Cfexecute worked 3 years to run DOS batch files ... now it doesn't work (ISSUE RE-OPENED)

I have a program called backups.cfm that I wrote years ago. I recently upgraded to Lucee both my dev machine (Windows 10) and my customer’s machine (Windows Server 2016). The program allows the user to choose what to backup (or restore) and then uses cfexecute to run a DOS batch file to backup the appropriate directories. It has run for three years just fine. Now it’s running fine on my customer’s machine but causing permission access problems on my dev machine. Same code. The code has not changed in all this time.

Don’t forget to tell us about your stack!
OS: Windows 10
Java Version: 11.0.16
Tomcat Version: 9.0.78
Lucee Version:

The first thing I did was use the CF Administrator to upgrade my dev machine to Lucee to be sure I was running on the highest stable Lucee 5. But that didn’t fix it.

I’m not sure what to include here except for a brief description of what the program does. First it presents the user with a choice of what to do:


Then it presents a table of backups already created:

While the table is displayed, the operator can backup now, look at the setup (toggle docs), display the folder where a backup is stored, or restore.

Toggle Docs displays the following:

This shows the session variables the program has set up:
Repository / Zone shows the operators choice of what to backup or restore, in this case Intranet Data. It then shows the absolute paths of where the bat files are stored and where the files are that will be backed up or restored (backup destination).

Next it shows the absolute paths of the files that the batch file Backup.bat will copy from and to. Then it shows the absolute paths of the files that the batch file Restore.bat will copy from and to.

The DeleteBackup.bat file is no longer called. It was replaced by a purge backup program.

The code that calls the Backup.bat batch file is as follows:

The <cfexecute> in that code snippet produces the “Access denied. System error 5 has occurred.” error, on my dev machine. NOT on my client’s production machine. And that is the part that is throwing me.

Here is the batch file it is trying to run:

We’re both using Chrome browser, though I’ve tried running this on my machine using Firefox. Same error results. I don’t know where to start looking for the difference in permissions. Remember, this code used to run on my machine too. Why it doesn’t anymore, I have no idea.

Does anyone have any suggestions for me?

Some hints:

Have you tried launching the backup.bat program directly from the Windows command prompt?
It works?

I don’t use Lucee under Windows, but… who is the user Lucee runs under?
Still from the command prompt, try doing something like this:

runas /user:LUCEE_USER “C:\full\path\of\backup.bat”

It works?

Hello @Roberto_Marzialetti,

  1. It would be difficult to launch it directly from a command prompt, but I’m sure I could figure it out. The batch file incorporates batch script variables that the <cfexecute> builds and passes on to the batch file as %1, %2, etc. But more to the point, it ran on my machine for 3 years. It still runs on my customer’s machine. So I’m quite sure there is nothing wrong with the bat file. The real question is, what has changed? And in asking that, know the CFM has not changed and the bat file has not changed. So what else is there? Java? Lucee itself?

  2. I don’t know who the user is Lucee runs under. Perhaps someone in DEV can answer that for us. The user I am logged in as is a Windows Supervisor. But again, no code or script has changed between when it was working and now, when it’s not. (On my machine only.) The identical code and script works fine on my customer’s machine.

This is extremely puzzling.

Try running the command as suggested, even without the parameters. If it is a permission issue, you see the same “permission denied” error.
If you do, you can try opening command line in administrator mode and see if it then runs (it will prob complain that params not provided).
If you go into windows system services, you should see Lucee listed and it will tell you what user it’s running as


@psarin, I did what you suggested. Here are the results:
Running backup.bat from a standard command line does give the System Error 5 Access Denied. So it is a permission issue.

Running it with the command line opened in Administrator mode runs fine. It doesn’t complain that params are not provided. It just copies them to the wrong directory. (Looks like since %1 isn’t specified, it ignores that part of the path.)

Windows system services reports that Apache Tomcat 9.0 Lucee is reporting “Log On As” Local Service.

There are still two things I don’t know:

  1. Why it worked before for years, and now it doesn’t work.
  2. How to fix it.

You can check to see if the directories Lucee is trying to access has permissions. See c# - Workaround for 'Access is denied' for LocalService - Stack Overflow .

Hard to say why now it’s happening. Maybe a Windows security update, maybe reinstallation or upgrade of Lucee, or maybe you created the directory/files elsewhere and then moved them (thus keeping its original permissions).

@psarin That is a GREAT article from Stack Overflow. Thank you for the link. I haven’t achieved 100% what I want yet, but I do have a good direction to work from and toward. It never occurred to me that permissions could be granted to folders! I was afraid I would have to assign greater permissions to LOCAL SERVICE, which I really didn’t want to do. This is truly an elegant workaround.

So far the System Error 5 Access Denied error has disappeared. So I’m closer. The problem now is something new and I’m debugging it now. (0 files are getting copied!)

