What do you do if you need to make a webpage that runs batch files (For example .bat, .cmd, .vbs, .ps files)? And to run them with a different security context than IIS, or with access to resources that you don't want to expose to IIS directly?
A while back I had a task that I needed to be able to trigger from a web page. In this particular case the task involved running a few different scripts & command line operations – some of which had to be done with particular permissions (such as accessing a share on a different server).
What I didn’t want to do was give those permissions to the IIS process to allow the page to execute these commands directly, as I was worried that a mistake might happen that will allow the page to do a lot more than I wanted and become an easy attack vector.
Realizing that I could encapsulate all of the steps of the task and their necessary permissions into a Windows Scheduled Task, I then set out to see how I can kick off a specified task in the scheduler from an ASP page. This is what I came up with. It has three basic steps:
- Create your scheduled task that calls the script(s) that you want to run.
- Open up the folder where the task file is saved and change permissions on it so that the IIS process can run it.
- Create the web page that will access & run your task.
It’s actually a very simple process, but I’ll spell it out in detail here – because of that it may seem more complicated than it really is.
Create the Scheduled Task
The first step is to create the scheduled task, so log into your IIS webserver and open up the Windows Task Scheduler.
In this example, I’ve created a separate sub-folder called “WebTasks” (select & then right-click on Task Scheduler Library” in the left panel –> New Folder) for organization purposes.
I have a prepared script that I want to run called “mytask.bat” located in a folder at “
E:\Scripts\”. So lets start the Create Task dialog (right panel) to set up a task to run it, that we’ll call “
IIS_Task”
Enter the General parameters for the task, including setting up the appropriate user credentials that the task needs to run properly using the “Change User or Group” button. The sample is called IIS_Task |
In the Triggers tab, we’ll leave this blank in the example. A Trigger is a schedule that will activate the task. We will only run this task manually, so this isn’t needed. |
In the Actions tab, click the New button… |
… and create an action to run the script we want – in this case “E:\Scripts\mytask.bat” |
Switching to the Settings tab, make sure that the “Allow task to be run on demand” setting is checked. Click OK to save it. | |
Set Permissions on the Task
Next we have to change the permissions on this task so that the IIS process can run it. To do this go to the folder that the task files are saved in, by default that's:
C:\Windows\System32\Tasks\
In our case, since we earlier created this task in a sub-folder called “WebTasks”, we go here:
C:\Windows\System32\Tasks\WebTasks
You should see our new task in a file called “IIS_Task” (or whatever you named your version). Right-click on it & select Properties. Then add Read & Execute permissions for the IUSR account (the default account that IIS uses). If your install of IIS uses a different account, apply that one instead. Apply the change & close the dialog.
Now our task is created, and it’s permissions are changed so that the IIS process can call it, and IIS hasn’t been granted any unneeded permissions such as creating/changing tasks, or access to any of the resources that our task will use.
Create the web page
Finally, it’s time to create the web page that will do this.
I’ve actually looked to see how to call the Task Scheduler from .NET, but couldn’t find the reference in my brief poking around, but did see how to do it in VBScript, so this page is done in “Classic ASP”, rather than ASP.NET. Also, since it’s just an example, there is no security or controls on this demo page:
<%
Dim vRun, vMsg
vMsg = ""
vRun = Trim(Request("run")) 'get form input
'If form value was submitted, run the task
If vRun = "Run Task" Then
RunJob
End If
'Routine to execute our task
Sub RunJob
Dim objTaskService, objRootFolder, objTask
'create instance of the scheduler service
Set objTaskService = Server.CreateObject("Schedule.Service")
'connect to the service
objTaskService.Connect
'go to our task folder, use just "\" if you saved it under the root folder
Set objRootFolder = objTaskService.GetFolder("\WebTasks")
'reference our task
Set objTask = objRootFolder.GetTask("IIS_Task")
'run it
objTask.Run vbNull
vMsg = "Submitted"
'clean up
Set objTaskService = Nothing
Set objRootFolder = Nothing
Set objTask = Nothing
End Sub
%>
<html>
<body>
<form method="post" action="runtask.asp">
<p>Click to run the task: <input type="submit" value="Run Task" name="run" /></p>
<p>[<%= run %>]</p>
<p style="font-weight:bold; color:#006600;"><%= vMsg %></p>
</form>
</body>
</html>
Save that as
runtask.asp in your wwwroot folder & try it out.
As you can see, the code to actually run our task is really simple, the real work is done in only five lines of code in the RunJob subroutine.
Hope this helps.