How do I overcome the "The symbolic link cannot be followed because its type is disabled." error when getting the target of a symbolic link?
Asked Answered
L

8

60

Following on from a previous question, I am creating a symbolic link on a Server 2008 from a Vista machine using UNC paths. I can create the link just fine. I can go to the Server 2008 box and double click on the link in explorer to open the target file. What I cannot do though is use FileCreateW to get a handle to the UNC path link (from the Vista box). When I try it, it fails and GetLastError() returns error code 1463 (0x5B7), which is:

The symbolic link cannot be followed because its type is disabled.

How to enable its "type" in Server 2008 (assuming the error means what it says)?

Liebknecht answered 23/10, 2008 at 13:8 Comment(1)
This was useful and I only add that the client, as well as the server hosting the symbolic link, needs to have R2R:1 set and enabledSingsong
J
55

To add to @David Arno's helpful answer, based on W7:


fsutil.exe can be made to show what arguments it takes by simply running:

fsutil behavior set /?

To report the current configuration, run fsutil behavior query SymlinkEvaluation - see @Jake1164's answer, particularly with respect to how a group policy may be controlling the behavior.

The symbolic-link resolution behavior is set on the machine that accesses a given link, not the machine that hosts it.

The behavior codes for fsutil behavior set SymlinkEvaluation - namely L2L, L2R, R2L, and R2R - mean the following:

  • L stands for "Local", and R for "Remote"
  • The FIRST L or R - before the 2 - refers to the location of the link itself (as opposed to its target) relative to the machine ACCESSING the link.
  • The SECOND L or R - after the 2 - refers to the location of the link's target relative to the machine where the LINK itself is located.

Thus, for instance, executing fsutil behavior set SymlinkEvaluation R2L means that you can access links:

  • located on a remote machine (R)
  • that point to targets on that same remote machine (L)

Unlike what David experienced on Vista, I, on W7, was able to resolve a remote link that pointed to a resource on another remote machine by enabling R2R alone (and not also having to enable R2L).

Josey answered 31/3, 2010 at 20:29 Comment(2)
Is there a known reason, why not all evaluation types are enabled by default?Shaky
Unfortunately, I don't know, @Shaky - it sounds like it's security-related somehow.Josey
L
73

Well I found the answer, though to describe it as badly documented is an understatement!

First of all, this TechEd article highlights the fact that users can "enable or disable any of the four evaluations that are available in symbolic links". Those four "evaluations" include remote to local and local to remote. It doesn't give any clue as to how to do this.

However a further search revealed this fsutil help page, which does actually document how to "enable or disable any of the four evaluations that are available in symbolic links". So to fix the problem I was having, I need to issue the following command on the Vista box:

fsutil behavior set SymlinkEvaluation L2L:1 R2R:1 L2R:1 R2L:1

in order to allow full access to where symlinks are pointing on both local and remote machines.

Liebknecht answered 23/10, 2008 at 14:53 Comment(1)
This page has some more information fsutil: technet.microsoft.com/en-us/library/cc785435(WS.10).aspxSchwaben
J
55

To add to @David Arno's helpful answer, based on W7:


fsutil.exe can be made to show what arguments it takes by simply running:

fsutil behavior set /?

To report the current configuration, run fsutil behavior query SymlinkEvaluation - see @Jake1164's answer, particularly with respect to how a group policy may be controlling the behavior.

The symbolic-link resolution behavior is set on the machine that accesses a given link, not the machine that hosts it.

The behavior codes for fsutil behavior set SymlinkEvaluation - namely L2L, L2R, R2L, and R2R - mean the following:

  • L stands for "Local", and R for "Remote"
  • The FIRST L or R - before the 2 - refers to the location of the link itself (as opposed to its target) relative to the machine ACCESSING the link.
  • The SECOND L or R - after the 2 - refers to the location of the link's target relative to the machine where the LINK itself is located.

Thus, for instance, executing fsutil behavior set SymlinkEvaluation R2L means that you can access links:

  • located on a remote machine (R)
  • that point to targets on that same remote machine (L)

Unlike what David experienced on Vista, I, on W7, was able to resolve a remote link that pointed to a resource on another remote machine by enabling R2R alone (and not also having to enable R2L).

