Technical Details of Adobe Reader X “Protected Mode”

Update: Since this blog was written, Adobe Reader has been updated to 10.1. More details here.

——————

Adobe Reader X is now available for download. You can get it here. If you are using Reader X or Acrobat X, also make sure that LiveCycle ES2 is on SP2.

There have been significant security-related enhancements to Reader in version X. One of them is “Protected Mode”. The details are available at the following links:

Part 1
Part 2
Part 3

Also, see the MAX 2010 presentation titled “Sandboxing Adobe Reader: Protected Mode” by Suchit Mishra, Lead Security Researcher at Adobe.

The Enterprise Administration Guide for Acrobat is available here. Adobe’s Acrobat portal for IT is here.

Public forums for discussing Reader-related issues and sharing solutions are available here.


46 Responses to Technical Details of Adobe Reader X “Protected Mode”

  1. Garry O'Driscoll says:

    Hi, I am sure you already know, but there is a slight problem with the “Protected Mode” in Adobe Reader X when installed on my Citrix servers (Server 2k3): you can’t open a PDF that is stored on a network share; you get the error “There was an error opening this document. Access denied.” To work around this I have had to disable the protected mode in the registry, following information in the Adobe forum http://forums.adobe.com/message/3292065
    Regards
    Garry

    • Jayan Kandathil says:

      Garry:

      Thanks. Also, it looks like we have documented this in the FAQ here. Citrix is currently (as of Nov 25, 2010) not supported with Reader “protected mode”.

  2. Since upgrading to Reader X on my Windows 7 64-bit PC, no PDF file can be opened, including those being opened from my local NTFS disk.
    Disabling Protected Mode allows PDFs to be opened.
    Something is obviously broken here.

    • Joel Geraci says:

      Are you using any 3rd party plug-ins?

      • Larry Gitlitz says:

        I am also using Reader X on Windows 7 64-bit. I am not using any plug-ins that I know about, possibly if any installed in an old version on their own. I found that anytime I tried to open a “(secured)” pdf, adobe would open, display only a white window, drive my CPU to 100% and not respond. At least the application would close immediately when I click on the top-right corner close button. Opening a non-secure pdf would work fine. I then disabled protected mode and all the secure pdfs work no problem….
        I then uninstalled Acrobat X and reinstall but still same problem. I am only using MS security essentials and Windows Firewall, disabled everything but it didn’t help. Hope this helps you track down the issue.

  3. Andrew James Riemer says:

    We’re seeing the same issues with Reader X. As soon as it is installed (to Windows XP clients in a Windows 2003 Server AD domain), those clients receive the error whenever they try to open PDF files that are on our local LAN when using mapped drives. The files will open using UNC paths. The only setting that has worked for us is to disable protected mode. I, too, think this needs to be fixed. I’d like protected mode up and running, but I don’t want to do it at the expense of easy access to the files we have on our internal network.

  4. Seymour Kellerman says:

    The protected mode also appears to break communication to Adobe Reader via an Adobe plug-in. Printing stopped when I installed Adobe Reader X.

    Programmatically disabling the protection mode by modifying the Privileged\bProtectedMode Registry key seems to circumvent the problem.

    • Joel Geraci says:

      Seymour:

      Plug-ins that worked in Reader 9 or lower may need to be rewritten for Reader X when in Protected Mode if they use any functions that need to interact with the OS. Reader Protected Mode shields the OS from security risks by forcing plug-ins to go through a broker process before executing certain functions. Without that code in place, the plug-in won’t work as it did in earlier versions of Reader. If you can let me know the plug-in that you are using, I can be sure the author has the relevant samples to rewrite their plug-in.

      Please see my article linked to below for more details.

      http://blogs.adobe.com/pdfdevjunkie/2010/10/what-developers-need-to-know-about-acrobat-x.html

    • wemic says:

      This key fixed the problem for me. Thanks to Seymour Kellerman’s post.
      HKEY_CURRENT_USER\software\adobe\acrobat reader\10.0\privileged
      bProtectedMode REG_DWORD 0x0
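
For administrators who need to know where this workaround has been applied, the following PowerShell script reports the per-user `bProtectedMode` value quoted above for each loaded user hive on a machine. It is an added example, not part of the original comments or of any Adobe tooling; the function names and output column names are hypothetical, and only the key path and value name come from this thread.

```powershell
# Added example: audit the per-user Protected Mode value named in this thread.
# Key path and value name are taken from the comments above; function and
# column names are hypothetical.
$SubKey    = 'Software\Adobe\Acrobat Reader\10.0\Privileged'
$ValueName = 'bProtectedMode'

function Get-ReaderProtectedModeState {
    param([Parameter(Mandatory = $true)][string]$HivePath)

    # Returns nothing if either the key or the value is missing.
    $item = Get-ItemProperty -Path "$HivePath\$SubKey" -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'NotSet' }    # key or value absent
    if ($item.$ValueName -eq 0) { return 'Disabled' }  # the workaround from this thread
    return 'Enabled'
}

function Resolve-SidToAccount {
    param([Parameter(Mandatory = $true)][string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid   # orphaned or unresolvable SID: report it as-is
    }
}

# Only the hives of logged-on users are loaded under HKEY_USERS. The regex
# keeps ordinary user SIDs and skips service accounts and the *_Classes hives.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Account       = Resolve-SidToAccount -Sid $_.PSChildName
            ProtectedMode = Get-ReaderProtectedModeState -HivePath $_.PSPath
        }
    } |
    Sort-Object ProtectedMode, Account |
    Format-Table -AutoSize
```

Rows reported as `Disabled` are the machines and accounts to revisit once the incompatibility that prompted the workaround has been resolved.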

  5. Tim Coburn says:

    Any attempt to print from Adobe Reader X to any of our network printers results in the reader locking up after sending the print job. Clicking on Adobe afterwards results in the Reader crashing out completely. Behaviour has been observed on all XP 32-bit and Win7 X64 installs (50+ total). In every case we turn off protected mode and the problem is solved.

    Judging by the previous comments this feature could have used extensive testing and improvements before inflicting it upon users.

  6. Suchit Mishra says:

    Hello,

    I am very sorry to hear about the issues you are facing. The Reader X sandbox is a very restrictive environment and so if there are custom plugins being used in your workflows then things may not work as expected. To circumvent these issues we have implemented a configurable policies feature that allows IT administrators and end users to tweak and customize the policies inside the broker and bypass the restrictions imposed by the default application. That way you don’t have to turn off protected mode. So, please turn on the logging (as shown in section 2.2.1 Figure 1, page 16) and then refer to sections 2.2.5 and 2.2.6 (pages 17-19) of the Application Security Guide on how to troubleshoot workflows by turning on logging and then configuring custom policies for compatibility issues.

    http://learn.adobe.com/wiki/download/attachments/64389123/AcrobatApplicationSecurity.pdf?version=1

    Hope this helps. If you can please send me more details of the setup, printer, plugins and environment and the sample PDFs that are failing to print with Reader X I can try and help with the troubleshooting.

    thanks

    Suchit Mishra
    Lead Security Researcher, Adobe Acrobat & Reader Engineering

  7. Tim Coburn says:

    There is nothing unusual about our environment, and I found the solution to my issue posted on message boards from people in basically the exact same situation. We have a Windows Domain with 2008 and 2003 print servers, workstations running XP32 and Win7 x64. Adobe Reader 7, 8 and 9 printed fine up to the point they had the “poison patch” for 9, oddly enough just before Adobe X came out. Everyone who installed the patch started getting DDE server errors, forcing us to upgrade to ReaderX so people could at least run Adobe Reader again. We don’t do anything fancy with our print jobs, the most complicated thing Adobe Reader does is open a PDF from an e-mail and send it directly to the print server, there have been no changes at our end and the process has worked flawlessly until Reader 9 had the bad patch.

    It is fantastic that you have an involved process for working around the software’s defects, I look forward to investing more time in compensating for them. I am glad this “feature” seems to be absent in the Pro version, at least those users are operating problem free.

    I appreciate that this protected mode is supposedly a wonderful security feature but so far it’s like making a car safe by taking the tires off it. Sure it won’t go anywhere but boy is it safe!

  8. Suchit Mishra says:

    Hi,
    Again, really sorry to hear about all the troubles you have had to go through. If you would be kind enough to send me one or two sample files that are not printing now because of the latest Acrobat/Reader 9.4.1 patch that would go a long way in helping the engineering team with the root cause analysis.

    thanks
    Suchit

    suchitm@adobe.com

  9. Nick says:

    Hi Suchit,

    Is it possible to modify the Adobe Acrobat X install file so that protected mode is off by default? This would be a good temporary solution until Adobe engineers come up with an update to Acrobat X.

    We have 85 users in Los Angeles and Las Vegas and everyone is having the same problem when accessing network stored PDFs on the Domain. The registry modification seems to work but is very inefficient when deploying.

    Thank you,
    Nick

  10. Dark Helmet says:

    We had to turn off protected mode for the FileOpen plug-in to work. http://www.fileopen.com/products/fileopen_pdf_control/
    9.4.1 worked fine with the plug-in. Reinstalling the plug-in under X didn’t work in protected mode.

  11. Tom McClelland says:

    We’ve had two users of our product report this problem so far. Typically our users are not the kind of people who are going to be using any plug-ins. They were finding that they got the message depending on which folder the files were in, e.g. a PDF on the desktop could be opened, but the same PDF copied to the “Documents” folder could not!

    I installed Adobe X on my development PC (I also use no plug-ins) and within 3 minutes of first use I got a BSOD, on a PC which has previously worked completely smoothly for the last several months. But I don’t seem to have any problem displaying PDFs regardless of location.

    Our product creates PDFs and then asks the windows shell to display them. Is there any registry key that our product could remove or alter the setting from the registry if users report this problem so that they don’t have to find the security option themselves?

  12. Matt Heaton says:

    Our machines have just started auto-updating to Reader X and every user has the same problem with “Access Denied” when opening a PDF (which are all stored on network mapped drives).
    I cannot believe Adobe went ahead and released this version when clearly feedback since November 2010 has been telling you of this SERIOUS BUG.
    Manual post-intervention to every deployment (deactivating Protected Mode) is not a satisfactory situation.
    You need to FIX this TODAY!

    • Andrew James Riemer says:

      I fully agree. We’re not using any plug-ins with ReaderX. It simply won’t open files that are located on the LAN. I’ve had to deactivate protected mode on every PC here, and that’s not what I prefer to do. I mean, at least give us an option to list trusted locations (like shared network drives).

  13. Terry Walker says:

    Good Day!!!

    You may already be aware of this issue, but Protected Mode also causes issues when trying to open a PDF that was embedded in a Word Document. When you try to open the embedded PDF it complains about AcroExch not being available. This is happening with a vanilla installation of Reader X, a vanilla install of Office 2010 or Office 2007. Since we are Win 7 we don’t want to move back to Reader 9 due to compatibility concerns.

    Disabling Protected Mode allows the embedded PDF to open without issue.

    Cheers
    Terry

  14. johnlspouge says:

    I just uninstalled Reader X and reinstalled Reader 9. Everything works perfectly, just as before.

    • Andrew James Riemer says:

      We’ve started doing the same.

      • Tim S. says:

        Programs that generate a .pdf file no longer open them with X installed. I have a couple programs that don’t think Reader is installed anymore. Weird. I have to uninstall X and find a version of 9.4 and VOILA! all works again. What a pain.

  15. David Wolfson says:

    The problem appears more widespread than comments above. We clean downloaded Reader X onto one of our user’s PCs (XP SP3) and then downloaded PDFs from web pages (IE8). The error message reported above appeared. However, the same file downloaded by another user and sent through local network does open in Reader X. We have no time for the tortuous fix suggested above, so we have uninstalled Reader X and reinstalled Reader 9.4. All now works. So, Adobe, just FIX IT.

  16. R.L. Burnside says:

    We’re having the same issue: opening PDFs on a network share with Reader 10.0.1 results in “access denied” message, even after turning off “Enable Protected Mode at startup”. We’ve never had a similar issue before.
    Our environment is Windows XP Service Pack 3, Office 2007 Service Pack 2. No third-party plug-ins being used while testing Reader X.
    We definitely won’t be deploying this into any production environments until a fix is identified.

  17. Philippe Kapfer says:

    We have had the same problem with XP 32 in 2008 R2 domain.
    We have had a ADM files to a group policy to configure directly all PC without protected mode. You can find this ADM file here: http://www.appdeploy.com/packages/detail.asp?id=1976
    in the section command line.

  18. Christian Karlsson says:

    Hi, same for me, first adobe files won’t open at all. Adobe suggesting update. After update can not open pdf files in AFS network resource protected by Kerberos. Seems to be some serious problems concerning permission. For copying it acted quite weird, first denied access and at repeated attempt it asked whether you would allow the file to be copied to for example the desktop. At the desktop it was accessible.

    • Shakti says:

      Hi Christian,

      Can you please try with new update of Adobe Reader 10.1 and let me know if the issue is fixed for you.

      Thanks,
      Shakti

      • Adobe Acrobat Reader 11.0.0 experiences the same problem with OpenAFS 1.7.x up to version 1.7.2100 when Acrobat Protected Mode is enabled.

        To reproduce:

        1. Open a PDF by clicking a link in IE or Outlook

        2. While PDF is open, select File->Save As …, select a network mapped drive, select a subdirectory, press OK. For example,

        NET USE T: \\afs\your-file-system.com\project\test

        Save to T:\test1\file.pdf

        3. Acrobat does not display any dialogs indicating failure but the file is not saved to the destination.

        Disabling Protected Mode permits the file to be saved to T:\test1\file.pdf.

        Even with Protected Mode enabled, Save as … to \\afs\your-file-system.com\project\test\test1\file.pdf will succeed.

        Sysinternals Process Monitor shows that when Protected Mode is enabled, there are no IRP_MJ_CREATE requests issued which would result in the creation of the file. Therefore, all fail with STATUS_NAME_NOT_FOUND. When Protected Mode is disabled, file.pdf is created by an IRP_MJ_CREATE request specifying OverwriteIf mode.

        This bug has been reported to OpenAFS.org as RT130851.

  19. Brian Rayne says:

    We use a backup system (Commvault) where files that go unused for long enough get replaced by an “archive stub”, and when the file is accessed, the backup software restores the full file to the network so that the file can be opened with a program. In general, we don’t see any compatibility issues, programs launch and open the programs without problem. However, if Adobe Reader 10’s (and presumably Adobe Acrobat 10’s) “protected mode” feature is enabled, the familiar “There was an error opening this document. Access denied” message is presented when an archive stub file is launched. Previously, we were plagued by protected mode’s incompatibility with DFS, but this is the remaining thorn in our organization’s side. However it is enough of a problem that our prescribed workaround is to disable protected mode.

    • Shakti says:

      Hi Brian,

      Can you please try with new update of Adobe Reader, version 10.1 and verify if the issue is fixed for you.

      Thanks,
      Shakti

  20. Jason says:

    I’m not the most tech savvy person in the world but maybe someone can understand and help me out. We recently purchased a new pc with windows 7 for our office. I installed adobe reader 10 since we have used it on our XP machines in the past. When I try and open a pdf file, I get an error “There was an error opening this document. Access denied”. When I try and print off of a website that has pdf files, I just get a blank screen. I am running IE9 and was told this could be the problem. Any advice would be greatly appreciated!!

  21. Rob S says:

    Where is this .adm file supposed to be placed? Does it belong in the folder that the gpo is pointing to if deploying via group policy?

  22. Alejandro says:

    A few days upgrading from version 9 to X in a TS farm under VMWARE, and the result is that all my clients started having problems opening PDF files.

    After many tests in simulations solve the problem, add the following permissions:

    %ProgramFiles%\Adobe —> Users (Read Only)
    %Windir%\WinSxS —> Users (Read Only)
    Shared Folders —> Users (Read Only)

    I would also like to indicate the following:

    1) In our system all the security of %SystemDrive% and Regedit is completely changed.

    2) We only use Windows user groups: Administrators, System, Network Service and Local Service for the safety of our %SystemDrive% and Regedit

    3) Groups of users we have created based on read-only access to all the %SystemDrive% and Regedit. Except for those areas necessary for the execution of applications such as:

    %Windir%\Temp
    %Windir%\System32\Spool\Printers
    %UserProfile%

    And those other areas necessary for the client programs.

    4) groups: System, Network Service and Local Service are part of the Administrators group.

    5) All the sensitive points of Windows such as:
    “%SYSTEMDRIVE%\ADFS”
    “%SYSTEMDRIVE%\Inetpub”
    “%SYSTEMDRIVE%\RECYCLER”
    “%SYSTEMDRIVE%\System Volume Information”
    “%WINDIR%\$*$.*”
    “%WINDIR%\Application Compatibility Scripts”
    “%WINDIR%\Cluster”
    “%WINDIR%\Driver Cache”
    “%WINDIR%\ie8”
    “%WINDIR%\ie8updates”
    “%WINDIR%\pchealth”
    “%WINDIR%\repair”
    “%WINDIR%\SoftwareDistribution”
    “%WINDIR%\SYSTEM32\CatRoot”
    “%WINDIR%\SYSTEM32\clients”
    “%WINDIR%\SYSTEM32\Com”
    “%WINDIR%\SYSTEM32\config”
    “%WINDIR%\SYSTEM32\corebins”
    “%WINDIR%\SYSTEM32\dllcache”
    “%WINDIR%\SYSTEM32\inetsrv”
    “%WINDIR%\SYSTEM32\MsDtc”
    “%WINDIR%\SYSTEM32\npp”
    “%WINDIR%\SYSTEM32\oobe”
    “%WINDIR%\SYSTEM32\Setup”
    “%WINDIR%\SYSTEM32\*.EXE”
    “%WINDIR%\SYSTEM32\*.COM”
    “%WINDIR%\SYSTEM32\*.HLP”
    “%WINDIR%\SYSTEM32\*.CHM”
    “%WINDIR%\SYSTEM32\*.MSC”
    “%WINDIR%\SYSTEM32\*.CPL”
    “%WINDIR%\SYSTEM32\*.MSI”
    “%WINDIR%\SYSTEM32\*.SCR”
    “%WINDIR%\SYSTEM32\*.VBS”
    “%WINDIR%\SYSTEM32\*.WSC”
    “%WINDIR%\Tasks”
    “%WINDIR%\Temp”
    “%SYSTEMDRIVE%\wmpub”

    Are prohibited or permitted carefully by us with our own groups, so all security planning imposed by Windows by default does not exist in our systems.

    7) A customer will only allow access to files and folders necessary for them to log into the system and run the required applications. A folder, script or executable is not necessary for the work of our clients is prohibited.

    6) permits the configuration of TS are also all own and do not use any standard user group.

    From Microsoft’s opinion these changes may seem a suicide safety but in fact we never had unauthorized access, code execution or elevation of access.

    PS: Sorry for my terrible English

  23. Alejandro says:

    On my farm of Terminal Services on VMware works perfectly local in both the open and under SMB. It was only necessary to edit some permissions in 2 specific folders so that everything works perfectly both as an administrator as a limited user.

  24. Chuck Gilbo says:

    We also have issues with the Protect Mode access Pay statements from ADI with Adobe X in Protect Mode in IE 8, worked fine in Adobe 9, and we don’t use 3rd Party Add-ins or any Add-ins at all, how safe is this? Seems this Protect Mode has been an issue since 2010 and still no fixes? This is sad

  25. GOSPODNETIC says:

    Hello,

    We also cannot view our PDF Files in an HTML page.
    The message is “Access denied”.
    All works fine with Adobe Reader 7, and we test to get Adobe Reader 10.1, and now we cannot view our PDF Files in the IE Plugin.
    We have tried to deselect Protected mode, and the result is the same.
    (The Registry key is good bProtectedMode = 0)
    Is there anything elsewhere to do for deprotecting the plugin Adobe Reader X?
    The page which works fine with Adobe 7 and not with Adobe 10 is like :

  26. Alex Hummel says:

    Locally stored PDFs open without problem, but when I attempt to open a PDF stored on my company’s mapped drives with Adobe Reader X I keep getting an Adobe Acrobat error “Before proceeding you must first launch Adobe Acrobat and accept the End User License Agreement.” This would have worried me so much except that I don’t have Acrobat installed on my computer. I didn’t notice this problem before updating to Reader X v10.1.0

    Manually opening Adobe Reader, then double clicking on the network file I want to open works, so does copying the file locally. A quick search led me to believe that Protected Mode may have something to do with it, so I checked “Enable Protected Mode at startup” and so far everything appears to be running correctly.

  27. Eric S says:

    I was having the same issue with one user. I tried all of the suggestions above and nothing worked. The only workarounds I was able to use to get the user up and running are:
    1) Opening Adobe Reader and then opening the File through file open
    2) Right clicking on the file and clicking Open With… IE.

  28. Michael says:

    Since we installed Reader X in our virtualized (Xen Server) Terminal Server farm with W2003 servers I have spontaneous reboots of servers every day. So far I am under the impression that if IE8 opens a pdf through a website the server will get a BSOD. I am not completely sure if this is the reason since it’s not easy to replicate. There are no events mentioned in the event logs except for Bugcheck String: 0x0000008e (0xc0000005, 0xbf8a248e, 0xba14db1c, 0x00000000)
    I just want to mention it, maybe it looks familiar to someone.

  29. Mike says:

    Interesting how ‘sandboxing’ and protected mode is supposed to help secure the product… yet all it’s done for us (and many others, reading the comments above) is create work for IT by creating misleading error messages (“access denied” always has the user complain they don’t have access to files/folders). Maybe we’ll refer our help desk calls straight to Adobe. BTW, we’re running a very plain & standard Windows network & file shares, no funky stuff.
    If one can simply copy the file to do whatever they wish (i.e. actually open it and read it, for example!), it’s like the car-with-no-tires analogy but someone just comes along, drags the car onto a flat deck and takes off with it. Yay, security!

  30. MikeZ83 says:

    Several updates later the problem still exists in all kinds of shapes.

    Apparently the “Access Denied” error also occurs if you’re using NTFS symbolic links. Copying the file or accessing it from its actual location works just fine.

    Seems like the feature has been in there for over 18 months and it still doesn’t work.

  31. Dirk says:

    I do not know if this issue has been solved meanwhile.

    We face the same problem. “Access denied” depending on PDF location and how accessed. My findings (same server, same access rights (afaik!), two different folders):

    FOLDER A
    --------
    via link from notes eMail file://…..: X
    directly from explorer (mapped): OK
    directly from explorer (network): OK
    via link pasted into explorers address bar file://….: OK

    FOLDER B
    --------
    via link from notes eMail file://…..: X
    directly from explorer (mapped): OK
    directly from explorer (network): X
    via link pasted into explorers address bar file://….: X

    Best,
    Dirk.