VB.net Prog will not run on a network share

Axeldoomeyer

Well, I finally broke down and started using VB.NET 2005 instead of VB6. Lemme say first that I am more confused now than ever. HEHE :)

Anyway, I have written an application that will take all of the Windows updates (KBs) and install them one at a time until the end of the list. The app works fine... until I copied it to one of my network servers, and then I get the dreaded "This application will have to close" dialog. In the past when I have written utilities like this they have always worked on a share. What is different with .NET? Or am I putting blame in the wrong place?

Any help is greatly appreciated.
 
.NET has a partial trust system that can restrict the actions a program can take (like spawning off a new process or calling into native libraries that can alter the OS environment). The default security policy is to only fully trust applications that are on the local computer. So when an app tries to do something against the CAS policy, it gets terminated.

In the control panels for the system you'll find mscorcfg.msc, where you can alter the security policy. For a corp or imaging situation you would have the network share in question locked to domain admins or trusted IT people, and then either roll out policy to trust that share, or simply alter the local CAS policy on the machine that you use for creating the image.
 
OK I have been able to narrow the problem a little more. I have a class that allows me to read and write to an INI file. I have given the "everyone" group permissions to the file to no avail.

Here is the exact error:

"An error occurred creating the form. See Exception.InnerException for details. The error is: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."

EDIT: BTW, I am on a Windows 2003 domain at my house, which is where I am testing this. What policy would I have to modify? I have changed policies in the past; I just never heard of this before.

Thanks for your help.
 
I know it doesn't solve your issue, but if you have the update files stored somewhere locally on your network I have a batch file that'll do what you're looking to do.
 
Windows has user permissions (like the permission to debug other users' processes);
The file system has ACL\ACE permissions (like read\write\delete), which are separate;
.NET has CAS, which is an additional security layer beyond user or file system permissions.

Code Access Security (CAS) enforces security limitations on code running on the .NET runtime. For example, you could force a program to load in a way that it had no write access to the file system and registry, and had no permissions to talk to the network (even if the user that launched it had greater rights). So, it's a way to execute code in a way that prevents it from damaging your system.

That FileIOPermission exception is a CAS failure, where your app was trying to load a file from a location it didn't have CAS rights to read from. That occurred because code loaded and run from outside the local computer is restricted to lesser rights.

To change it, go into your control panels, administrative tools.
Launch ".NET Framework 2.0 Configuration".
Expand the nodes on the left, especially the ones under "My computer\Runtime Security Policy\Machine".

There you will see permission sets, as well as the rules (Code Groups) that govern what permission set applies to a given piece of code.

The best way to tell the .NET runtime to trust that share is to right click "All code" under the machine node, and select "new". Give the new rule a name, like "my trusted share", and click next. For the condition, select "URL" and type in the location, like "\\servername\share\*", then click next. Tell it to map that condition to the "Full Trust Permissions" and you're pretty much done.
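
The FileIOPermission failure described in the post above can be checked for before the form loads, so the program reports which access CAS refuses instead of closing with an unhandled exception. This is an added example, not code from the thread: the names CasPreflight and DeniedAccess are hypothetical, and it assumes .NET Framework 2.0 and an absolute path to the INI file passed as the only argument.

```vb
' Added example: CAS pre-flight check for an INI file (assumes .NET Framework 2.0).
Imports System
Imports System.Collections.Generic
Imports System.Security
Imports System.Security.Permissions

Module CasPreflight

    ' Returns the FileIOPermission access kinds that CAS refuses for iniPath.
    ' iniPath must be absolute (FileIOPermission rejects relative paths);
    ' a UNC path such as \\servername\share\app.ini qualifies.
    Function DeniedAccess(ByVal iniPath As String) As List(Of FileIOPermissionAccess)
        Dim denied As New List(Of FileIOPermissionAccess)
        Dim wanted() As FileIOPermissionAccess = { _
            FileIOPermissionAccess.Read, FileIOPermissionAccess.Write}
        For Each access As FileIOPermissionAccess In wanted
            Try
                ' The same kind of demand the runtime makes before file I/O.
                Dim perm As New FileIOPermission(access, iniPath)
                perm.Demand()
            Catch ex As SecurityException
                ' CAS policy did not grant this access to the calling code.
                denied.Add(access)
            End Try
        Next
        Return denied
    End Function

    ' Exit code: 0 = read and write granted, 1 = something denied, 2 = bad usage.
    Function Main(ByVal args() As String) As Integer
        If args.Length <> 1 Then
            Console.Error.WriteLine("usage: CasPreflight <absolute path to .ini>")
            Return 2
        End If
        Dim denied As List(Of FileIOPermissionAccess) = DeniedAccess(args(0))
        If denied.Count = 0 Then
            Console.WriteLine("CAS grants read/write on " & args(0))
            Return 0
        End If
        For Each access As FileIOPermissionAccess In denied
            Console.Error.WriteLine("CAS denies FileIOPermission " & _
                access.ToString() & " on " & args(0))
        Next
        Return 1
    End Function

End Module
```

Running the compiled check once from the local disk and once from the share shows whether the difference comes from CAS policy rather than from the file's ACL.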
 
[MS] Thanks for the reply. I found this out as you were replying. I didn't realize all of the underlying security implemented in .NET. I have also figured out how to push the permissions down through GPO. Now my head hurts. Again, thanks for all of the replies.
 
No prob...

CAS is a real thing of beauty to paranoid computer security people everywhere :). But it does require some reading to use it properly.
 
So why aren't you deploying these updates via the server? Why rely on a script/program when you can have Windows do it?
 
I work on client PCs on site and I may or may not have access to my servers and/or may not want to connect client PCs to my network. I need something that is portable and flexible. I have one HDD that I allow a client PC to connect to in order to run the updates. Much quicker than the Windows Update site...

EDIT: BTW, I do have all of my boxes update through SUS.
 