In this post I am providing a solution to a problem some of our users had encountered. When users were starting up Adobe Reader X an exception was triggered in process AcroRd32.exe. Observing the crash details the memory addresses was always the same and module was always pgphk.dll. Taking a look at the properties of this library told me that it comes shipped with the PGP Desktop software.
After some investigative work I figured out what was actually happening:
1. PGPTray.exe executable gets loaded from the start-up.
2. This process loads up the library PGPhk.dll in PGPTray.exe process space.
3. Thereafter any new process opened the library PGPhk.dll gets injected in its process space.
So say if you load up Windows Calculator you’ll see PGPhk.dll in calc.exe. Due to this injection happening in AcroRd32.exe process it causes Adobe Reader to crash as by default Adobe Reader X runs in protected mode. Why PGP software does this injection in every process that I can’t say but is the cause of the problem.
Now there are a couple of ways around this:
1. Just don’t load PGPTray.exe executable and thus won’t load PGPhk.dll
2. Disable Adobe Reader in “Protected Mode” but I strongly advise not to do so, this shouldn’t be seen as a solution but only if there is no other options.
3. Upgrade to the latest version of PGP Desktop 10.1 which fixes the issue. This is the best action to take as you will be also fixing any previous vulnerabilities in its product. The version I had problems with was 9.5.3.
4. Create a whitelist excluding PGPhk memory section from Adobe Readers protected mode. The way to add this to the exclusion is to take the steps below.
i. Add a registry entry enabling the use of whitelisting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown]
“bUseWhitelistConfigFile”=dword:00000001
ii. Create a whitelist file called “ProtectedModeWhitelistConfig.txt” and place it
in the Adobe Reader executable path i.e. C:\Program Files\Adobe\Reader 10.0\Reader
iii. The ProtectedModeWhitelistConfig.txt file will need to contain the string
SECTION_ALLOW_ANY = *PGPhk*
Check out Adobe’s Application Security Guide document which is a very good document worth reading. Another point to mention is that if you try to rename PGPhk.dll library then PGP Desktop will only try to re-install it again. Another way to test is to close the handle PGPhkSharedMemory before starting up Adobe Reader and you’ll find that Adobe Reader loads up fine.
When you enable Adobe Readers “Create Protected Mode log file” and view the log file AdbeReaderBroker.log you will see something like this below. This is if the exclusion is not added to the whitelist giving you information you need to add future exclusions in the whitelist.
[03:11/09:08:06] Adobe Reader Protected Mode Logging Initiated
[03:11/09:08:08] NtCreateSection: STATUS_ACCESS_DENIED
[03:11/09:08:08] real_path: \BaseNamedObjects\PGPhkSharedMemory
[03:11/09:08:08] Consider modifying policy using this policy rule: SECTION_ALLOW_ANY
References:
http://forums.adobe.com/thread/755098
http://learn.adobe.com/wiki/display/security/Application+Security+Library
The Whitelist exclusion worked great for Reader 10.0.1, but I’m finding it does not work with version 10.1. Any suggestions?
I did some further troubleshooting, and if a device has reader 10.1 and PGP installed, things seem to be working ok. If Acrobat is installed, we receive the PGPhk.dll
error stating Adobe Reader has encountered a problem. I removed reader and only had Acrobat installed, attempted to open a variety of PDF’s and each time receive the Reader PGPhk.dll error (even with reader removed)? Help!
Hi Melissa, both of the latest versions of Adobe Reader and Acrobat support protected mode. Most likely what is happening is that for Acrobat you’ll need to add the exception again as the folder location and registry locations will be different. So when opening PDFs in Acrobat its process is checking its own registry and folder location and since it cannot find those changes its flagging up the error. I havent got Acrobat to test but Im sure thats the reason. Give it a test and let me know.
I’d like to thank you for this article. I had been using version 8 of Reader, but downloaded Reader X yesterday and found that it wouldn’t run. A search of the Web turned up your article, and setting up whitelisting in accordance with your recipe has cured the problem.
thanks, glad I could help
Thank a Million.
