Share via

rescap Capability

Halifax Crosby 140 Reputation points
2025-12-08T17:36:30.2433333+00:00

Hello

My .NET Framework WinForms msix packaged app has declared runFullTrust Capability.

It works fine on my end when accessing the Internet to send/receive data.

But I've seen many similar apps on the store that declare both runFullTrust and internetClient.

The question is that do I need to declare internetClient and perhaps add firewall exceptions in the manifest?

Are there special cases/scenarios when .NET Framework WinForms packaged apps will need internetClient in addition to runFullTrust to use the Internet?

Thanks.

Windows development | Windows API - Win32
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Raymond Huynh (WICLOUD CORPORATION) 3,800 Reputation points Microsoft External Staff Moderator
    2025-12-09T08:43:53.6966667+00:00

    Hello Halifax Crosby,

    Thanks for the question. Here’s a clarifying view:

    • runFullTrust: for a Win32 / .NET (WinForms/WPF) app packaged as MSIX, declaring <rescap:Capability Name="runFullTrust" /> tells MSIX that this is a full-trust desktop app (i.e. not sandboxed).
    • internetClient: in the MSIX/app-capability model this is the “formal” declaration that the package intends to use internet/network access.

    Because “full-trust desktop” and “network access” are separate in the MSIX manifest schema, runFullTrust alone does not formally guarantee that MSIX recognises or authorises network capability.

    So while your app may “work fine” without internetClient, it’s not guaranteed, and many MSIX packages include both for completeness and to avoid future edge-cases or restrictions.

    Even for full-trust packaged WinForms apps, MSIX still expects you to declare both if you need both. That’s why many apps include:

    <rescap:Capability Name="runFullTrust" />
<Capability Name="internetClient" />

    Relevant docs:
    https://learn.microsoft.com/en-us/uwp/schemas/appxpackage/uapmanifestschema/element-rescap-capability

    https://learn.microsoft.com/en-us/uwp/schemas/appxpackage/uapmanifestschema/element-capability

    Hope this clears it up.

  2. Darran Rowe 2,531 Reputation points
    2025-12-09T13:55:03.3166667+00:00

    The internetClient capability is for the AppContainer. This allows an application running inside an AppContainer to use internet client functionallity.

    The runFullTrust restricted capability is one of the pieces needed to indicate that an application is to run outside of an AppContainer. When a desktop application is packaged and properly declares that it doesn't run in an AppContainer, then the internetClient capability has no effect. This is because the application is running in an environment that is almost identical to just running the executable. Also no, MSIX doesn't expect you to declare internetClient if you are not using it. It is more of a courtesy, and end users should be aware that your application is full trust. This is because runFullTrust indicates that the package can use all of the system resources.

    The way to indicate that an application isn't running inside an AppContainer is with the Application element of the manifest file. If the uap10:RuntimeBehaviour attribute is set to packagedClassicApp and uap10:TrustLevel attribute is set to mediumIL, then the application will not run inside an AppContainer. Setting the EntryPoint attribute to windows.fullTrustApplication is equivalent to the above two settings and is also usable on pre 2004 versions of Windows.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.