4 Replies Latest reply on Feb 22, 2012 9:36 PM by copenhagenmail

    Protected Mode 10.1.1 on Windows Server 2003 TS - Domain Controller

    IdRul3r Level 1

      In the past we had issues with

       

      Adobe 10.0 running on Windows Server 2003 Standard Edition (32-bit) using Terminal Services with the "Protected Mode" problem that a number of people ran into.  So as a company we avoided upgrading any of the 2k3 TS machines beyond 9.4.  Recently, we read some articles about the issues with Protected Mode being resolved with Adobe Reader 10.1.0.  We installed Adobe Reader 10.1.0 on three 2k3 TS machines without issues.   They run fine and gave us the impression the issue was truly resolved.  So I recently installed it onto another 2k3 TS and it is bringing up the radio prompt message for "Adobe Reader Protected Mode" on every account including the Domain Admin account.

      • Open with Protected Mode disabled
      • Always open with Protected Mode disabled
      • Do not open with Protected Mode disabled

       

      I've verified the AntiVirus software that is running on this most recent 2k3 Server is the same version running on the other servers.  I even disabled the ESET Antivirus just to see and it still has the same issue.  I would rather not disabled Protected Mode for all users, but have found a number of posts where people suggest this.  While tracing the issue using ProcMon.exe (Sysinternals tool) I found AcroRd32.exe dies right after the following:

      HKLM\Software\Microsoft\Windows NT\Current Version\Image File Execution Options\DINXOptions\USER32.dll (NAME NOT FOUND)

      This lookup occurs on a working 2k3 TS machine as well as the one in question.  In both cases the NAME NOT FOUND is in the Result column.

      On the working 2k3 TS machine you see HKLM\System\CurrentControlSet\Control\Session Manager - Reparse and everything continues on working.  On the failing 2k3 TS machine you instead see the HKLM\SystemCurrentControlSet\Control\Error Message Instrument - Reparse.

       

      I compared a lot of settings on these servers and the key deferences are all related to how the failing 2k3 server is a Domain Controller, and all the others are simiply members.  Does anybody know how to get Adobe Reader 10.1.1 to work correctly on a Windows 2003 Server that is a Domain Controller?

        • 1. Re: Protected Mode 10.1.1 on Windows Server 2003 TS - Domain Controller
          copenhagenmail Level 1

          ProtectedUnsupportedConfig.png

           

          1) According to: http://kb2.adobe.com/cps/860/cpsid_86063.html

           

          When Protected Mode cannot launch due to an unsupported configuration, a dialog alerts the user that Protected mode is not available and offers to open Reader without Protected Mode:

          “Adobe Reader cannot open in Protected Mode due to a problem with your system configuration. Would you like to open Adobe Reader with Protected Mode disabled?”

           

          That is what you are seeing.

           

          To avoid that, use this info from Adobe's help file:

           

          Protected mode (Windows)
          By default, Adobe Reader X runs in protected mode to provide an added layer of security. In protected mode, malicious PDF documents can’t launch arbitrary executable files or write to system directories or the Windows Registry.
          To check the status of protected mode, choose File > Properties > Advanced > Protected Mode.
          Protected mode is enabled by default. To turn off protected mode:
          1 Choose Edit > Preferences.
          2 In the Categories list on the left, select General.
          3 Deselect Enable Protected Mode at startup.

           

          I have also found that unchecking the default "Enable hardware rendering for legacy video cards" setting in Adobe Reader X's 3D & Multimedia settings and changing from the preferred renderer mode of DirectX9 to the alternative Software setting there solves many issues, and may also solve the issue you are experiancing too.

           

            2) Adobes Protected Mode troubleshooting kb article http://kb2.adobe.com/cps/860/cpsid_86063.html (referred to previously) mentions that "certain configurations of anti-virus software that have not yet white-listed AcroRd32.exe" are "Unsupported configurations for Reader running in Protected Mode".

           

          Therefore I suggest also excluded AcroRd32.exe from virus scanning.

           

          3) There are also printing issues on Citrix and Terminal Services and a new hotfix for that: see http://kb2.adobe.com/cps/928/cpsid_92870.html

          • 2. Re: Protected Mode 10.1.1 on Windows Server 2003 TS - Domain Controller
            ayurkowski

            Gee, copenhagenmail, that's about as patronizing a response as I remember seeing recently. The poster is obviously technically astute enough to realize that you've just quoted verbatim from Adobe's documentation. He's done some quality research to identify a potential source of the problem, and is looking for some other ideas or corroboration...

             

            We, too, have identified this problem (with ver 10.1.2) on W2K3 servers. We have a number of machines, with almost identical builds, and the only ones that experience this problem are the domain controllers - not ones running terminal services explicitly, but ANY DC. We, too, have experimented with AV configurations, and excluding AcroRd32.ese from on-access scanning DOES NOT resolve this issue.

             

            The point in running this rev is to ENSURE that protected mode is enabled as a security function. Turning it off isn't an option from a policy perspective - ESPECIALLY on a DC.

             

            Anyone else out there (ideally, from Adobe) that can provide additional corroboration and/or troubleshooting details?

            • 3. Re: Protected Mode 10.1.1 on Windows Server 2003 TS - Domain Controller
              copenhagenmail Level 1

              ayurkowski I was replying to a thread from Sep 30, 2011 10:33 AM which had gone unanswered and was posted several months PRIOR to the release of the Adobe Protected Mode troubleshooting kb article I have quoted.

               

              This suggestion is NOT from any Adobe's documentation, as the first part of it (regarding the legacy video cards setting) was provided to me recently by a one-time participant here (who may be an anonymous Adobe staff member) and the second part (regarding the DirectX9 setting) is my own discovery:

               

              I have also found that unchecking the default "Enable hardware rendering for legacy video cards" setting in Adobe Reader X's 3D & Multimedia settings and changing from the preferred renderer mode of DirectX9 to the alternative Software setting there solves many issues, and may also solve the issue you are experiancing too.

               

              BTW That method actually works with the protected mode sandbox still running.

               

              Adobe staff members have participated in several threads about this issue but have stopped participating recently.

              • 4. Re: Protected Mode 10.1.1 on Windows Server 2003 TS - Domain Controller
                copenhagenmail Level 1

                I forgot to mention that the printing issue hotfix bit is also from this month. There is also a recent Announcement about it, which I quote here:

                 

                Announcement: Adobe Reader 10.1.2 Printing Issues   
                Crashing or printer doesn't print?

                 

                1. Log in to your computer as an Administrator.

                2. Click the link to download the AdobeReaderPatch10.1.2_cpsid_92870.zip file.

                3. Unzip the file to extract the executable AdobeReaderPatch10.1.2_cpsid_92870.exe.

                4. Do one of the following to run the AdobeReaderPatch10.1.2_cpsid_92870.exe file:

                a. Double-click the AdobeReaderPatch10.1.2_cpsid_92870.exe file.

                b. Run the AdobeReaderPatch10.1.2_cpsid_92870.exe file in silent mode by specifying the -silent flag on the command line. Open the command prompt ‘As Administrator’ to avoid UAC prompt dialog.

                Example: <path to AdobeReaderPatch10.1.2_cpsid_92870.exe> -silent

                 

                5. Once the process is completed, you receive a prompt stating the result of the operation.

                NOTE: When run in silent mode, all dialog boxes are suppressed. No success message or error message appear.

                6. A log is created in the temp directory (%temp%) with the name AcroPatchApplication1012.log. (The changes sometimes only takes effect only after you restart your computer.)

                 

                http://kb2.adobe.com/cps/928/cpsid_92870.html