Friday, May 26, 2017

Stop the Adobe ARM Services Dead in their Tracks - The Ultimate Adobe Acrobat Hack

Stop the Adobe ARM Service Dead in its tracks with Group Policy

Why Stop the Pesky Adobe ARM Software?
Adobe ARM is the Adobe Reader Updater. Stop it dead in its tracks to prevent the nuisance help desk calls from users who cannot update Adobe Acrobat because they are only domain users. Use it to lock down your Adobe configuration to a specific version of the software. Use Windows Group Policy to ensure these settings get passed down to all of the computers in your OUs. These GPO tricks will work with Adobe Acrobat DC running on Windows 7, with a Windows Server 2008 GPO editor. Furthermore, if you are a hacker and have cracked the amtlib.dll file to disable the Adobe sign-on page or you used the AMT Emulator to hack Adobe Acrobat DC, then this bit of advice will be very useful to you. is the leading provider of software protection emulators for Adobe products. To keep Adobe Updater from removing the emulator, you need to follow this advice. We wrote a great knowledge base story about making your computer run faster; one of the tips is turning off unneeded services, and that would include Adobe ARM.

Make a new GPO called Adobe Lockdown and edit the path:
Computer Configuration -> Preferences -> Windows Settings -> Registry

Stop Services Dead in their Tracks
The value is called "Start"; it is a REG_DWORD = 4 (service disabled).

The value is called "Start"; it is a REG_DWORD = 4 (service disabled).

Stop the AdobeAAMUpdater-1.0 startup utility
This key only appears in the registry when the startup entry has been disabled from the msconfig.exe list.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdobeAAMUpdater-1.0

Remove this key if present.
By removing this key, you remove the entry from the msconfig.exe list of startup programs.
This will prevent the service from showing up in msconfig.exe.

Remove this key to prevent Task Scheduler from running AdobeARM.exe at user logon:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Acrobat Update Task]

Configure User Preferences

Configure a GPO Registry key to "update" the Mode value:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\Legacy\Acrobat\{AC76BA86-1033-FFFF-7760-0C0F074E4100}
Mode is a REG_DWORD
0 == do not download or install updates
3 == install updates

Another interesting registry key is the ManifestURL, which usually contains:
It contains a link to the installer. You can stop Adobe software updates in DNS
by making a zone called and making an A record for the armmf host,
thereby bypassing the update lookup DNS query. Normally, DNS would return:
CNAME records and
By doing so, you will stop Adobe ARM Updater dead in its tracks and smack it down.

Applies to: Adobe Acrobat DC on Windows 7, 8 and 10

Thursday, May 25, 2017

DNS.exe APPCRASH Event ID 1000 and 1001

Loading DNS zones fails on a Windows Server 2008 R2-based DNS server. The DNS service on a Windows Server 2008 R2 domain controller fails with an APPCRASH report.


This DNS service crash may occur if DNS is configured to have a CNAME and an SOA record that both exist for the "@" record. The "@" record identifies the root of a DNS zone. This can frequently be identified in the DNS Manager as a record with the <same as parent folder> name. The SOA and NS records are allowed in this folder. RFC 2181 describes name uniqueness checks for CNAME records. According to RFC 2181, the CNAME may not exist in the <same as parent name> folder ("@") of a zone.


To avoid this issue, identify and remove the "@" CNAME record that's causing the issue from the misconfigured zone before you install update KB3145126. 
For example, you have a DNS zone for that contains:
Name                       Type                        Data
(same as parent folder)    Alias (CNAME)
(same as parent folder)    Start of Authority (SOA)    [38],
You must remove the first record shown above. It is illegal according to Microsoft KB 3145126.
Additionally, remove the Windows update KB3145126.
This issue occurs after you have either security update 3100465 or hotfix 3022780 installed on a server that's running Windows Server 2008 R2.
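
The check described in this post, as an added example that is not part of the original post or of Microsoft's guidance: a small Python linter that scans a zone in master-file text form for a CNAME at "@", or any CNAME that shares a name with other records. The zone text, the example.test names and the assumption that the zone is available as exported text are constructed for illustration; the parser is simplified (numeric TTLs only, and a ';' inside a quoted string is treated as a comment start).

```python
from collections import defaultdict
# Constructed sample zone (not from the post): a CNAME at "@" next to SOA and NS.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@   IN  SOA ns1.example.test. hostmaster.example.test. (
            38 900 600 86400 3600 )   ; serial refresh retry expire minimum
@       NS      ns1.example.test.
@       CNAME   web.example.test.
ns1     A       192.0.2.1
www     CNAME   web.example.test.
web     A       192.0.2.10
"""
CLASSES = {"IN", "CH", "HS"}
DNSSEC_OK = {"RRSIG", "NSEC"}   # DNSSEC types that may sit beside a CNAME

def parse_records(text):
    """Yield (owner, rtype) pairs from master-file text (simplified parser)."""
    owner, origin, buf = "@", None, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):      # record continues on the next line
            continue
        entry, buf = buf.replace("(", " ").replace(")", " "), ""
        fields = entry.split()
        if entry.startswith("$"):                # directive: remember $ORIGIN, skip the rest
            if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
                origin = fields[1].lower()
            continue
        if not entry[0].isspace():               # a blank owner repeats the previous one
            owner = fields.pop(0).lower()
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                        # optional TTL and class
        if fields:
            yield ("@" if owner == origin else owner), fields[0].upper()

def cname_conflicts(text):
    """Map each owner name to its record types where a CNAME coexists with other data."""
    seen = defaultdict(set)
    for owner, rtype in parse_records(text):
        seen[owner].add(rtype)
    return {o: sorted(t) for o, t in seen.items()
            if "CNAME" in t and t - DNSSEC_OK - {"CNAME"}}

def apex_cname(text):
    """True when the zone root ("@") carries a CNAME, the condition described above."""
    return any(o == "@" and t == "CNAME" for o, t in parse_records(text))
```

For the sample zone, `cname_conflicts(SAMPLE_ZONE)` reports only the "@" name; the `www` alias is left alone because it has no other records.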