Share via


How to: Override the Caspol.exe Self-Protection Mechanism

The Code Access Security Policy tool (Caspol.exe) contains a self-protection mechanism that prevents security policy changes that would cause it to cease functioning. You can override this self-protection mechanism, if necessary. For example, an administrator might need to override the self-protection mechanism to update security, even though Caspol.exe might not function properly afterward.

To override the Caspol.exe self-protection mechanism

  • Use the –force option before the policy change option that would otherwise be rejected by Caspol.exe.

    The following command changes the user policy's root code group to associate it with the Nothing permission set.

    caspol –force –user –chggroup 1 Nothing
    

    Warning

    Use this option only with extreme caution. It can cause Caspol.exe to fail or cease functioning, in which case the –recover option cannot be applied because Caspol.exe cannot run.

    Note

    If this occurs, you can perform the manual equivalent of a –recover operation. The backed-up machine and user policy are written to Security.cfg.old files. Simply delete the Security.cfg file at the policy level where you made the change, and rename the Security.cfg.old file to Security.cfg. For more information about where these files are located, see Security Configuration Files.

See Also

Concepts

Security Policy Model

Reference

Code Access Security Policy Tool (Caspol.exe)

Other Resources

Configuring Security Policy Using the Code Access Security Policy Tool (Caspol.exe)