IT:AD:Performance Counters:HowTo:Grant Permission to IIS AppPool Identity
Summary
To use Performance Counters in your app, there are two Permissions to consider:
- Permission to Add
- Permission to Update
To Add new Counters, and Update them, the application identity (often we're talking about the AppPool's Identity) needs to belong to a local group.
Process
To Create Performance Counters
In the past MSI installers – running as the User who had Admin rights – were used to create the Performance Counter.
Now we only have IT:AD:WebDeploy.
It's tricky.
According to: http://msdn.microsoft.com/en-us/library/bd20x32d.aspx one can do the following:
You can use impersonation with the ASPNET account to allow creation of new categories. The impersonation identity must have sufficient privileges to create categories. If your application needs performance counters that can be specified before deployment, they can be created by the deployment project. For more information, see ASP.NET Web Application Security.
In which case one would do something like:
// Impersonate an account that has the privileges to create categories.
using (XAct.Security.ImpersonationContext context = new ImpersonationContext(tracingService, username, domain, password)) {
  // create ...
}
But that means AppSettings has to hold quite a lot of information: the username, domain and password of an account with sufficient privileges to create categories.
Alternatively:
Performance counters are stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry folder which is why writing custom counters is a challenge. Although Web and Worker roles run under full trust, these elevated permissions are limited to read-only access of the HKEY_LOCAL_MACHINE registry location. To create a performance counter, this registry location must be written to and therefore requires sufficient permission to do so.
This will also help: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005653
Therefore, the steps (as defined here: http://blogs.msdn.com/b/john_pollard/archive/2007/03/07/performance-counters-fun.aspx) are:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009 - Added permissions for Network Service
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services - Added permissions for Network Service
- C:\WINNT\system32\perf*009.dat - Added full permissions for Network Service on all matching files.
Give Up...
The above is a bit of a pain… That's why we generally make the account an Admin, for the first run, so that the Performance Counters can be created.
Otherwise, consider temporarily granting Write permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
To Update Performance Counters
net localgroup "Performance Monitor Users" "IIS AppPool\DefaultAppPool" /add
I don't think you need the following, but it can't hurt…
net localgroup "Performance Log Users" "IIS AppPool\DefaultAppPool" /add
A restart/re-login is required after these changes (without it, you won't see any changes). An IIS restart will also do it.
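An added example (not from the original page or from MSDN): a one-time deployment script, run elevated, that creates the category up front as the MSDN quote under "To Create Performance Counters" suggests, then gives the AppPool identity only the group membership from "To Update Performance Counters". The category and counter names are hypothetical, and Windows PowerShell 5.1 is assumed.

```powershell
#Requires -RunAsAdministrator
# One-time deployment step: run from an elevated prompt, not from the web application.
$ErrorActionPreference = 'Stop'

$categoryName    = 'MyApp'                       # hypothetical category name
$counterName     = 'Requests Processed'          # hypothetical counter name
$appPoolIdentity = 'IIS AppPool\DefaultAppPool'  # identity used on this page
$group           = 'Performance Monitor Users'   # group used on this page

# 1. Create the category while elevated, so the AppPool identity never needs
#    Admin rights or write access to HKLM\SYSTEM\CurrentControlSet\Services.
if (-not [System.Diagnostics.PerformanceCounterCategory]::Exists($categoryName)) {
    $counters = New-Object System.Diagnostics.CounterCreationDataCollection
    $counter  = [System.Diagnostics.CounterCreationData]::new(
        $counterName,
        'Total requests processed (example counter)',
        [System.Diagnostics.PerformanceCounterType]::NumberOfItems64)
    [void]$counters.Add($counter)

    [void][System.Diagnostics.PerformanceCounterCategory]::Create(
        $categoryName,
        'Counters for MyApp (example category)',
        [System.Diagnostics.PerformanceCounterCategoryType]::SingleInstance,
        $counters)
    Write-Output "Created category '$categoryName'."
} else {
    Write-Output "Category '$categoryName' already exists; left unchanged."
}

# 2. Grant update rights with the same command the page uses.
& net.exe localgroup $group $appPoolIdentity /add | Out-Null

# net.exe also exits non-zero when the account is already a member,
# so confirm the result by listing the group instead of trusting the exit code.
$members = & net.exe localgroup $group | ForEach-Object { $_.Trim() }
if ($members -contains $appPoolIdentity) {
    Write-Output "'$appPoolIdentity' is in '$group'. Restart IIS to pick up the change."
} else {
    throw "'$appPoolIdentity' was not added to '$group'."
}
```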