Here's a frightening feature, explorer shell can launch an exe on a mindless mouse ov

Discussion in 'ProcessGuard' started by rickontheweb, Jul 8, 2005.

Thread Status:
Not open for further replies.
  1. rickontheweb, Registered Member

    Nov 14, 2004
    The things you find out with ProcessGuard. It never ceases to amaze me.

    I always wondered what the new background-running little helper app, acrord32info.exe, was for in Acrobat Reader 7 (on version 7.02 already because of security fixes, mind you). Due to my bad experience with Photoshop CS, I always set acrord32info.exe to deny always in ProcessGuard, since it didn't seem to make any difference if it ran or not when viewing PDFs.

    Turns out, if you open a window in the Explorer shell with PDFs in it, acrord32info.exe launches by itself in the background the moment your mouse moves over a PDF file. You don't even have to single-click or double-click a PDF file; all you have to do is move your mouse over a PDF file on the way to another icon and acrord32info.exe launches in the background. Talk about a hair-trigger response. It's probably some sort of safe, harmless preloader app used to speed up Reader access, but the concept of execute in Explorer, on a mindless mouse-over of a file type, seems like a recipe for disaster. It's easy enough to stop: set acrord32info.exe (not acrord32.exe) to deny always, or deny once for a prompt. Optionally, check your System Event log after denying it; you'll have a DCOM error. Search the registry for the DCOM Server # the event lists and zap it: no more launch on mouse-over. Reader has a detect and repair option, so you can repair if you notice it breaks something. I see no ill effects.

    I could see how this feature could be abused. Sometimes all you have to do is skim your mouse over something to launch a stealthy executable in explorer. But it does make me appreciate PG's Execution Protection feature all the more.
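
The registry lookup described in the post, as an added example that is not part of the original post: a read-only PowerShell audit that lists COM classes whose `LocalServer32` registration launches a given executable, or resolves one CLSID copied from the DCOM event. The parameter names and the function name `Get-LocalServerRegistration` are hypothetical, and the script changes nothing in the registry.

```powershell
# Added example (not from the original post). Read-only audit of COM
# out-of-process server registrations; nothing is modified or deleted.
param(
    [string]$ExeName = 'acrord32info.exe',  # helper executable named in the post
    [string]$Clsid                          # optional: "{...}" CLSID copied from the DCOM event
)

# Hives where COM classes are registered. The WOW6432Node view holds
# 32-bit registrations on 64-bit Windows and is skipped if absent.
$roots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-LocalServerRegistration {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue | ForEach-Object {
        # LocalServer32 marks a class that COM starts as a separate process
        $sub = $_.OpenSubKey('LocalServer32')
        if ($sub) {
            [pscustomobject]@{
                Clsid   = $_.PSChildName
                Name    = $_.GetValue('')     # friendly class name, if set
                Command = $sub.GetValue('')   # command line COM will launch
                Hive    = $Root
            }
            $sub.Close()
        }
    }
}

$all = foreach ($r in $roots) { Get-LocalServerRegistration -Root $r }

if ($Clsid) {
    # Resolve the CLSID from the event log entry to the program it starts
    $all | Where-Object { $_.Clsid -eq $Clsid } | Format-List
} else {
    # List every class that would launch the named executable
    $all | Where-Object { $_.Command -like "*$ExeName*" } | Format-List
}
```

Run without arguments to see which classes start acrord32info.exe, or pass `-Clsid` with the value from the DCOM error to see which program that class maps to before deciding what to do with it.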