Acrobat Reader XI addon gets disabled periodically in Internet Explorer within Windows domain

Reproducing the problem

Assuming you have installed

  • Microsoft Windows 7+ / Server 2008 R2+
  • Microsoft Internet Explorer 11+ (IE)
  • Adobe PDF Reader 11+ (Reader)
  • Microsoft System Center Endpoint Protection / Microsoft Malware Protection (MalwareProtection)

the following seems to happen here:

MalwareProtection registers a component named Microsoft Antimalware IOfficeAntiVirus implementation (MpOAv) for Extension Validation with IE.

IExtensionValidation interface

For Internet Explorer 11, specifies an interface the anti-malware vendors can implement. Vendors that register support for this interface may be called by IE11 to validate that an ActiveX control is safe to instantiate.

MpOAv registers as a CLSID of {2781761E-28E1-4109-99FE-B9D127C57AFE}.

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE}]

You can inspect the detailed properties of MpOAv in the registry. The associated DLL usually resides at C:\Program Files (x86)\Microsoft Security Client\MpOAv.dll

[HKCR\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}]
[HKCR\Wow6432Node\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE}]

Now everytime IE wants to run an ActiveX control, the registered MpOAv is being called before that and sometimes misbehaves or simply thinks that the Reader ActiveX control is not safe. I have no idea what its behavior really depends on.

This all results in IE (iexplore.exe) writing 2 keys to the registry: The CLSIDs of MpOAv {2781761E-28E1-4109-99FE-B9D127C57AFE} and Reader {CA8A9780-280D-11CF-A24D-444553540000}.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2781761E-28E1-4109-99FE-B9D127C57AFE}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CA8A9780-280D-11CF-A24D-444553540000}]

From this point on IE will not run the Reader ActiveX control until someone manually removes its CLSID from there. This is the observed problem.

Workarounds

  • Stop IE from calling the Extension Validation component in the first place: Remove CLSID of MpOAv from the Extension Validation keys [HKLM\…\Internet Explorer\Extension Validation]. This requires adminstrative rights and can be distributed via Group Policy. Be careful: Future updates of MalwareProtection might recreate the registry entry.

  • Uninstall Microsoft System Center Endpoint Protection / Microsoft Malware Protection. Use a different product.

Long term solution

  • File a bug with Microsoft and/or Adobe? I fear they will blame each other. ;)
  • Maybe better wait for Microsoft Spartan with integrated PDF support.

Group Policy could be adding that registry value. The gpresult tool can give you insight into the settings being applied via Group Policy.

Any program running as the user could be doing it, because users have rights to modify that part of the registry by default. Being that it's changing "Every few days" I suspect it's not Group Policy that's doing it (since policy refresh happens more frequently than that).

I'd consider enabling auditing on the HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings registry key and watching the Security Event Log to catch the modification. (I don't hasten to link to blogs, however the procedure in this entry is nice because it doesn't involve making changes to audit policy via Group Policy, which most of Microsoft's official examples do.)

You'll probably also want to enable process tracking auditing to get a clear picture of what processes are involved in the modification.


While oleschri's answer is quite comprehensive, I want to add some additional detail.

In my observations, I do not see MpOAv impacting or being related to this issue. Removing the Extension Validation key also does not change any behaviors I experience - the rest of the post got me to dig further...

When using Internet Explorer 11 and visiting many Google webpages (Google Images, for example), an error is generated on the Javascript:

{var c=function(a){try{return new window.ActiveXObject(a),!0}catch(c){return!1}}

just after attempting the return new window.ActiveXObject(a) segment.

This causes IE to make the \Ext\Settings\{CA8A9780-280D-11CF-A24D-444553540000} registry changes, and disabling Adobe PDF Reader Add-On. This is observed using the Sysinternals tool Procmon and filtering the path to our registry location.

As of IE 11, the window.ActiveXObject property is hidden from the DOM. https://msdn.microsoft.com/library/dn423948(v=vs.85).aspx

Bad/outdated code from Google? Certainly doesn't mean that Microsoft can't handle the exception better.