xp_cmdshell runs as administrator but not with access

[robertkjr3d]

Let's start with the bottom line:
I can login to the machine as Administrator... and the command line product works.

When I run the same command line app from xp_cmdshell running as the same user 'administrator' it does not.

Long Description:
I have this software that I'm calling from xp_cmdshell (for your awareness it is imageconverter plus). However the product annoyingly when you buy a registration license it only works for the user that you activate the license for on the machine.

In this case I registered the product for the Administrator user. And I can run on the command line logged into the machine as 'Administrator' and it works fine.

However when I run the product from XP_CmdShell, it tells me that the product is in trial mode.

Yet when I run this query:

declare @cmd varchar(5000)
set @cmd = 'whoami'
exec master..xp_cmdshell @cmd

It comes back saying it is 'Administrator', the same user that I registered the license for. Is it prevented from reading the registry or something?

I am also trying to get tech support from the folks at imageconverter but he is just trying to get me to buy a more expensive product from them that licenses the whole machine.

 

[gmmastros]

I think xp_cmdshell runs under the security context of the user used to start the sql server service.

Click Start -> Run
Type Services.msc
click OK

If you are using SQL2000...
Scroll to MSSQLSERVER

If you are using SQL2005...
Scroll to SQL SERVER

Right Click -> Properties
Click "Log On" tab

The default log on is 'Local System'. You could try changing this to Administrator.

After making this change, test again. If this works for you, I strongly encourage you to convince this company to allow you to change the account that it is registered for. You should NOT allow the SQL Server service to start using Administrator. Instead, you should create another account on this machine. Use that account to start the service and register your 3rd party tool.

If the machine is breached, and SQL Server is started with Local System, only the server is compromised. If you use an administrator account, then your entire network would be vulnerable.

Make sense?

-George

"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom

 

[robertkjr3d]

Ok got it!!!

I'm guessing the ImageConverter guys are comparing the entered username and possibly ignoring the domain of the user logged in.

For I originally had activated the account in when I logged in with 'Administrator' as the username and in the domain box {our domain}. However If I login using 'Administrator@{ourdomain}.com' which windows then brings me to the same account. However ImageConverter then came up 'trial mode'...LOL

So I activated it when logged in with the @{ourdomain.com} method. Then it also worked in SQL Server xp_cmdshell.

I discovered this issue when I used a .NET application that used a Process.Start() method to invoke the application as Administrator@{Ourdomain.com}. Then the trial gui came up, and I was surprised. Because I was just checking to see if it worked before I tried invoking that from SQL Server.