The below step worked
4. Create a whitelist excluding PGPhk memory section from Adobe Readers protected mode. The way to add this to the exclusion is to take the steps below.
i. Add a registry entry enabling the use of whitelisting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown]
“bUseWhitelistConfigFile”=dword:00000001
ii. Create a whitelist file called “ProtectedModeWhitelistConfig.txt” and place it
in the Adobe Reader executable path i.e. C:\Program Files\Adobe\Reader 10.0\Reader
iii. The ProtectedModeWhitelistConfig.txt file will need to contain the string
SECTION_ALLOW_ANY = *PGPhk*
I am using 10.1.1
Thanks Again
Hello I come to you with this similar issue. Apparently Microsoft nor Adobe have a fix in place. I’m using WinXP with Visual Studio Prof. C++ / Visual Basic installed. Prior to installing my programming suite, Adobe Reader worked.
Now since the new install, I get “An unhandled win32 exception occurred in AcroRd32.exe. Just In Time debugging this exception failed with the following error: No installed debugger has Just In Time debugging enabled. In Visual Studio, Just In Time debugging can be enabled from Tools/Options/Debugging/Just In Time.
I found where the JIT was located and checked/unchecked, visa versa and continued getting the same error message. I really need my Visual Studio plus Adobe Reader for college.
I’ve uninstalled / reinstalled Adobe ReaderX, plus an earlier version, I’ve uninstalled Visual Studio, reinstalled and now, I’m baffled.
I noticed your solution above was geared towards a software PGP Desktop(internet search Symantic?) with the error message. I am wondering if your fix (Whitelist) will also work the same as my issue?
Resubmit: Unchecked all choices in the JIT debugging, and reopening the icon for Adobe ReaderX, I rec’d the error message that I do not have a debugger installed. So I rechecked and reclicked the Adobe icon and when asked to debug I clicked yes. I’m new at programming but this, I’m clueless. I suppose at the point where Visual Studio asked if I wanted to break or continue I clicked break, and the error(s) appeared at the bottom of Visual Studio. I guess it captured the actual (crash point) in Adobe Reader. Maybe you could advise me?
Thanks
‘AcroRd32.exe’: Loaded ‘C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\ntdll.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\kernel32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\user32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\gdi32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\advapi32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\rpcrt4.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\secur32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\shell32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\msvcrt.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\shlwapi.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\ole32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\oleaut32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\imm32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\uxtheme.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\lpk.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\usp10.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcr90.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\Documents and Settings\Angel Wings\Local Settings\Temp\IadHide5.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\Program Files\Common Files\Motive\McciContextHook_DSR.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\msctfime.ime’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\Program Files\Adobe\Reader 10.0\Reader\AGM.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcp90.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\version.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\Program Files\Adobe\Reader 10.0\Reader\CoolType.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\Program Files\Adobe\Reader 10.0\Reader\BIB.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\Program Files\Adobe\Reader 10.0\Reader\ACE.dll’, Cannot find or open the PDB file
‘AcroRd32.exe’: Loaded ‘C:\WINDOWS\system32\setupapi.dll’, Cannot find or open the PDB file
Unhandled exception at 0x7c812afb in AcroRd32.exe: 0xC06D007E: Module not found.
I recreated this same error the other day getting the same information about the Unhandled exception but the above dll’s and so forth were all from different programs in case it makes a difference.
Hi, after reading your comments I was initially going to say to untick the “Protected mode” feature in Adobe Reader and see if it first makes a difference but then I noticed one library which looks suspicious and might be causing the crash.
C:\Documents and Settings\Angel Wings\Local Settings\Temp\IadHide5.dll
The IaHide5.dll could be malicious and this injection into the Adobe process might be causing it. I suggest you clear out the temp files and IE temporary files, and try again.
kind regards