Although the theory is that by the time we deploy a finished application it's already fully debugged we all know that in practice things rarely go that smoothly. So what happens if you deploy a partial trust ClickOnce application that starts to crash when it's run? Well, if you're lucky enough to have the problematic application stay alive for as long as it takes you to attach a debugger you're golden.
However if the crash occurs somewhere along the startup path, or if the debugger shows that something went wrong and got you into a bad state before you could attach it you might want to have the debugger run before the process even starts.
That's where things start to get tricky -- since ClickOnce is responsible for starting up your application, you can't just tell it to run the debugger for you. Instead, you can use the gflags tool from the Debugging Tools for Windows to intercept the start of your process. For a partial trust application, AppLaunch will be the real entry point, so you'll want to launch your debugger when AppLaunch starts.
In the gflags Image File section, set AppLaunch.exe as the image, check the debugger box, and put the full path to your debugger in the debugger field. I tend to use either Mdbg or WinDbg for this, depending on what kind of error I'm debugging.
Once you've got that setup you can launch your ClickOnce application normally and the debugger will start ready to run the application. If your app no longer starts up, make sure that the full path to the debugger is correct, since if Windows fails to find it, it will fail the CreateProcess for AppLaunch as well.
Finally, when you've solved the problem, you'll probably want to go back to gflags and uncheck the debugger box so that your partial trust applications no longer run under the debugger.
A couple of quick notes on this -- since all partial trust code runs through the same AppLaunch entry point, setting this up will cause all partial trust ClickOnce apps to run under the debugger, not just the one you're debugging. The same technique can be used for a FullTrust ClickOnce application as well; in that case you'd use the name of your application's .exe file instead of AppLaunch.