Typically, web application is run using ApplicationPoolIdentity on IIS. However, for various reasons, it’s very common to find a large corporation uses a service account to run the application pool.
Sometimes the challenge comes when you need to move the website to a different server and you’re not given the proper credential to set it up on the new environment. What’s worse, it’s also not uncommon to hear that sometimes not one soul in the company knows the password.
At that point, your options are usually to either have the password reset (a big No-No for a production application), or have a new service account created (also another headache if the service account is tied to other applications or batch jobs for logical grouping).
But there’s a simple trick that’s quite handy to get password from iis application pool by using AppCmd that is commonly used to migrate IIS websites.
We know that the AppCmd can be used to export the Application Pool information to an XML file. And we can also export only a single AppPool. So in this case, just as an example, we want to export AppPool ITNOTA by typing the following in Command Prompt:
C:\> %windir%\System32\inetsrv\appcmd list apppool "ITNOTA" /config /xml > C:\Temp\ItnotaAppPool.xml
Once that was done, let’s open up ItnotaAppPool.xml file from C:\Temp folder. You would see something similar to the following:
<?xml version="1.0" encoding="UTF-8"?> <appcmd> <APPPOOL APPPOOL.NAME="ITNOTA" PipelineMode="Integrated" RuntimeVersion="4.0" state="Started"> <add name="ITNOTA" autoStart="true" managedRuntimeVersion="v4.0"> <processModel identityType="SpecificUser" userName="ITNOTA\Admin_Service_Account" password="###MyAccountPassword###" idleTimeoutAction="Suspend" /> <recycling> <periodicRestart> <schedule> </schedule> </periodicRestart> </recycling> <failure /> <cpu /> <environmentVariables> </environmentVariables> </add> </APPPOOL> </appcmd>
If you look at line 7 (highlighted), the password is there in clear text.
Note: This XML is modified and compacted just to demonstrate where you can find the password ONLY if you use custom identity. If you use ApplicationPoolIdentity, there’s no password associated with it in the XML file.
In theory, you don’t need to look at the password to make the website run. Because importing the XML will transfer all the information exactly the same way as the current setting. So other than updating the IP address, the identity most of the time doesn’t need any modifications. But this trick is always useful, when you also need to retrieve a “lost” password for a service account that’s been there for years.