Mapped drives can't be created after Microsoft Security Update from code running under Network Service account

Mapped drives can't be created after Microsoft Security Update from code running under Network Service account

MS09-012: Description of the security update for Windows Service Isolation: April 2009

 

Possible scenario: You are using a web application which is running under Network Service account and the code creates mapped drives using WNetAddConnection* APIs. It can fail stating ERROR_ALREADY_ASSIGNED error 85.

 

With this update installed on the machine, you will not be able to create mapped drive from the Network Service account. This is intentionally blocked for the Network Service account.

Uninstalling the security update, Network Service account would be able to create the mapped drive through WNetAddConnection* API successfully.

 

To verify if you have this problem:

• 1) see if the update is installed on your machine. Check though Control Panel Installed Programs and updates or type "systeminfo" on command prompt.
• 2) To make sure this is the issue, see if you can uninstall the update. If after uninstalling the update, if your code in Network Service is able to create the mapped drive, then security update was causing it to fail.

 

Recommendation is to try using a different account to run the application which will make the application and security update to co-exist on the machine. If it is not at all possible then try below registry change to revert back the changes of update in this regard.

 

Key-       "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"

                                ProtectionMode              DWORD                0

 

Restart the machine to take it in effect.

 

Nitin Dhawan

Windows SDK - Microsoft