Acrobat Reader XI addon gets disabled periodically in Internet Explorer within Windows domain

Tags: adobe-reader, internet explorer, microsoft-forefront, system-center, windows 7

We have the following problem that happens on new workstations with Windows 7 x64 and Acrobat Reader XI only.

Every few days the following key is automatically added to registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CA8A9780-280D-11CF-A24D-444553540000}

This key has the effect that Acrobat Reader XI gets disabled in Internet Explorer add-ons.
So when a user opens a PDF in IE (or SAP or other Windows software using IE), it is not opened within IE but in a new separate window.


All the client workstations use Microsoft System Center 2012 R2 and Microsoft System Center Endpoint Protection as the antivirus solution.

Can you please suggest what can be the reason for this, like group policy, antivirus etc.?

Best Answer

Reproducing the problem

Assuming you have installed

  • Microsoft Windows 7+ / Server 2008 R2+
  • Microsoft Internet Explorer 11+ (IE)
  • Adobe PDF Reader 11+ (Reader)
  • Microsoft System Center Endpoint Protection / Microsoft Malware Protection (MalwareProtection)

the following seems to happen here:

MalwareProtection registers a component named Microsoft Antimalware IOfficeAntiVirus implementation (MpOAv) for Extension Validation with IE.

IExtensionValidation interface

For Internet Explorer 11, specifies an interface the anti-malware vendors can implement. Vendors that register support for this interface may be called by IE11 to validate that an ActiveX control is safe to instantiate.

MpOAv registers as a CLSID of {2781761E-28E1-4109-99FE-B9D127C57AFE}.

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE}]

You can inspect the detailed properties of MpOAv in the registry. The associated DLL usually resides at C:\Program Files (x86)\Microsoft Security Client\MpOAv.dll

[HKCR\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}]
[HKCR\Wow6432Node\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}]

Now every time IE wants to run an ActiveX control, the registered MpOAv is called before that and sometimes misbehaves or simply thinks that the Reader ActiveX control is not safe. I have no idea what its behavior really depends on.

This all results in IE (iexplore.exe) writing 2 keys to the registry: The CLSIDs of MpOAv {2781761E-28E1-4109-99FE-B9D127C57AFE} and Reader {CA8A9780-280D-11CF-A24D-444553540000}.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2781761E-28E1-4109-99FE-B9D127C57AFE}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CA8A9780-280D-11CF-A24D-444553540000}]

From this point on IE will not run the Reader ActiveX control until someone manually removes its CLSID from there. This is the observed problem.

Workarounds

  • Stop IE from calling the Extension Validation component in the first place: Remove the CLSID of MpOAv from the Extension Validation keys [HKLM\…\Internet Explorer\Extension Validation]. This requires administrative rights and can be distributed via Group Policy. Be careful: Future updates of MalwareProtection might recreate the registry entry.

  • Uninstall Microsoft System Center Endpoint Protection / Microsoft Malware Protection. Use a different product.

Long term solution

  • File a bug with Microsoft and/or Adobe? I fear they will blame each other. ;)
  • Maybe better wait for Microsoft Spartan with integrated PDF support.
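
An audit of the registry state described in the answer above, added here as an example and not part of the original post. The CLSIDs and key paths are the ones quoted on the page; the `Get-KeyState` helper, the `-Fix` switch and the report columns are assumptions made for illustration.

```powershell
# Added example: audits the registry state described in the answer above.
# CLSIDs and key paths are from the page; Get-KeyState and -Fix are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)

$MpOAv  = '{2781761E-28E1-4109-99FE-B9D127C57AFE}'   # Extension Validation component
$Reader = '{CA8A9780-280D-11CF-A24D-444553540000}'   # Reader ActiveX control

$validationRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extension Validation',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Validation'
)
$settingsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Settings'

function Get-KeyState {
    param([string]$Check, [string]$Path)
    # A missing key yields $null instead of an error.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    $values = if ($key) {
        ($key.GetValueNames() | ForEach-Object { '{0}={1}' -f $_, $key.GetValue($_) }) -join '; '
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        User     = $env:USERNAME
        Check    = $Check
        Present  = [bool]$key
        Values   = $values
        Path     = $Path
    }
}

# One row per key the answer mentions, suitable for Export-Csv or central collection.
$report = @(
    foreach ($root in $validationRoots) {
        Get-KeyState 'MpOAv registered for Extension Validation' (Join-Path $root $MpOAv)
    }
    Get-KeyState 'MpOAv entry in per-user Ext\Settings'  (Join-Path $settingsRoot $MpOAv)
    Get-KeyState 'Reader entry in per-user Ext\Settings' (Join-Path $settingsRoot $Reader)
)
$report

# Per the page, IE will not run the Reader control until its CLSID is removed here.
$readerKey = Join-Path $settingsRoot $Reader
if ($Fix -and (Test-Path -LiteralPath $readerKey)) {
    Remove-Item -LiteralPath $readerKey -Recurse   # honours -WhatIf / -Confirm
}
```

The HKCU checks only reflect the account the script runs under, so it has to run in the affected user's session (for example as a logon script) rather than as SYSTEM.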