Gotchas: Using SN.EXE on Vista

Thursday, September 27, 2007 – 10:23 AM

Software development is full of pitfalls. Sometimes it’s the little things that can have you up burning the midnight oil. The dumb stuff that in the cold light of day you wonder how you ever missed. So when you read some of these posts you may end up thinking “Who could be that stupid?”, well it was me and I’m sure I’m not the only one… hence the post.

Using SN.EXE on Vista

So here’s something we ran into the other day while testing installers on Vista. Our installer currently contains delay-signed binaries, as we don’t do final signing for our nightly builds. We’re installing assemblies in the GAC and running one of them as a custom action as part of the MSI’s installation, so before running the MSI we were disabling strong name verification for all DLLs signed with our key.

SN.EXE -Vr *,############

Doing this from a Visual Studio command prompt as a (non-administrator) user seems to work just fine – no errors and no Vista security prompt, and SN.EXE -Vl lists the verification skipping entry correctly.

Running SN.EXE in a non-admin shell.

But… the installer fails when it tries to execute assemblies or put them in the GAC. Similarly, if I try to use GACUTIL.EXE /i to install an assembly from a shell running as administrator, it fails.

Gacutil fails even after strong name verification has been disabled.

So disabling strong name verification without administrator rights fails in some way. If I run SN.EXE from an administrator prompt to disable verification I see exactly the same thing but… the installer works and running GACUTIL /i on my assembly is fine. 

In retrospect this seems a bit odd. A normal user can simply turn off strong name verification!? Obviously not, that would break the Vista security model big time. The trick here is that really all SN.EXE is doing is editing the registry. It accesses the following key to update the list of strong names that should be skipped:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName\Verification

If you run as administrator this key is accessible and is updated correctly. When you run this as a (non-administrator) user then the registry is virtualized and the following key is used:

HKEY_USERS\<User SID>_Classes\VirtualStore\MACHINE\
  SOFTWARE\Microsoft\StrongName\Verification

Ooops! Clearly not what was intended. This key isn’t going to be found when I try and add something to the GAC. So to all intents and purposes I have not really disabled anything. All I’ve done is written to a registry key that will be ignored. 
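One way to see which of the two keys above actually received the entry, as an added PowerShell check that is not part of the original post. It assumes the skip entries are stored as subkeys of the Verification key; the function name Get-SkipEntries is made up for this example.

```powershell
# Added example: compare the machine-wide strong name skip list with the
# per-user virtualized copy that a non-elevated SN.EXE -Vr writes to.
$sub  = 'SOFTWARE\Microsoft\StrongName\Verification'
$real = "Registry::HKEY_LOCAL_MACHINE\$sub"

# The VirtualStore path is built from the current user's SID, as in the post.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$sid      = $identity.User.Value
$virtual  = "Registry::HKEY_USERS\${sid}_Classes\VirtualStore\MACHINE\$sub"

# Is this shell elevated? A non-elevated shell is where virtualization applies.
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# Hypothetical helper: list skip entries (assumed to be subkeys) under a key.
# -LiteralPath matters because entry names such as "*,<token>" contain '*'.
function Get-SkipEntries([string]$Path) {
    if (Test-Path -LiteralPath $Path) {
        Get-ChildItem -LiteralPath $Path |
            ForEach-Object { $_.PSChildName }
    }
}

$realEntries    = @(Get-SkipEntries $real)
$virtualEntries = @(Get-SkipEntries $virtual)

Write-Output "Elevated shell: $elevated"
Write-Output "Entries in HKLM (machine-wide): $($realEntries.Count)"
$realEntries | ForEach-Object { Write-Output "  $_" }

# Entries that exist only in the VirtualStore are the ones the post
# describes: written without error, but missing from the HKLM key.
foreach ($entry in $virtualEntries) {
    if ($realEntries -notcontains $entry) {
        Write-Warning "'$entry' exists only in the VirtualStore; not in HKLM."
    }
}

# Any entry in HKLM turns off verification for matching assemblies, so a
# machine that is not a build or test box should normally list none.
if ($realEntries.Count -gt 0) {
    Write-Warning "Strong name verification is being skipped on this machine."
}
```

Run it from the same shell that ran SN.EXE -Vr; a warning about a VirtualStore-only entry means the command has to be repeated from an administrator prompt.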

Personally I think SN should fail here, but there you go. It’s not like I had anything better to do right?

This is fixed in Visual Studio 2008 – more details in my updated post:

2 Responses to “Gotchas: Using SN.EXE on Vista”

Great!
I built another tool that will handle all sn.exe activities. It can be downloaded free at
http://sourceforge.net/projects/securemyapp/.
Still in beta but works. I have more tools to add.
Talley
Raleigh, NC

By Talley on Sep 29, 2009
