error message for non administrative users (msiexec.exe)
When you start Adobe Acrobat Pro without local adminstrative rights a error message appears.(see attachment)
We identified the corresponding command line with procmon: "C:\Windows\System32\msiexec.exe" /i {AC76BA86-1033-FFFF-7760-0C0F074E4100} REINSTALLMODE=omus DISABLEFIUCHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 /qn"
We deployed the "Creative Cloud Client" as a "Self-Serivce-Packages", so licensed Users can install and use adobe products without local administrative rights.
Could you please check why msiexec.exe is called with every program start? We get a lot of tickets from users complaining about this error message and your support wasnt a help at all.
-
Thomas Kurth commented
it would be great to have more information or a possibility to disable this execution. Or do we only need to execute it once as an admin and then it's ok for all users on the same box?
-
Bill Sutphin commented
Agree as to need for complete detail. Consider the following detection category:
Identifies suspicious processes indirectly spawned by Microsoft Office applications. These descendant processes are often launched during exploitation. This alert may have more noise than the direct descendent rule (Suspicious MS Office Child Process). MITRE ATT&CK™ T1064 - Scripting, T1173 - Dynamic Data Exchange, T1192 - Spearphishing Link, T1193 - Spearphishing Attachment.