Software Restriction Policy Enforcement set to �All Software Files� causes checks against paths/files that are invalid

Source: Microsoft Support

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

When you log onto a server running Windows Server 2003 with an account that has a home drive configured and you are using software restriction policy enforcement set to �all software files�, you may observe invalid path queries across the network when a DLL is loaded by Explorer.exe or MMC.exe, for example opening the Start menu, refreshing the Desktop or using any administrative tools.� The invalid path queries can be seen in a network trace or in a process monitor capture.

�

A network trace or process monitor capture will show the UNC path to the home drive appended with two question marks (??) and then the path to the DLL in the system 32 directory. The following are two �examples:

��������� \\Server\Share\UserName\??\C:\Windows\system32\DLLName.dll �

��������� H:\??\C:\Windows\system32\DLLName.dll

The request will fail with some type of invalid syntax or path not found error.

Additionally, if the home drive is across a WAN network you may experience a delay each time explorer.exe or MMC.exe loads a DLL.� The delay experienced will be dependent on the amount of network latency between the server you are logged into and the server holding the home drive.

This problem occurs when the software restriction policy enforcement is set to �all software files�, the reason is that the server will check each DLL to verify the user is allowed to run/load that DLL.

The invalid path names are caused by a problem in advapi32.dll

To work around this issue:

1.������������������ Go into the Group Policy Object that defines the software restriction policy.

2.������������������ Using Group Policy Object Editor navigate to the software restriction settings �User Configuration > Windows Settings > Security Settings > Software Restriction Policies�

3.������������������ Find the object named �Enforcement� in the right hand window pane, right click on it and select properties.

4.������������������ Under the section �Apply software restriction policies to the following:� select the first option �All software files except libraries (such as DLLs)� which is the default option.

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE �MATERIALS�) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.