Overriding the Caspol.exe Self-Protection Mechanism

Caspol.exe contains a self-protection mechanism that prevents security policy changes that would cause it to cease functioning. You can override this self-protection mechanism, if necessary. For example, an administrator might need to override the self-protection mechanism to patch a security hole, even though Caspol.exe might not function properly afterward.

To override the Caspol.exe self-protection mechanism

  • Use the -force option before the policy change option that would otherwise be rejected by Caspol.exe.

    The following command changes the user policy's root code group to associate it with the Nothing permission set.

    caspol -force -user -chggroup 1 Nothing
    

    CAUTION   Use this option only with extreme caution. It can cause Caspol.exe to fail or cease functioning, in which case the -recover option cannot be applied because Caspol.exe cannot run.

    If this occurs, you can perform the manual equivalent of a -recover operation. The backed-up machine and user policy are written to Security.cfg.old files. Simply delete the Security.cfg file at the policy level where you made the change, and rename the Security.cfg.old file to Security.cfg. For more information about where these files are located, see Security Configuration Files.
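
The manual recovery described above can be scripted so that nothing is deleted unless the backup file is actually present. The following PowerShell function is an added example, not part of the original documentation: the function name, its parameters, and the step that keeps a copy of the replaced file are assumptions, and the folder for the affected policy level must be taken from Security Configuration Files.

```powershell
# Added example: guarded manual equivalent of "caspol -recover".
# Restore-CasPolicyFile is a hypothetical helper, not a tool shipped with the .NET Framework.
function Restore-CasPolicyFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Folder holding the policy files for the level that was changed
        # (look it up in "Security Configuration Files"; no default is assumed here).
        [Parameter(Mandatory = $true)]
        [string] $PolicyDir,
        # File names as given on this page.
        [string] $CurrentName = 'Security.cfg',
        [string] $BackupName  = 'Security.cfg.old'
    )

    $current = Join-Path $PolicyDir $CurrentName
    $backup  = Join-Path $PolicyDir $BackupName

    # Refuse to touch the current policy unless a usable backup exists.
    if (-not (Test-Path -LiteralPath $backup -PathType Leaf)) {
        throw "No backup '$backup' found; '$current' left untouched."
    }
    if ((Get-Item -LiteralPath $backup).Length -eq 0) {
        throw "Backup '$backup' is empty; '$current' left untouched."
    }

    if (Test-Path -LiteralPath $current -PathType Leaf) {
        # Assumption beyond the page: keep a timestamped copy of the policy
        # being replaced so the forced change can be reviewed afterward.
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $saved = "$current.replaced-$stamp"
        if ($PSCmdlet.ShouldProcess($current, "copy to '$saved', then delete")) {
            Copy-Item   -LiteralPath $current -Destination $saved
            Remove-Item -LiteralPath $current
        }
    }

    # Put the backed-up policy in place of the one that was deleted.
    if ($PSCmdlet.ShouldProcess($backup, "rename to '$CurrentName'")) {
        Rename-Item -LiteralPath $backup -NewName $CurrentName
    }
}

# Dry run first; the path below is a placeholder, not a real location:
# Restore-CasPolicyFile -PolicyDir '<policy-level-folder>' -WhatIf
```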

See Also

Configuring Security Policy Using the Code Access Security Policy Tool (Caspol.exe) | Security Policy Model | Code Access Security Policy Tool (Caspol.exe)