There may be times when you’ll want your website or application to run commands while being served by IIS. In order to do so you’ll need to set permissions to the user that runs your website or application.

Before I move on, I should stress that setting incorrect permissions (or setting permissions when you don’t need them) to cmd.exe is a liability and should be avoided

A while ago I was working on a project that allowed users to run composer commands directly from the browser. In order to make it work I had to add permissions on cmd.exe to the IIS user. However, this was not the piece of cake I thought. Usually, when you want to give permissions (for instance to files of folders) you just have to add the IUSR user (or the IIS_IUSRS group) and everything goes smooth. That’s not the case when you try to set permissions on the cmd.exe and Windows is not so permissive (and this is a good thing!).

This is how I sorted this out.

1. Can’t change permissions to cmd.exe

The first issue was when I tried to change the permissions on cmd but the buttons were locked. Even starting Exporer as an Administrator the buttons kept being locked and greyed out.

Set cmd.exe permissions to applications or sites served by IIS images/25-atribuir-permissoes-cmd-exe-para-aplicacoes-sites-servidos-por-iis/unable-to-add-or-change-cmd-permissions.png

The solution to this issue is to force the file’s ownership to your used using the takeown command:

takeown /F c:\windows\system32\cmd.exe

Beware that this command will only be successfull if you run cmd as an Administrator. To accomplish that enter cmd on the Start Menu, right-click it and select “Run as Administrator”

Set cmd.exe permissions to applications or sites served by IIS images/25-atribuir-permissoes-cmd-exe-para-aplicacoes-sites-servidos-por-iis/run-cmd-as-administrator.png

Once you run cmd as Administrator and run the command, you should see a message similar to the following

Set cmd.exe permissions to applications or sites served by IIS images/25-atribuir-permissoes-cmd-exe-para-aplicacoes-sites-servidos-por-iis/takeown-cmd-exe-successfull.png
2. Setting permissions to the correct user

Now that you can change permissions to the cmd.exe, you need to select the correct user and, as I’ve said on the top, it is not the IUSR.

IIS uses specific users depending on the Application Pool that is used by your site. By default IIS has the DefaultAppPool which is used to run the Default Web Site. But when you create a new website a new Application Pool will be created with the same name you gave to the site.

So the user you need to set permissions to is the user that runs the Application Pool and not the generic IUSR. You can see the list of Application Pools directly on IIS Manager.

Set cmd.exe permissions to applications or sites served by IIS images/25-atribuir-permissoes-cmd-exe-para-aplicacoes-sites-servidos-por-iis/iis-manager-application-pools.png

In order to set permissions to that user you need to open cmd.exe properties adn click on “Add” on the “Security” tab. The thing is, if you look through the users in your local machine you won’t find the Application Pool users. So you need to manually enter the Application Pool user preceded by IIS AppPool\ and then click on “Check Names” (eg: IIS AppPool\DefaultAppPool).

Set cmd.exe permissions to applications or sites served by IIS images/25-atribuir-permissoes-cmd-exe-para-aplicacoes-sites-servidos-por-iis/set-permissions-to-cmd-exe-iis-application-pool-user.png

You can also set permission directly from the command line using either cacls or icacls as seen below.

cacls c:\windows\system32\cmd.exe /E /G "IIS AppPool\DefaultAppPool":F
icacls c:\windows\system32\cmd.exe /grant "IIS AppPool\DefaultAppPool":F