Slow to start an app with "UIAccess = true" on Windows 2008 R2 64bit

  • Question

  • We have a 32-bit app with "UIAccess = true", and it is launched under the SYSTEM account. All is OK on Vista and Windows 2008, but it takes 18 seconds to start this app by ShellExecute on R2 64 bit. We also test it on Win7 32 bit. We just met the issue at the first time.

    Is it related to forced security check?
    bigblueapple
    Saturday, September 5, 2009 1:34 AM

Answers

  • Is this a .Net application? It's not new to 2008 R2, but .Net apps perform a Certificate Revocation List (CRL) check when launched and when they're started under the SYSTEM account, they usually don't have access to the network in a corporate environment.

    If it's a .Net app, you can try to change the State value and see if that helps. Found here:
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

    Change it from 23c00 to 23e00 (this will disable the CRL check for the System account).

    It's always a good idea to run Process Monitor in situations like this as you can get an idea of where it's spending time during startup.
    • Edited by Frank Wiggum Monday, September 7, 2009 8:34 PM 19=>18
    • Marked as answer by bigblueapple Wednesday, September 9, 2009 2:24 AM
    Monday, September 7, 2009 8:33 PM
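
    An added example, not part of the original thread: the State value is a bitmask, and because the change above disables the CRL check for the whole SYSTEM account it is worth auditing. This Python sketch decodes the value with the WTPF_* bit definitions from the Windows SDK header wintrust.h and reports hosts where revocation checking is switched off; the host names and `reg query` output are constructed samples.

```python
import re

# WTPF_* policy flag bits as defined in the Windows SDK header wintrust.h.
WTPF = {
    0x00000020: "WTPF_TRUSTTEST", 0x00000080: "WTPF_TESTCANBEVALID",
    0x00000100: "WTPF_IGNOREEXPIRATION", 0x00000200: "WTPF_IGNOREREVOKATION",
    0x00000400: "WTPF_OFFLINEOK_IND", 0x00000800: "WTPF_OFFLINEOK_COM",
    0x00001000: "WTPF_OFFLINEOKNBU_IND", 0x00002000: "WTPF_OFFLINEOKNBU_COM",
    0x00010000: "WTPF_VERIFY_V1_OFF", 0x00020000: "WTPF_IGNOREREVOCATIONONTS",
    0x00040000: "WTPF_ALLOWONLYPERTRUST",
}
KEY = r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
STATE_RE = re.compile(r"^\s*State\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.M)

def parse_state(reg_output):
    """Extract the State DWORD from `reg query` style text."""
    m = STATE_RE.search(reg_output)
    if m is None:
        raise ValueError("no State REG_DWORD value found")
    return int(m.group(1), 16)

def decode(state):
    """Names of the flags set in state; bits without a name are reported too."""
    names = [name for bit, name in sorted(WTPF.items()) if state & bit]
    unknown = state & ~sum(WTPF)
    return names + (["UNKNOWN_0x%x" % unknown] if unknown else [])

def changed_flags(before, after):
    """Flags whose bit differs between two State values."""
    return decode(before ^ after)

def audit(outputs):
    """Map host -> flags for hosts whose State has the 0x200 bit set."""
    findings = {}
    for host, text in outputs.items():
        state = parse_state(text)
        if state & 0x200:  # WTPF_IGNOREREVOKATION: revocation check skipped
            findings[host] = decode(state)
    return findings

# Constructed sample input: `reg query` output collected from two hosts.
SAMPLE = {
    "host-a": KEY + "\n    State    REG_DWORD    0x23c00\n",
    "host-b": KEY + "\n    State    REG_DWORD    0x23e00\n",
}

if __name__ == "__main__":
    print(changed_flags(0x23C00, 0x23E00), audit(SAMPLE))
```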

All replies

  • Thanks for the info, Frank.

    I changed the reg value as you said. And it does work, although it's a native application.

    I did suspect the CRL check because it's OK when I sign the app with my testing cert but not with the cert of my company.

    Actually, I ran Process Monitor; however, I failed to locate which reg operation caused this among the numerous logs.

    BTW, does Windows have a policy relative to this change?

    Appreciate your help very much.
    bigblueapple
    Wednesday, September 9, 2009 2:24 AM
  • For a .exe file you should be able to switch it off for your app only by adding a config file, YourApp.exe.config, and putting it in the same folder as your .exe:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <runtime>
        <generatePublisherEvidence enabled="false"/>
      </runtime>
    </configuration>


    Read more here:
    http://msdn.microsoft.com/en-us/library/bb629393.aspx

    >>BTW, does Windows have a policy relative to this change?

    No idea.
    Friday, September 11, 2009 12:57 PM
  • Frank,

    The config file seems to be only for managed applications. I tried and it didn't work as expected.

    Right now, I use WintrustSetRegPolicyFlags to change the value before I start my application.

    But I do hope there's a similar parameter which can be put into the manifest file.
    bigblueapple
    Friday, September 11, 2009 10:15 PM
  • May I ask, did you fix this issue with WintrustSetRegPolicyFlags or another solution?
    Friday, April 22, 2011 2:19 AM