Question
· Dec 27, 2023

Operating system command execution and Windows Console

I just realized that operating system command execution does not work on Windows console if the IRIS service is started using a different user than Local System account (the default).

I always change the user configured in the IRIS service and I believe this is a standard good practice, particularly in "real" environments (be it production, stage, test or development) that are part of Windows Active Directory Domain.

When IRIS service starts using any user, including Administrators members, using "!" or "$" from the terminal prompt to run a OS command fail, nothing happen.
Even more problematic is that $ZF(-100) (including "old" $ZF(-1) and $ZF(-2)) does not work too:

USER>!dir
 
USER>s x=$ZF(-100,"/SHELL","dir")
 
S x=$ZF(-100,"/SHELL","dir")
^
<NOTOPEN>
USER>

The same commands work fine from a console opened using "iris console <InstanceName>" or from telnet terminal (if/when enabled).

So, when IRIS service is configured, using the console terminal can be problematic for some application, including ZPM that, depending on manifest, needs/uses $zf(-100) and does not correctly handle the error, so nothing is reported.

I've tested this in latest IRIS 2023.3 and Caché 2018.1.2.
Has anyone encountered this issue?

Product version: IRIS 2023.3
Discussion (1)1
Log in or sign up to continue

I found the problem.

The issue does not happen if the service user is changed using:

IRISinstall.exe setserviceusername <instance-name> <username> <password>

When that command is issued two groups are created:

IRISServices
IRIS_Instance_<InstanceNme>

and the service user is added as member of there two groups.

The reason that it works using this way is that to the IRISServices group, in Local Security Policy is assigned the "Replace a process level token" user right.

In other words, the user that stars IRIS need the "Replace a process level token" right assigned via Local Security Policy (or GPO in an AD Domain).

Lesson learned:
- Use IRISinstall.exe to change the user for the IRIS service
or
- Assign "Replace a process level token" right to the user of IRIS service