

There are also Powershell objects that you can use from the WebAdministration Module:

```powershell
Import-Module WebAdministration
Stop-WebAppPool "WebConnection"

# Do what you need to

Start-WebAppPool "WebConnection"
```

+++ Rick ---

re: Unload IIS AppPool without Admin Privilege
  Markus Winhard
  Rick Strahl
  Sep 25, 2021 @ 11:53pm

Nice little code snippet. 😃 Thank you very much!

Let's assume I have my windows service up and running. It's running under the SYSTEM account. It has a method with your code to recycle an AppPool.

Now I have to trigger this method from a c# exe, that's running under a non-privileged interactive user account. How do I do this?

TIA,

Markus

re: Unload IIS AppPool without Admin Privilege
  Rick Strahl
  Markus Winhard
  Sep 27, 2021 @ 10:21am

You need some sort of interprocess messaging to make this work. I like Named Pipes for this.

Here are a few blog posts:

Single Instance WPF applications with Named Pipes for forwarding (for .NET)

10 uses for wwDotnetBridge (look for the Named Pipe Section in the PDF) (for FoxPro)

Another - perhaps simpler - option is to use one or more files in a special folder both the service and your app have access to and write a file that the service checks for every few seconds (or whenever). If the file is found it can read the app pool and shut it down. Problem with this is that it's constantly churning at the file system - named pipes will be much quicker.

+++ Rick ---
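
The named-pipe option from the reply above, as an added example that is not code from this thread or from the linked posts: the SYSTEM service side, with the pipe ACL limited to one group and the pool name checked against an allowlist, since the pipe is the privilege boundary. It assumes .NET Framework 4.x with a reference to Microsoft.Web.Administration; the pipe name `AppPoolRecycle` and the group `MYHOST\PoolRecyclers` are hypothetical placeholders, and `WebConnection` is the pool name used in the PowerShell snippet earlier in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;
using Microsoft.Web.Administration;
static class RecyclePipeServer
{
    const string PipeName = "AppPoolRecycle";            // hypothetical pipe name
    const string ClientGroup = @"MYHOST\PoolRecyclers";  // placeholder local group
    static readonly HashSet<string> AllowedPools =       // allowlist; client input never widens it
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "WebConnection" };
    public static void Run()   // call from the service's worker thread
    {
        var acl = new PipeSecurity();   // explicit DACL: SYSTEM plus one named group
        var system = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
        acl.AddAccessRule(new PipeAccessRule(system, PipeAccessRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new PipeAccessRule(ClientGroup, PipeAccessRights.ReadWrite, AccessControlType.Allow));
        while (true)
        {
            try
            {
                using (var pipe = new NamedPipeServerStream(PipeName, PipeDirection.InOut, 1,
                    PipeTransmissionMode.Byte, PipeOptions.None, 128, 128, acl))
                {
                    pipe.WaitForConnection();
                    var buf = new byte[128];   // bounded read of one short request
                    int n = pipe.Read(buf, 0, buf.Length);
                    string pool = Encoding.UTF8.GetString(buf, 0, n).Trim();
                    byte[] reply = Encoding.UTF8.GetBytes(Recycle(pool));
                    pipe.Write(reply, 0, reply.Length);
                    pipe.WaitForPipeDrain();
                }
            }
            catch (Exception) { System.Threading.Thread.Sleep(1000); } // log in a real service
        }
    }
    static string Recycle(string pool)
    {
        if (!AllowedPools.Contains(pool)) return "DENIED";
        using (var iis = new ServerManager())
        {
            ApplicationPool target = iis.ApplicationPools[pool];
            if (target == null) return "NOTFOUND";
            target.Recycle();
            return "OK";
        }
    }
}
```

A client running under an account in the allowed group connects with `NamedPipeClientStream`, writes the pool name and reads the one-word reply.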
