Adobe Reader Protected Mode

Adobe Reader Protected mode is a new security sandbox feature in Adobe Reader 10. For Reader plugin maintainers it’s can be a huge nightmare, I just wanted to share some of my findings with you in the hopes it saves someone a few hours of head scratching.

What’s allowed by default

The sandbox disables almost everything by default. The two major exceptions are that reading/writing to %TEMP% is allowed and reading from the registry is allowed. If this is all your plugin needs you are lucky :)

Part 3 of Inside Adobe Reader Protected Mode discusses the whitelisted features in more detail. Part 1, Part 2 and Part 4 are also worth reading for more background information on protected mode.

What’s possible

Fortunately it’s possible to customize the very restrictive default policies.

The Inside Protected Mode series indicates that there seems to be some sort of API to customize the sandbox rules (AddRule() examples), however it seems yet to be released or it doesn’t even exist (which kind of makes sense from a security point of view).

Fortunately there’s another way: ProtectedModeWhiteList.txt.

ProtectedModeWhitelist.txt must be in the same directory as AcroRd32.exe (HKLMSoftwareAdobeAcrobat Reader10.0InstallPath).

It must also be enabled by creating the following registry key bUseWhitelistConfigFile (type: DWORD, value: 0x1) under HKLMSOFTWAREPoliciesAdobeAcrobatReader10.0FeatureLockDown.

After enabling the usage of whitelist config we can define our own custom policies that allow the plugin to read/write to any location on the filesystem or any location in the registry.

Adding registry exceptions


Adding filesystem exceptions


There are actually a few more things that can be allowed using this file, see Adobe Application Security for more details.

Debugging Protected Mode

If you are having a problem with Reader X that doesn’t exist in Reader 9 or Reader 8 then Protected Mode is a very likely cause.

The first thing you should do is to try disable Protected Mode and see if the problem continues to exist. To do that uncheck Edit -> Preferences -> General -> Enable Protected Mode at startup.

When you have determined that the problem is really caused by Protected Mode the next thing you should do is enable Protected Mode Log file. To that check Edit -> Preferences -> General -> Create Protected Mode log file.

With this file enabled you can see most things being denied by Protected Mode and hopefully it will also recommend a rule to add to ProtectedModeWhitelist.txt.

What’s impossible

Also there are a few things that I’ve found impossible to do with Protected Mode enabled.

First it seems to be impossible to use the Windows Help system. It seems that the call to HtmlHelp() wants to launch an external process and it gets denied silently by Protected Mode. Another thing that seems impossible is reading proxy settings stored by Internet Explorer.

I have tried creating ProtectedModeWhitelist.txt rules that allow almost anything (events, process exec, files, registry etc.) and have no ACCESS_DENIED lines in there – but it still doesn’t help. When disabling Protected Mode everything works fine so those things somehow get blocked silently.

The general rule seems to be: don’t try to talk to other processes :)


Last thing I would like to mention is that when creating ProtectedModeWhitelist.txt files (probably by your plugin installer) – be nice and leaving the existing rules there, don’t overwrite anything.

Hope this was useful to someone and don’t be shy to leave comments if you discover something more about Protected Mode :)

Tarmo Lehtpuu
Tarmo is the swiss army knife Software Engineer. His deep knowledge on wide range of technologies makes him an efficient problem solver. In addition to Ruby on Rails, he enjoys developing iOS Apps.

1 Comment

  • Shridhar

    Normally I wanted to enable Protect Mode in Adobe Reader X… But when I enabled through Edit -> Preferences -> General -> Enable Protected Mode on Start, it asks for restart of Adobe Reader Once again but when i opened, i got popup again.

    Please provide me the solution if you have any idea.

Liked this post?

There’s more where that came from. Follow us on Facebook, Twitter or subscribe to our RSS feed to get all the latest posts immediately.