Colour Picker does not work with Windows unless user has Administrator Rights

[jeremy-tas]

Describe the bug
A clear and concise description of what the bug is.

Desktop (please complete the following information):

• OS: Windows 10 Enterprise 64 bits (22H2)
• Version 3.3.0 & 3.4.1 pre-release

To Reproduce
Steps to reproduce the behavior: Two AD accounts, one with local administrator rights and one without administrator rights. The Colour Picker functions as expected when CCA Tool is run from the account with admin rights but doesn't from the non-admin account (other features seem to work fine though).

Expected behavior
Expectation is that it would function without needing administrator rights.

[ferllings]

I can't reproduce yet, with a regular Windows 10 version.
Might be something specific to Enterprise

[ferllings]

@jeremy-tas Could you start CCA, click on the picker and send me your log file?
C:\Users\xxxx\AppData\Roaming\CCA\logs\main.log

[jeremy-tas]

@ferllings here's the log file...
main.log

[ahay77]

Any update on this thread? I am having same problem with Windows Enterprise

[ferllings]

@ahay77 I still can't reproduce either on Windows Enterprise.
The only way I was able to reproduce, is when the security suite put the picker into quarantine.
Do you have an antivirus enabled, that might flag the CCA picker?

[ahay77]

Yes I do as I work at a University and our hardware is controlled by central IT. Was absolutely perfect on Mac but my hardware was change to PC and picker doesn't work now

[ferllings]

That might be the problem.
I'm thinking about a long term solution, but for the short term I don't have any workaround.
You should try to contact your administrator, to see if he can whitelist CCA

[dhssectest]

If you're using Windows 10 Enterprise, you're likely in a corporate environment with application whitelisting.

The app installs fine into Program Files, a whitelisted path, and runs.
But there's a secondary executable that only runs when the colour picker is selected, and tries to execute from user profile:
Examples:
FilePath = %OSDRIVE%\USERS<userid>\APPDATA\LOCAL\TEMP\E496E883-899B-48AA-B5BF-924F101B11E7.TMP.EXE
FilePath = %OSDRIVE%\USERS<userid>\APPDATA\LOCAL\TEMP\08C6AE5A-4A34-4F1E-9061-0DAA81DBEEE7.TMP.EXE
FilePath = %OSDRIVE%\USERS<userid>\APPDATA\LOCAL\TEMP\CA004EA3-BCF4-4BCE-8F67-4BD20C04C8B1.TMP.EXE

Because of their random created name, your IT area may need to whitelist by publisher with a wildcard for filename?
FQDN = O=TPG INTERACTIVE, LLC, L=CLEARWATER, S=FLORIDA, C=US\MODAO NATIVE COLORPICKER\1.0.0.01

Publisher: O=TPG INTERACTIVE, LLC, L=CLEARWATER, S=FLORIDA, C=US
Product name: MODAO NATIVE COLORPICKER
Filename: *
File version: 1.0.0.1 and above

Ideally it'd be good if everything executed from inside the installation folder though.
Is that possible?

[ferllings]

I have no idea. I believe this is how electron package the application:
Because the picker is an external .exe, it needs to be unpacked at runtime.

[edikir]

Maybe the following information can help.
I use CCA without any problems on Windows 10 Enterprise. A colleague works with Windows 11 Enterprise and CCA doesn't work.

The difference:
CCA was installed automatically via the software distribution. For me, CCA was installed manually.
Perhaps there is some setting in the automatic installation that prevents the use, while in the manual installation this does not occur.

[A11yEvangel]

Using the portable edition I've never had this problem. Not an issue with portable edition in v 3.5.2 either (Win 10 Enterprise).

[edikir]

I discussed the problem with an IT colleague today. In our company the TEMP folder is locked with an APPLOCKER and you need access to the entire TEMP folder to use the color picker in CCA.
Depending on the company IT policy, not every user is allowed to do this.
Therefore a recommendation and question: Would it be possible to save the log data within the TEMP folder in a separate folder (e.g. APPDATA\LOCAL\TEMP\CCA)? Then only the TEMP\CCA folder would have to be released and not the entire TEMP folder.

[ferllings]

I need to do some research, as this is handled by Electron.
I'm sure there is an hidden option somewhere, I just need to find it.

[jeremy-tas]

If you're using Windows 10 Enterprise, you're likely in a corporate environment with application whitelisting.

The app installs fine into Program Files, a whitelisted path, and runs. But there's a secondary executable that only runs when the colour picker is selected, and tries to execute from user profile: Examples: FilePath = %OSDRIVE%\USERS\APPDATA\LOCAL\TEMP\E496E883-899B-48AA-B5BF-924F101B11E7.TMP.EXE FilePath = %OSDRIVE%\USERS\APPDATA\LOCAL\TEMP\08C6AE5A-4A34-4F1E-9061-0DAA81DBEEE7.TMP.EXE FilePath = %OSDRIVE%\USERS\APPDATA\LOCAL\TEMP\CA004EA3-BCF4-4BCE-8F67-4BD20C04C8B1.TMP.EXE

Because of their random created name, your IT area may need to whitelist by publisher with a wildcard for filename? FQDN = O=TPG INTERACTIVE, LLC, L=CLEARWATER, S=FLORIDA, C=US\MODAO NATIVE COLORPICKER\1.0.0.01

Publisher: O=TPG INTERACTIVE, LLC, L=CLEARWATER, S=FLORIDA, C=US Product name: MODAO NATIVE COLORPICKER Filename: * File version: 1.0.0.1 and above

Ideally it'd be good if everything executed from inside the installation folder though. Is that possible?

Looks like you're onto something. Each time the colour picker is run it has a different file name and it is being blocked by AppLocker. See my attached screenshot from Event Viewer.

[ferllings]

Thanks. I'll open a ticket on electron's github. Might be faster to get a working solution.

[jeremy-tas]

Thanks. I'll open a ticket on electron's github. Might be faster to get a working solution.

We're going to try whitelisting the publisher (TPG Interactive, LLC) certificate in AppLocker to see if that fixes the issue.