Access denied running sn.exe on Windows 7

I'm trying to build / sign an assembly on a Windows 7 machine and I get the following exception:

x:\> SN -q -Vr "x:\someassembly.dll"
Failed to open registry key -- Access is denied.

I've found the following thread that appears to be the same problem, and it mentions that he fixed it by changing permissions on a registry key; however, it doesn't mention which registry key.

http://social.msdn.microsoft.com/Forums/en-US/tfsbuild/thread/e84e015b-41c8-4170-8686-2474832fcd28

Has anyone encountered this before?


Ok, I identified the key in question using Process Mon, which lists the following:

sn.exe
RegCreateKey
HKLM\SOFTWARE\Wow6432Node\Microsoft\StrongName
ACCESS DENIED
Desired Access: Maximum Allowed

Giving write access for the current user to the following key fixed this problem:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft

Note that giving write access to the root HKLM node didn't fix my problem (apparently permissions of folders in the registry aren't recursive?).


If that is the case you may use Process Monitor to see which registry key sn.exe is trying to access. This is not really programming related though.


Using -Vr with sn.exe is considered a potential security risk, as it disables signature validation. That's why you cannot run sn.exe -Vr from an unprivileged command prompt.

Open an elevated command prompt (with administrative privileges) before trying to execute sn.exe -Vr.

By the way, using -Vr registers a verification entry (which indicates that the specified assembly or assemblies should not be verified) and should only be used temporarily while executing instrumented binaries (which have not been signed after instrumentation).

Don't forget to use -Vu to unregister the entry when you are done.
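
A defender-side check for the two side effects discussed in the answers above, as an added example that is not part of the original thread: it lists verification-skip entries that were never removed with -Vu, and it flags non-administrative principals that can write to the StrongName key (for instance through a grant inherited from the parent key). The function name Get-StrongNameAudit and the location of skip entries under a Verification subkey are assumptions of this example.

```powershell
# Added example, not from the thread. Assumption: entries registered with
# "sn -Vr" appear as subkeys of <StrongName>\Verification in each registry view.
function Get-StrongNameAudit {
    param(
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\Microsoft\StrongName',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\StrongName'
        )
    )
    # SetValue, CreateSubKey, ChangePermissions, TakeOwnership, GENERIC_ALL, GENERIC_WRITE
    $writeMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
    # SIDs expected to hold write access: SYSTEM, Administrators, CREATOR OWNER
    $expected = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0'

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }

        # 1. Verification-skip entries that were never unregistered
        $verification = Join-Path -Path $root -ChildPath 'Verification'
        if (Test-Path -Path $verification) {
            foreach ($entry in Get-ChildItem -Path $verification) {
                [pscustomobject]@{
                    Finding = 'SkipEntry'
                    Key     = $entry.Name
                    Detail  = 'values: ' + ($entry.GetValueNames() -join ', ')
                }
            }
        }

        # 2. Allow ACEs that let a non-administrative principal write the key
        foreach ($ace in (Get-Acl -Path $root).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $sid = $ace.IdentityReference.Value }
            # S-1-5-80-* are service SIDs such as TrustedInstaller
            if ($expected -contains $sid -or $sid -like 'S-1-5-80-*') { continue }
            [pscustomobject]@{
                Finding = 'WritableKey'
                Key     = $root
                Detail  = "$($ace.IdentityReference) has $($ace.RegistryRights)"
            }
        }
    }
}

Get-StrongNameAudit | Format-Table -AutoSize -Wrap
```

A SkipEntry row is an assembly still registered for verification skipping; a WritableKey row is a principal outside the expected set that could register such an entry without elevation.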


As others and myself have pointed out, -Vr (register an assembly for strong name validation skip, system-wide) is indeed a privileged operation, and the "access denied" you get is legitimate.

According to Sn.exe (Strong Name Tool) - MSDN, you can add a user name to specify the user to disable the check for. This shouldn't require administrative privileges:

sn -Vr <Assembly> %USERNAME%