#432 Undesirable Interaction wth UAC

1.7.2126
open
AxDecrypt (30)
5
2010-06-14
2010-06-14
Bob Coleman
No

I'm running AxCrypt 1.7.2126.0 64-bit on Windows 7 Home Premium 64-bit and seem to have discovered a problematic interaction between AxCrypt and UAC. To reduce this to as simple as case as possible, I've created the following 2-line BAT file:

start "" "C:\Program Files (x86)\Neutron\Neutron.exe"
"C:\Program Files\Axantum\AxCrypt\AxCrypt.exe" -d d:\Temp\test-txt.axx

Neutron is an application for synchronizing system time with internet time servers.available at http://keir.net/neutron.html, but I don't think the specific application is relevant. What I believe to be relevant is that the application has to be run as an administrator to perform its time adjustment function and therefore produces a UAC prompt if UAC is active.

The other necessary condition for the problem to occur is for AxCrypt to not have a resident passphrase. Let's assume that AxCrypt is being invoked for the first time since a system boot.

When the above shown BAT file is executed, the invocation of Neutron will cause a UAC prompt. In the scenario being described, "Yes" will be clicked to allow Neutron to run. Since Neutron was invoked via a Start command, it remains active as AxCrypt decryption is attempted, but instead of getting the expected request for a passphrase, I get “Internal error in (null). Please report.”.

As best I can tell, the following conditions are necessary to produce this result:

1.AxCrypt must not have a relevant, resident, cached passphrase.
2. An application must be being run as administrator which causes a UAC prompt.
3. Said application and an AxCrypt command must be invoked within a BAT file or other type of script.
4. Interaction with UAC must allow program being run as administrator to execute.
5. Said program must still be active when AxCrypt command runs.

Discussion

  • Svante Seleborg

    Svante Seleborg - 2010-06-15

    Hello,

    Thank you for this very detailed and exemplary bug report.

    I'm not quite sure what happens, or if it's even an AxCrypt issue. UAC has never been very easy to work with, and there are strange (but correct) behaviors associated with that functionality.

    The first question is, does 'neutron' have the proper manifest and is really Windows Vista/7 compatible? According to one source I found, a command line application should not case a regular GUI UAC prompt, but rather either fail or present a command line prompt.

    What might be happening (I haven't checked this fully) is that it's really cmd.exe requesting elevation to be able to start 'Neutron', and it will do so in compatibility mode because it doesn't have the right manifest.

    If so, once you start AxCrypt, it'll run in a virtual environment with various things redirected, such as Program Files, parts of the registry etc. This could cause the situation described.

    As a work around, and to try it out, check if you can tell what program is requesting elevation, and also try launching cmd.exe as administrator to see what effect it has. I'll look into this more later depending on your findings.

    Svante

     
  • Bob Coleman

    Bob Coleman - 2010-06-15

    One thing about which I might not initially have been completely clear. I have checked “Run this program as an administrator” in the Compatibility tab of of the Properties of Neutron.exe.

    I don't know much about nor very well understand UAC. I don't even know what a manifest is in this context, but the UAC prompt does identify Neutron as the program trying to “make changes to this computer”.

    From now on, I'll refer to the 2-line BAT file previously described as test.bat .

    You suggest to try launching cmd.exe as administrator. I assume you mean to do that and then run test.bat from the resulting command prompt.

    Let me recap what happens when I run test.bat from a command prompt not being run as administrator.

    I get a UAC prompt identifying Neutron. If I reply to UAC allowing Neutron to run, I then get the error message from AxCrypt.

    Now, if I start the command prompt as administrator, I immediately get a UAC prompt about allowing “Windows Command Processor” to “make changes to this computer”. If I allow it and then run test.bat, I don't get another UAC prompt. Neutron runs without further question, but I still get the same error from AxCrypt.

    I don't think anything about Neutron itself is relevant though. I can produce the same results using Firefox instead of Neutron.

    In my initial attempts with Firefox and with the command prompt not running as administrator, I got the UAC prompt for Firefox, but not the AxCrypt error. If I run the command prompt as administrator, I get no UAC prompt for Firefox when running test.bat, but do get the AxCrypt error.

    The absence of the AxCrypt error when command prompt is not run as administrator seems to be a timing issue. Maybe because Firefox is not completely active when AxCrypt runs. Just a somewhat educated guess.

    Because I don't know how to introduce a delay in a bat file, I switched to a rex script. The results using test.rex are exactly the same as with test.bat except that in the case of the command prompt not being run as an administrator, if I put a five second pause between invoking Firefox and AsCrypt, I get the AxCrypt error again.

    Experience with this delay causes me to emphasize that for the AxCrypt error to occur, the elevated application (Neutron/Firefox) must be the foreground or focused application when the AxCrypt command runs. If I switch to another window during the induced delay, I then get the expected passphrase prompt instead of the error message from AxCrypt.

    One final, probably irrelevant, observation: In the UAC prompt for Neutron, the question about making changes to this computer is on a dark yellow background whereas in the prompt for Firefox the background is blue. Does this have any relevance to the question of whether or not Neutron has the proper manifest and is really Windows Vista/7 compatible? I have no idea, but it probably doesn't matter here.

     
  • Svante Seleborg

    Svante Seleborg - 2010-06-15

    Hello,

    Once again thank you for the thorough problem description.

    I think the key to to the issue is what you write about here: "for the AxCrypt
    error to occur, the elevated application (Neutron/Firefox) must be the
    foreground or focused application when the AxCrypt command runs".

    I have not checked this, but what I think happens is that the foreground window is elevated, and AxCrypt tries to make that window it's parent if I recall correctly - but it can't since they run at different elevation levels. AxCrypt is running at non-adminstrative level, but the top-level window is running as administrator.

    I can't state my honest opinion about UAC in language that won't get me banned from my own support forum... But I can say as much as that I'm not happy with it.

    I'm not too sure how to make a workaround, and I'm not quite sure how to fix the issue either, but I will look into it.

    If I understand it correctly, neutron.exe is not really a gui application, and there's no real need for it to run in paralell with AxCrypt. You may want to try to use the start /wait switch to finish and exit neutron.exe before launching AxCrypt. That may work around the problem for you - or it may not...

    Svante

     
  • Bob Coleman

    Bob Coleman - 2010-06-15

    Actually, Neutron is a GUI application. It displays local time and has a “Get Atomic Time” button. If that button is used, a “Synchronize” button appears. Neutron can be configured to synchronize automatically at start up and then exit which is how I have it configured.

    I just happened to stumble into a situation where I ran a script which ran Neutron and then immediately decrypted some Quicken data files and ran Quicken. It's true that in this scenario, using “start /wait” with Neutron avoids the problem at the cost of a few seconds delay. It's also true that I'm not even using Neutron and AxCrypt in the described sequence anymore.

    I just switched from XP to 7 and am still cleaning up, avoiding, or working around situations where UAC gets in my way. I may end up disabling UAC completely. I haven't decided.

    I reported all this in the spirit of “Here is some information if it's of interest”. I no longer have an active problem in my own usage.

     

Log in to post a comment.