Diagnose "Access Denied" error on Assembly Loading

I posted a rather long reply in newsgroup microsoft.public.dotnet.framework.clr, to help diagnose "Access Denied" error on Assembly Loading.

https://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx?&lang=en&cr=US&guid=&sloc=en-us&dg=microsoft.public.dotnet.framework.clr&p=1&tid=62dde23c-3bbd-4eaa-99a6-72a37711d8c0&mid=62dde23c-3bbd-4eaa-99a6-72a37711d8c0

The error is actually very typical and I saw it quite often internally.

I posted the full text below. Hope it is useful to you.

----------------------------------------------------------------------------------------------------------
"Junfeng Zhang[MSFT]" wrote in message ...

> It is very hard to diagnose this kind of problems. I have debugged many
> access denied errors. And most of them boil down to the following scenario:
>
> 1. You enabled shadow copy on the AppDomain.
> And,
> 2. You have either Anti-Virus or index service enabled.
> And,
> 3. You may have run the applications many times in a relatively short time.
>
> The reason is related to how fusion does shadow copy. Here is exactly what
> happens.
>
> 1. Say you enabled shadow copy on the AppDomain, and you load an assembly.
> Fusion will first copy the assembly to a temporary directory under the
> shadow copy directory, then call MoveFile to move the temporary directory to
> the final location under shadow copy directory. The reason is that we want
> the shadow copy to be atomic. And MoveFile gives us the atomicity.
>
> 2. If you have Anti-Virus and index service enabled, and you are unlucky,
> after we have copied your assembly to the shadow copy directory, and about
> to call MoveFile, Anti-Virus or index service decides to poke around the
> temporary directory. Now when we call MoveFile, we get the access denied
> error.
>
> Condition (3) is not necessary. But it greatly increases the possiblity of
> the error. When you read/write the same file many many times, it will alert
> the anti-virus.
>
> The fix is easy, excluding the shadow copy directory from Anti-Virus or
> index service.

>
> How do you know if you are hitting this scenario?
>
> First, download File Monitor from https://www.sysinternals.com. Run
> filemon.exe and set the filter to only trace file accesses under shadow copy
> directory. Now run your applications. If you see the Access Denied
> exception, you can stop the filemon tracing. Now search the filemon log for
> "ACCESS DENIED". When you find it, look at the a few lines above. If the
> application on the a few lines above is Anti-Virus or index service
> (cisvc.exe), you know you are hitting this problem.
>
> If this is not your case, sorry, I don't know why. You have to debug it
> yourself. And you should start with filemon.
>
> --
> Junfeng Zhang
> https://blogs.msdn.com/junfeng
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Gursharan" <Gursharan@discussions.microsoft.com> wrote in message
> ...
>> My app supports en and ja cultures. The app fails on an Application Center
>> cluster and the fusion log shows 0x80070005 error (access denied). I have
>> checked permissions/ACLs on the assemblies, used tlist -m to check process
>> locks and we don't use impersonation.
>>
>> Any other way to find out which access is denied?
>>
>> Thanks
>
>