How to fix ACCESS DENIED when printing PDFs using CreateProcess without disabling protected mode?

New Here ,
May 11, 2022 May 11, 2022

Copy link to clipboard

Copied

Hi everyone,

 

I'm able to successfully print PDFs automatically to some printer using the following command line if I manually create the shell and execute that command. What additionally works is e.g. printing some PDf in Windows Explorer using the context menu of the PDF and the verb "print".

 

"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" /h /n /o /s /t "C:\Users\[...]\some.pdf" "SomePrinter"

 

What does NOT work is using the exact same command line in some custom WIN32-app with "CreateProcess". While Adobe Reader starts and tries to read the file, shortly afterwards an error message is shown about that the file can't be opened because the access is denied. The important thing of course is that I'm starting my app which starts Adobe Reader using "CreateProcess" under the same user like when successfully printing from the shell manually. Using ProcMon I can additionally see that the correct PDF is accessed, to there's no problem with wrong paths or alike.

 

What resolves that issue is disabling the protected mode at sartup of Adobe Reader. BUT that shouldn't be necessary in theory, because things work when manually executed on the shell, using the context menu and as well when not using "CreateProcess" with some commandline, but "ShellExecuteEx" with the verb "print" instead. The problem simply is that Adobe Reader needs to print untrusted PDFs, so using protected mode makes sense. Additionally, my app is deployed to many different systems and I would like to avoid the adminitrative task of reconfiguring Adobe Reader to disable protected mode. The downside of the verb "print" and "ShellExecuteEx" is that I can't forward additional arguments.

 

Looking at ProcMon again, the behaviour of Adobe Reader seems to be pretty much the same up until a point where things not work anymore when using "CreateProcess". In both cases an instance of "Acrobat.exe" is created, which afterwards spawns an additional instance of itself using "LowIntegrity" mode and some additional command line arguments:

 

"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1  /h /n /o /s /t [...]

 

This looks to me like there's some recognition of interactive vs. non-interactive usage or alike and the former is allowed and the second denied. While my WIN32-app is 32 Bit and Adobe Reader 64, that doesn't seem to be the problem as well. I tested with a 32 Bit "cmd.exe" starting 64 Bit Adobe Reader and things work like expected.

 

So, what do I need to do with "CreateProcess" to fix this?

 

Thanks!

TOPICS
General troubleshooting , How to , Print and prepress

Views

220

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
May 11, 2022 May 11, 2022

Copy link to clipboard

Copied

The following is how I start processes, which works as expected for anything else than Adobe Reader:

 

STARTUPINFO si;
PROCESS_INFORMATION pi;

ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
si.cb = sizeof(si);

LOG4CXX_TRACE(logger, L"Beginn CreateProcess");
if (!CreateProcess( NULL, const_cast<_TCHAR*>(cmdLine.c_str()),
NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
{
DWORD error = GetLastError();
LOG4CXX_ERROR(logger, L"CreateProcess: GetLastError: " << error << L"; " << cmdLine);
return Result(cmdLine.c_str(), error);
}
LOG4CXX_TRACE(logger, L"Ende CreateProcess");

 

Making the started command line more complex and e.g. add "cmd.exe", like when things are done manually, doesn't change a thing. In the end Adobe Reader is still denied access to the PDF for some reason:

 

"C:\WINDOWS\system32\cmd.exe" /C ""C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" /h /n /o /s /t "\\?\C:\[...]\[...].pdf" "SomePrinter""

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
May 11, 2022 May 11, 2022

Copy link to clipboard

Copied

LATEST

I believe Acrobat Reader is only expected to be an interactive tool. I can offer no more insight, you've been very thorough, and the limits and properties of the sandbox are intentionally vague and fluid (to give a slippery attack surface).

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines