How to: Override the Caspol.exe Self-Protection Mechanism

The Code Access Security Policy tool (Caspol.exe) contains a self-protection mechanism that prevents security policy changes that would cause it to cease functioning. You can override this self-protection mechanism, if necessary. For example, an administrator might need to override the self-protection mechanism to update security, even though Caspol.exe might not function properly afterward.

To override the Caspol.exe self-protection mechanism

  • Use the -force option before the policy change option that would otherwise be rejected by Caspol.exe.

    The following command changes the user policy's root code group to associate it with the Nothing permission set.

    caspol -force -user -chggroup 1 Nothing
    
    Caution

    Use this option only with extreme caution. It can cause Caspol.exe to fail or cease functioning, in which case the -recover option cannot be applied because Caspol.exe cannot run.

    Note

    If this occurs, you can perform the manual equivalent of a -recover operation. The backed-up machine and user policy are written to Security.cfg.old files. Simply delete the Security.cfg file at the policy level where you made the change, and rename the Security.cfg.old file to Security.cfg. For more information about where these files are located, see the Security Configuration Files section in Configuration Files.
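
The manual recovery described in the note, written as a PowerShell function. This is an added example, not part of the original documentation: the function name and the PolicyDir parameter are hypothetical, the directory must be supplied by the caller because this page does not list the file locations, and keeping a timestamped copy of the discarded policy is an extra step beyond the note.

```powershell
# Added example: manual equivalent of "caspol -recover" for one policy level.
# $PolicyDir is an assumption: pass the directory that holds Security.cfg for the
# level you changed (see "Security Configuration Files" in Configuration Files).
function Restore-CaspolPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$PolicyDir
    )

    $current = Join-Path $PolicyDir 'Security.cfg'
    $backup  = Join-Path $PolicyDir 'Security.cfg.old'

    # Without the backup there is nothing to restore; stop before deleting anything.
    if (-not (Test-Path -LiteralPath $backup -PathType Leaf)) {
        throw "No Security.cfg.old in '$PolicyDir'; leaving Security.cfg untouched."
    }

    if (Test-Path -LiteralPath $current -PathType Leaf) {
        # Keep a timestamped copy of the policy being discarded for later review.
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        if ($PSCmdlet.ShouldProcess($current, 'Copy aside and delete')) {
            Copy-Item -LiteralPath $current -Destination "$current.broken-$stamp"
            Remove-Item -LiteralPath $current
        }
    }

    # Promote the backed-up policy to be the active policy file.
    if ($PSCmdlet.ShouldProcess($backup, 'Rename to Security.cfg')) {
        Rename-Item -LiteralPath $backup -NewName 'Security.cfg'
    }
}

# Constructed usage; the path is a placeholder, not a real location from the page.
# Restore-CaspolPolicy -PolicyDir 'C:\path\to\policy\level' -WhatIf
```

Run it with -WhatIf first to confirm which files would be touched at the chosen policy level.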

See Also

Reference

Caspol.exe (Code Access Security Policy Tool)

Concepts

Security Policy Model

Other Resources

Configuring Security Policy Using the Code Access Security Policy Tool (Caspol.exe)