.NET Framework 3.5 SP1 Allows managed code to be launched from a network share!

  • Article

Hurray, its finally fixed!  manage code 'just works' from network file share!

Now I know that some of you are probably just saying 'who cares' or 'huh?' but for those of us who have hit this problem, this has been a major deployment headache, and I am happy to say that the end of this particular problem is in sight.

The problem scenario is this.  If you have a managed applications like 'MyApp.exe' it works great if you run it locally (eg C:\bin\MyApp.exe), but fails when you try to run it from a network location (eg \\Myhost\bin\MyApp.exe).   The problem is that the security system for the runtime treats network locations as less trustworthy than local locations, and thus throws an security exception.     The problem is that failing to run managed code WHILE STILL ALLOWING UNMANAGED EXE's to run, does not provide any security (because hackers will simply use unmanaged code) but does cause nontrivial deployment headaches (manage apps can't be run from network locations). 

Well, the better part of a year ago I ask Brad Abrams to do a poll on this issue and we found that there was quite a bit of customer deployment pain associated with this issue, and after much deliberation decided to fix it.    The exact details were covered in Shawn Farkas Blog, however the high level take-away is that for the vast majority of scenarios 'it just works' meaning that managed code acts just like unmanaged code as far as launching EXE from network shares are concerned. 

So I do encourage you to down load the .NET 3.5 SP1 service pack.  It is a very low risk, drop-in update for the runtime.  Once you do this, you get network launch for free.   Because it is a service pack, you can also simply just wait, and get the update automatically in the next several weeks via windows update.    Thus if you are software deployer, pretty soon now, with high probability your customers will have this newer runtime.

Have fun! 

P.S: for those of you who are concerned that we have opened security holes by doing this, we have tried to be VERY careful not to do this.  The basic rationale is that we are not opening any holes that were not already there because Windows allows non-managed exes to run from a network share.    By the way, if you WANT to lock down your network access (prevent exes from a network share from running, (or even just exes that are in speical locations), you can do this with Software Policies.  That is the proper way to lock down your computer.