Josey answered 31/3, 2010 at 20:29 Comment(2)
Is there a known reason, why not all evaluation types are enabled by default?Shaky
Unfortunately, I don't know, @Shaky - it sounds like it's security-related somehow.Josey
A
14

I recently found this on all my corporate Windows 7 boxes when one of my legacy programs stopped working. After some searching and finding these settings I tried setting via the command line and via the registry with no relief.

I found that you can use the command from an elevated prompt:

fsutil behavior query SymlinkEvaluation

This will return the status of these links AND in my case that they are being controlled by a group policy! Thanks IT department (you f@$#%$rs)!

enter image description here

Anacreon answered 23/6, 2014 at 11:19 Comment(1)
in the GPO you can Change it in "Computer Configuration > Administrative Templates > System > Filesystem" and configure "Selectively allow the evaluation of a symbolic link"Cusk
U
8

These settings can also be manipulated directly via the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem: See SymlinkLocalToLocalEvaluation, SymlinkLocalToRemoteEvaluation, SymlinkRemoteToLocalEvaluation, SymlinkRemoteToRemoteEvaluation.

if with "fsutil behavior query SymlinkEvaluation" you get message .."is currently controlled by group policy"..., check HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Filesystems\NTFS or simply search throug registry for "Symlink"

Unpeopled answered 23/4, 2015 at 7:16 Comment(1)
changing HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Filesystems\NTFS worked for mePelton
G
5

Thanks David for the tip, I was becoming desperate to fix this problem which made symlinks mostly useless.

One should note that the default configuration for Vista is L2L and L2R enabled, but R2R and R2L disabled.

I first tried to enable only R2R, but this is not sufficient. R2L has to be enabled too.

The next question on my list: How to get rid of that stupid /D switch for the mklink command for directory links. The default link type should be inferred automatically from the target pathname type!

Grot answered 17/12, 2008 at 18:28 Comment(2)
"The default link type should be inferred automatically from the target pathname type!" Agreed!Zoophilia
Since a link can be to a link itself, this would require recursive evaluation all the way to the root object, at creation time, which would make a symbolic link non-portable between machines or even potentially non-portable on the same machine, if another link were made to it. That's kind of the point of a symlink - it's supposed to be a universal reference that is runtime-evaluated. It's impossible to infer from target type what you want, unless it is a UNC path, in which case, for NTFS, it MUST be a symlink. All other cases are ambiguous.Slumlord
D
4

These settings can also be manipulated directly via the registry (requires local admin to write):

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Registry values (name/data pairs):

Name                             Type       Data  (1: Enabled; 0: Disabled)
-------------------------------------------------
SymlinkLocalToLocalEvaluation    REG_DWORD     1
SymlinkLocalToRemoteEvaluation   REG_DWORD     1
SymlinkRemoteToLocalEvaluation   REG_DWORD     1
SymlinkRemoteToRemoteEvaluation  REG_DWORD     1

Official documentation is difficult to find, but this appears to be an official Microsoft page: Selectively allow the evaluation of a symbolic link

Depositor answered 19/5, 2014 at 20:24 Comment(1)
Nice find. Do you have a link to any MS documentation on this though? It would be worth adding IMO if you do.Liebknecht
S
2

FYI if you have Group Policies in place controlling SymlinkEvaluation settings you CAN still set them yourself from the command line. They will be overwritten by GP at next reboot/login but your settings will work during your user session.

So as a workaround if you need to set it to something other than what GP dictates you could even run a script at logon to set them after GP is applied.

Sohn answered 15/7, 2014 at 22:34 Comment(1)
GP do not only update with every new reboot/login, they are updated every 90 (+30) minutes by default.Shaky
P
1

Remote junction points work by default. For files you still need symlinks.

Possum answered 8/10, 2009 at 4:19 Comment(1)
Junction points are bad for performance in case of R2R, because then all traffic is routed over the server containing the junction point.Heroworship

© 2022 - 2024 — McMap. All rights reserved.