And I remembered something after reading that article. This computer I’m working on now is a clone of the original computer I was using since a couple years ago. That accounts for the “ownership” problem of the previous backup files and folders created and stored on the original machine. I have fixed that now. Ownership has been changed to the primary user of THIS computer on all previously created files and folders associated with backups.

Thanks for your help. I’ll post again when this new bug is fixed (0 files copied) so that we can kiss this issue goodbye as resolved and closed!

I decided to come back and document another problem I had while changing the Ownership of those older files created on another computer, in case anyone reads this thread in the future.

I got this error:

I Googled “Failed to enumerate objects in the container. Access is denied.” and found several solutions. The one I used is It gives 3 methods to correct this problem. The first of the three worked for me.

“0 files copied” bug fixed. It also had to do with ownership. I had used the /o switch in the xcopy in the batch files. This attempted to copy ownership, etc. This being unnecessary, I removed it.

Now everything is working. Issue resolved.

Special thanks again to @psarin.

~ Zy


Unfortunately, I’m still having trouble. :frowning_face:

I guess I didn’t test enough. In any case, I’ve been working on it all weekend without success. I was still getting the System Error 5 Access Denied. Now I’m not, but the last approach I took isn’t working. Please read on.

It’s not the batch file that is causing it. The batch file is running fine. It is the following two lines inside the batch file that cause it:

Things I have tried so far:

  1. Taking Ownership of everything in C:\wamp, its subdirectories, and files. This is the root directory which contains the wampmysqld.exe program.
    Result: no effect

  2. Setting folder permission for c:\bkmdos, its subdirectories and files, so that user LOCAL SERVICE has full control. This is the root directory where the batch file resides that is being run by <cfexecute>.
    Result: no effect

  3. I came across this article Block remote callers who are not local administrators from starting/stopping services from Microsoft Support. I tried both registry changes suggested.
    Result: no effect

  4. I decided that maybe the batch file should be “runas” my user Zy, which is an Administrator. But I’m having trouble getting runas.exe to work with <cfexecute>.

The remainder of this post refers to where I am with this last attempt at #4 (using runas).

I ran this code:

There was no System Error 5 Access Denied. However I don’t know if the batch file really ran or not. The xcopy certainly didn’t create the backup directory and didn’t copy anything anywhere.
So I dumped the variables RunasArg and Results.
and got:

The RunasArg looks right to me. But the Results variable is certainly wrong.

I found an article here on this board: Escaping quotes for cfexecute. In it, @justaguy, the OP, was trying to run a third party program using <cfexecute> and wasn’t getting any data returned as output. Is this related to why I’m not getting anything in the Results variable?

@Zackster repied:

Write out a batch file and execute it is a workaround I’ve used in the past

This worked for the OP. But unfortunately I don’t know what @Zackster meant or what he was getting at.

I’m exhausted. I think the best thing I can do is go to bed! I’ll be back to check for replies after a good night’s sleep and a strong cuppa coffee!

I am guessing he could have meant; instead of trying to directly execute the dynamic commands that are getting built using strings, write that output to a .bat file, and then use cfexecute to just run the .bat file? It’s one way to work around these kinds of issues with args and quotes, etc.

I’d also double check the arguments value here, perhaps it needs to be wrapped in quotes so that the value is passed, rather than a string that looks like a variable name?

I think you can also use an array of strings as the arguments instead of just a string, again to avoid issues with quotes/escaping as it should be handled for you:

Wait… First get some sleep and time off. Sometimes, when we get tired, our brain starts playing tricks on us. It’s always good to take some time and do something else. You might be overlooking something that may be simple, but your brain is focusing on the wrong part of the issue. Get some rest first.

You are saying “it works on your client’s machine” but NOT on your dev’s. It may have been a security update on your OS.

That’s what I’d do:

    1. Check if your OS is the same as your client’s (I suppose not).
    1. Run the batch file as an administrator from a command line. First, you said there are variables that are passed to the console and you can’t test it in a console outside. To make your code “debuggable,” you need to change your code in such a manner as to make it testable outside Lucee in a manually openable console. At least echo/output ALL the vars passed, output and save it. You need to know exactly what Lucee’s cfexecute is executing, so you can copy & paste all needed vars 1:1 and 100% equally to your manual console to not guess any variable that is being passed. Your batch file must be 100% reproducible in an outside console.
    1. Is your Windows event viewer telling you some added information? Check it!
    1. Because you are running Lucee locally on your dev machine, what happens if you change the User running the Tomcat service to “Local System”? Important Reminder: You MUST never run Lucee as “Local System” on prod or on a remote dev. This is purely and only for debugging purposes to see if your code runs correctly with the highest running privileges and to know that the access denied is 100% a permission issue.