HOWTO: Access the Desktop from ASP, CGI, or ISAPI

ID: Q241170


The information in this article applies to:
  • Microsoft Internet Information Server version 4.0


SUMMARY

There are a number of ways to access the interactive desktop using CGI, ISAPI extensions and ISAPI filters. The method you choose is important and requires consideration. This article is a guide to help you decide what process to use. Three main settings dictate whether accessing the desktop will be successful or not:

CreateProcessAsUser

The CreateProcessAsUser metabase setting dictates whether Internet Information Server (IIS) invokes a CGI application under the user context specified in the Internet Service Manager, or executes the CGI application to run in the System context. Keep in mind, when an application is running in the context of the System, it has complete control over the computer and any security holes in your CGI application can compromise your system. It is suggested that you toggle this setting only on the CGI application and not an entire Virtual Directory within IIS. See the "More Information" section for information on how to use this setting.

Interact with Desktop

This property, a part of the IIS Admin Service, allows IIS (and all applications spawned by IIS with CreateProcess()) to interact with the default desktop. You may not want to allow all applications running on your Web server to have access because of potential additional message boxes being displayed. There is a way to allow applications running under the System context to programmatically access the default desktop. See the "More Information" section for information on how to configure this checkbox and programmatically access the default desktop.

IIS Security Settings

Whether the security set on a CGI application is "Anonymous" or "NTLM" can affect whether the application can access the desktop. See the following table for information specific to ISAPI or CGI.

CGI

                  CreateProcessAsUser  Interact With Desktop  NTFS Only?  Can Interact With Desktop  User Context
CGI Applications  FALSE                No                     FALSE       Programmatically (1)       System
                  FALSE                No                     TRUE        Programmatically (1)       System
                  FALSE                Yes                    FALSE       Yes                        System
                  FALSE                Yes                    TRUE        Yes                        System
                  TRUE                 No                     FALSE       No                         IUSR_MACHINENAME (Anonymous User)
                  TRUE                 No                     TRUE        Yes (2)                    NTLM User ID
                  TRUE                 Yes                    FALSE       No                         IUSR_MACHINENAME (Anonymous User)
                  TRUE                 Yes                    TRUE        Yes (2)                    NTLM User ID
ISAPI Extensions  N/A                  No                     FALSE       No                         IUSR_MACHINENAME
                  N/A                  No                     TRUE        No                         NTLM User
                  N/A                  Yes                    FALSE       Yes                        IUSR_MACHINENAME
                  N/A                  Yes                    TRUE        Yes                        NTLM User
ISAPI filter      N/A                  No                     N/A         Programmatically           N/A
                  N/A                  Yes                    N/A         Yes                        N/A

N/A = Not applicable
  1. An example of how to programmatically interface with the Interactive Desktop when running in the context of the system is located in the "More Information" section.
  2. Only the user who is logged into the IIS server will have access to its desktop. All other NTLM users will get Access Denied messages.



MORE INFORMATION

CreateProcessAsUser

To change the CreateProcessAsUser setting in the metabase, you must take a few things into consideration. Only files in the Web root, folders in the Web root, and the Web root itself can be set to have this property. Any attempt to set the properties on a file in a subfolder of the root will fail. If this property is set on an entire folder, then any CGI executables will be launched in the context of the system. This can be a potential security threat. It is recommended that you keep your CGI application in the Web's root, and only allow it to have system privileges.

The ADSUTIL administrative script allows you to change this setting. The command syntax is as follows:

ADSUTIL SET W3SVC/WEB ID/ROOT/CGI application/CreateProcessAsUser 0

WEB ID - If there is only one Web running on IIS, this is always "1"; otherwise, the Webs are numbered in the order that they were created.

CGI Application - The name of the executable file.

Example:

ADSUTIL SET W3SVC/1/ROOT/cgiapp.exe/CreateProcessAsUser 0

ADSUTIL.vbs is typically located on Windows NT 4.0 computers at:

C:\WINNT\SYSTEM32\ADMINSAMPLES\ADSUTIL.vbs

ADSUTIL.vbs is typically located on Windows 2000 computers at:

C:\InetPub\AdminScripts\ADSUTIL.vbs
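
To review where this setting has been applied, the following added example (not part of the original article or of ADSUTIL) parses a saved metabase enumeration and lists every path where CreateProcessAsUser is FALSE, marking whether it sits on a single file, as recommended above, or on a folder. The dump layout, the sample paths and the function names are assumptions, and the sample text is constructed.

```python
import re

# Constructed sample in the style of an ADSUTIL enumeration of W3SVC/1/ROOT
# (the layout is an assumption; adjust the regexes to what your copy prints).
SAMPLE = """\
[/W3SVC/1/ROOT]
KeyType                         : (STRING) "IIsWebVirtualDir"
CreateProcessAsUser             : (BOOLEAN) True
[/W3SVC/1/ROOT/cgiapp.exe]
KeyType                         : (STRING) "IIsWebFile"
CreateProcessAsUser             : (BOOLEAN) False
[/W3SVC/1/ROOT/scripts]
KeyType                         : (STRING) "IIsWebDirectory"
CreateProcessAsUser             : (BOOLEAN) False
[/W3SVC/1/ROOT/scripts/report.exe]
KeyType                         : (STRING) "IIsWebFile"
"""

PATH_RE = re.compile(r"^\[(?P<path>/[^\]]+)\]\s*$")
PROP_RE = re.compile(r"^(?P<name>\w+)\s*:\s*\((?P<type>\w+)\)\s*(?P<value>.*)$")

def parse_metabase(text):
    """Return {path: {property: value}} from an enumeration dump."""
    nodes, current = {}, None
    for line in text.splitlines():
        m = PATH_RE.match(line.strip())
        if m:
            current = nodes.setdefault(m.group("path"), {})
            continue
        m = PROP_RE.match(line.strip())
        if m and current is not None:
            current[m.group("name")] = m.group("value").strip().strip('"')
    return nodes

def system_context_cgi(nodes):
    """List (path, scope) where CreateProcessAsUser is explicitly FALSE."""
    # scope "file": one executable; "folder": every CGI below it runs as System
    findings = []
    for path, props in sorted(nodes.items()):
        if props.get("CreateProcessAsUser", "").lower() in ("false", "0"):
            scope = "file" if props.get("KeyType") == "IIsWebFile" else "folder"
            findings.append((path, scope))
    return findings

if __name__ == "__main__":
    for path, scope in system_context_cgi(parse_metabase(SAMPLE)):
        print(f"{scope:6} {path}: CGI launched in the System context")
```

A "folder" finding is the case the article advises against, because executables below that path, such as report.exe in the sample, have no setting of their own.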

Interact with Desktop

Steps to set the IISADMIN service to interact with the desktop:
  1. Open the Windows Control Panel (From the Start button select Settings and then Control Panel.)
  2. Select Services.
  3. Select IIS Admin Service.
  4. Select Allow Service to Interact with Desktop checkbox.
  5. Stop and restart the IIS Admin Service.


How to Programmatically Access the Desktop

The following code demonstrates how to switch to the interactive user's desktop in order to manipulate windows. Note that this only works if the user account that is logged in has permission to access the desktop. By default, the System always has access. The code has no error handling and is meant merely as a concise example of which functions are called when attempting to access the desktop.

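#include <windows.h>

...


HDESK               hdesk;
HDESK               hdeskSave;
HWINSTA             hwinsta;
HWINSTA             hwinstaSave;

//
// save the current window station and desktop so that they can
// be restored before the handles opened below are closed
//
hwinstaSave = GetProcessWindowStation();
hdeskSave = GetThreadDesktop(GetCurrentThreadId());

//
// obtain a handle to the interactive window station
//
hwinsta = OpenWindowStation("winsta0", FALSE, WINSTA_READATTRIBUTES);

//
// set the window station to winsta0 so that you obtain the
// correct default desktop
//
SetProcessWindowStation(hwinsta);

//
// obtain a handle to the "default" desktop
//
hdesk = OpenDesktop(
	"default",
	0,
	FALSE,
	0
	);

//
// set the desktop for the thread
//
SetThreadDesktop(hdesk);

/*
INSERT ANY WINDOW CODE YOU WANT INTO THIS SECTION
*/

//
// restore the original window station and desktop; a window station
// or desktop that is still assigned to the process or thread cannot
// be closed
//
SetProcessWindowStation(hwinstaSave);
SetThreadDesktop(hdeskSave);

//
// close the handles to the interactive window station and desktop
//
CloseWindowStation(hwinsta);
CloseDesktop(hdesk);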


REFERENCES

For additional information, please see the following article(s) in the Microsoft Knowledge Base:

Q173687 HOWTO: Access the Application Desktop from a Service

Version : winnt:4.0
Platform : winnt
Issue type : kbhowto


Last Reviewed: November 17, 1999
© 2000 Microsoft Corporation. All rights reserved.