Copy link to clipboard
Copied
If I install any version of flash higher than 11.1.102.63 it will not work on Windows 7 x64 under a LUA account. I have a very secure box using SRP policies. I've used the subinacl and reset_fp11.bat to no effect. Please advise.
Copy link to clipboard
Copied
I've got a few questions for you. Is a LUA account the same as a standard user account? If you create an admin account, does the player work properly? Can you elaborate on how your SRP policies might affect a Flash Player install? What browsers have you tried? If you haven't already, can you see if Flash works properly with Chrome (it's built in, so no need to install.) Finally, could you post a copy of your install log so we can see if anything is failing there?
Where do I find the Flash Player installation log on Windows?
Thanks,
Chris
Copy link to clipboard
Copied
Is a LUA account the same as a standard user account?
Yes
If you create an admin account, does the player work properly?
Yes, I install it from the admin account and it works fine there.
Can you elaborate on how your SRP policies might affect a Flash Player install?
Standard user accounts can not execute from directories they have permission to write to. No temp folders, desktop, etc.
What browsers have you tried?
IE 8 & 9. Both have the same reaction.
My testing:
The contents of C:\Windows\System32\Macromed\Flash\FlashInstall.log
=O====== M/11.2.202.235 2012-05-05+13-12-27.896 ========
0000 00000010 "C:\Windows\system32\Macromed\Flash\FlashUtil64_11_2_202_235_ActiveX.exe" -refreshIEElevationPolicies
=X====== M/11.2.202.235 2012-05-05+13-12-27.927 =========O====== M/11.2.202.235 2012-05-05+13-12-27.896 ========
0000 00000010 "C:\Windows\system32\Macromed\Flash\FlashUtil64_11_2_202_235_ActiveX.exe" -refreshIEElevationPolicies
=X====== M/11.2.202.235 2012-05-05+13-12-27.943 =========O====== M/11.2.202.235 2012-05-05+13-12-23.653 ========
000000001113 C:\Windows\system32\Macromed\Flash\\* 3
0001 00000010 "C:\Users\ADMINI~1\AppData\Local\Temp\{38334A5F-64C9-4F22-9451-F1B4DDC4BC5F}\InstallFlashPlayer.exe" -iv 6
000200001036 Software\Macromedia\FlashPlayer\SafeVersions/11.0 2
000300001036 Software\Macromedia\FlashPlayerActiveX/PlayerPath 2
000400001036 Software\Macromedia\FlashPlayerActiveX/PlayerPath 2
000500001036 Software\Macromedia\FlashPlayer\SafeVersions/11.0 2
000600001036 Software\Macromedia\FlashPlayerActiveX/PlayerPath 2
000700001036 Software\Macromedia\FlashPlayerActiveX/PlayerPath 2
0008 00000020 C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
000900001037 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX/ 2
0010 00000013 C:\Windows\system32\Macromed\Flash\Flash64_11_2_202_235.ocx
0011 00000015 C:\Windows\system32\Macromed\Flash\FlashUtil64_11_2_202_235_ActiveX.exe
0012 00000016 C:\Windows\system32\Macromed\Flash\FlashUtil64_11_2_202_235_ActiveX.dll
0013 00000019 C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
0014 00000011 1
0015 00000012
=X====== M/11.2.202.235 2012-05-05+13-12-49.596 ========
Copy link to clipboard
Copied
This shows up in the event viewer for Microsoft-Windows-UAC-FileVirtualization/Operational:
Operation on file "\Device\HarddiskVolume1\Users\jason\AppData\Roaming\Macromedia\Flash Player\macromedia.com" excluded from virtualization.
Copy link to clipboard
Copied
Thanks for the follow up information. I'm forwarding this to our installer team for their review.
Chris
Copy link to clipboard
Copied
Could you try running through the steps in this FAQ to see if it solves the problem?
Copy link to clipboard
Copied
The fix is to add a hash entry for the dll file in the Software Restriction Policy editor ... see http://wilderssecurity.com/showthread.php?t=321105.
Copy link to clipboard
Copied
I would ask the Flash developers to consider honoring a proper LUA environment. It is very important that a directory a user can write too also not be an executable location. Thus the flash dll needs to write to %userprofile% directories and not copy executable code there. On our systems those locations will not be allowed to execute. Thank you.
Copy link to clipboard
Copied
Thank you for the heads up. I've forwarded this thread to our installer team for their review. I'd like to see this fixed, would you mind opening a bug on this at bugbase.adobe.com and post the bug URL back here and at wilderssecurity.com so that others affected can add their votes and comments?
Copy link to clipboard
Copied
Copy link to clipboard
Copied
Thank you
Copy link to clipboard
Copied
My bug was closed because it was a duplicate. The original bug has closed as NotABug. The latest version of flash 11.3.3000.257 ... still has this bug. I know ... writing secure software is very hard.
Copy link to clipboard
Copied
Flash version 11.4.402.265 no longer needs the SRP workaround. Thank you for the fix.