Vista UAC caspol administrative rights GetFolderPath

  • Question

  • hi there..
    i have a problem i don't understand and hope someone can explain.
    the environment: win vista with uac enabled. a console application with an assembly manifest that requires administrative rights.
    the only thing the app does is
    . but the app is started from the network drive.

    when i start the app i get a security exception, as expected. now when i add a code_group with fulltrust permission (with caspol.exe) i still get the exception. why??

    policy works, because when i don't add requireadministrator to the manifest (therefore the app runs as a normal user) i don't get the exception.

    when i evaluate the assembly through .net framework 2.0 configuration (mmc snap-in) i see that localintranet_zone is also related. but this should not deny some access explicitly or?

    with requireadministrator i can bring the application to work, when i either set full trust to the localintranet_zone (bad idea) or when i select "This policy level will only have the permissions from the permission set associated with this code group" on my code group in .net fx configuration snap-in.

    would be really nice if someone can explain to me why i need to set this flag but only when running as administrator.

    thanks a lot
    Thursday, July 10, 2008 10:19 AM

All replies

  • You have a couple of issues. Firstly, don't run an application from a share. This isn't VB6. The run-time considers this scenario especially dangerous and restricts everything. That behavior is modified in SP1 3.5 to work as VB6 btw. If you are running prior versions of the framework you need explicit policy. You should create a web app (if you are wanting easy deployment) or a smart client if you want windows type functionality. If you insist on doing it this way, read on.

    >now when i add a code_group with fulltrust permission (with caspol.exe) i still get the exception. why??

    This may not be a security related exception. The way to verify is to create your code group and then turn cas policy off on the machine > caspol -s off. Run the app. If you get a security error, it isn't related to your policy, it's something else (masquerading as a security exception perhaps) because policy is turned off. If it works, you know your code group is not targeting the correct assembly.

    The localintranet zone has direct influence on the app since it is running from a share (on the local network, i assume). So you will need to create a code group and move it into the localintranet zone so that it inherits the permissions from the localintranet. You may need a bit more than environment permissions because of where the exe is being run from. Review the security stack trace to determine exactly what permissions are required.

    UAC, as I understand it, runs the application under the user account. When administrative tasks are required, the security is raised to admin. Your network share app is running under user so the application will fail. It only works when you 'run as admin'.

    Policy is implemented as a union so make sure the other zones do not override or nullify your code policy. What I do when creating policy is to first 'reset all' permissions for all code groups and then start with a blank slate.


    3.5 SP1 should not require cas policy update for that scenario.

    Sunday, November 16, 2008 1:48 AM
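
The steps the reply describes (check what policy currently grants, add a code group under LocalIntranet_Zone, then use `caspol -s off` as an isolation test) can be walked through with caspol.exe directly. The script below is an added example written for this thread, not code posted by either participant. It assumes the .NET 2.0 framework directory shown, a placeholder share path `\\fileserver\apps\MyTool.exe`, and a URL mask for that share folder (the exact URL mask form should be checked against the `-resolveperm` output on the machine). `-exclusive on` is the caspol flag behind the snap-in checkbox the original poster selected ("This policy level will only have the permissions from the permission set associated with this code group"): the group's permission set is used on its own rather than unioned with the other matching groups at that level.

```powershell
# Added example (not from the thread): the reply's caspol diagnostic, step by step.
# Run from an elevated prompt on the machine that launches the app; caspol edits machine policy.
# Assumptions (placeholders): the share path, the URL mask, and the .NET 2.0 framework directory.
$caspol  = "$env:WINDIR\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
$exe     = "\\fileserver\apps\MyTool.exe"   # placeholder: the exe on the network share
$urlMask = "file://fileserver/apps/*"       # assumed URL membership condition for that folder

# 1. What does policy resolve to for this assembly right now? If LocalIntranet_Zone is the only
#    matching group, the grant set is LocalIntranet, which is what the snap-in evaluation showed.
& $caspol -q -resolveperm $exe

# 2. Add a URL-based code group beneath LocalIntranet_Zone granting FullTrust, as the reply
#    suggests. -exclusive on makes this group's permission set the only one used at this level
#    for matching code, instead of being unioned with LocalIntranet_Zone's own grant.
& $caspol -q -m -addgroup LocalIntranet_Zone -url $urlMask FullTrust -name "ShareApp_FullTrust" -exclusive on

# 3. Confirm the group exists and that the resolved grant for the exe now reads FullTrust.
& $caspol -q -m -listgroups
& $caspol -q -resolveperm $exe

# 4. The reply's isolation test: with CAS enforcement off, a SecurityException that still
#    appears is not a policy problem. Restore enforcement immediately afterwards, since
#    leaving it off disables CAS for every managed app on the machine.
& $caspol -q -security off
Start-Process -FilePath $exe -Wait
& $caspol -q -security on

# Cleanup once the test is done and the group is no longer wanted:
# & $caspol -q -m -remgroup ShareApp_FullTrust
```

Keep the group as narrow as the URL mask allows; granting FullTrust to LocalIntranet_Zone itself, which the original poster also found would work, extends full trust to everything launched from any intranet share, which is why the reply steers towards a dedicated child group instead.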