biopdf logo
Shortcuts

Customers

Download PDF Writer

Other Tools
Command line printing with Acrobat Wrapper

Awards & Press
PC Magazine

CHIP.de Online

CNet

ZD Net

XKnowledge

SnapFiles


AllowExecute Security Setting

Since version 10.14 it is no longer allowed to use the settings AfterPrintProgram, RunOnSuccess, and RunOnError in shared or global configurations without prior permission from an administrator. This is a security precaution. You can still allow this but you have to change a registry key or run the installer with a switch to do so.

Shared and Global Configurations

Because shared and global configurations can be written by everyone with access to the ProgramData folder, additional security is needed to protect users from other users.

Normally, all users have access to the ProgramData folder where the global and shared configurations are stored. This means that a potential security threat should originate from another named user with access to the machine. It cannot come from anonymous users that are not a member of the Users group. Even though this limits the risk dramatically, you still have to consider it.

The affected configuration files are the shared option sets, global.ini, and defaults.ini. Normal settings.ini and runonce.ini are user specific and should not pose any potential threat.

Allow Command Line Execution

You can set a value in the registry to allow the execution of commands in the shared and global configuration files. This setting can override the default behavior that blocks this feature. The registry value is named AllowExecute and is located under the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\PRINTER NAME

AllowExecute is a string value. If you set it to 1 then the execution of programs is allowed. Otherwise, it is blocked. If the setting is missing in the registry then the execution is also blocked.

AllowExecute setting

You should only allow execution if you trust your users or change the file system security as detailed below.

Security Recommendations

If you use AllowExecute to unblock the running of programs then it is recommended that you modify the file and directory security. Only administrators and trusted users should have write access to the printer specific folders under ProgramData.

Shared and global settings are stored in this folder and its subfolders:

C:\ProgramData\PDF Writer\PRINTER NAME

Backward Compatibility

The introduction of the AllowExecute setting can break some of the backward compatibility. If you are using the shared and global settings with versions prior to 10.14 then you may need to set AllowExecute to 1 to have the same behavior.

 
Search words: security settings
McAfee SiteAdvisor Norton Safe Web