Mark said:
No. "Always there" means always there. "There" on its own does not
imply all the time.
You entirely miss the point. Abobe should provide a clear and
transparent method of updating flash. Silently inserting a registry
key to run some program at some later date is bad for several reasons.
- It is not run until the next boot which may be some time so security
patches may be delayed.
- The user cannot be sure that the updater is actually from Adobe and
not some malware masquerading at such.
No. You are making incorrect assumptions.
The point is that the installer should tell the user what it is doing
and when it is doing it. The best way would be to redirect the user
to the download web site as soon as the update is necessary. The user
can download and install the update. The installer can prompt the
user to close the browser and/or reboot the machine if necessary. This
is what most applications do and there is no reason why Adobe cannot.
Redirecting the user to a web site to then manually obtain a new
installer usually means there is no incremental update. The whole
program gets replaced. Not all updates require a full install of the
program. Why redirect to a web site instead of a file server? Since
the file is probably on a file server, there's no point in wasting
resources of a web server to handle updates. In fact, very few of my
programs that have an update check ever waste time redirecting users to
a web site. Live updates have been common for long over a decade.
Avast anti-virus: no web site redirect, just get the update direct
Windows updates: no web site redirect required, just get the updates
Paint.Net: direct update, no having to wander to a web site
PDF-Xchange Viewer: live (direct) update
WinPatrol: redirects to a web site for a full installer
Flash Player: Control Applet checks and takes me to web site (like you
want). Right-clicking to run an update check takes me to
their web site (like you want).
If the user gets prompted to click on a web site link or to click Okay,
they are still being told about an available update and prompted for
their permission.
If configured to check for updates (the "automatic" part of its option
description means to automatically check, not automatically install) and
anytime the Flash Player sees an update, it prompts me. There is no
invisible update.
I have performed updates to Flash Player in the past. I've also had
WinPatrol running and monitoring for new or changed startup items. I
haven't yet been prompted by WinPatrol that a new startup item appeared
(in the RunOnce registry keys). While there is a newer version
available and although I have update checking enabled in the AX control,
I'm not getting prompted about a new update when I visit a web page that
contains Flash content, so maybe they don't prompt when there's only a
sub-minor version change (10.3.181.26 to 10.3.183.7) and wait until
there's a minor version change or the update incorporate critical
security fixes. I don't know the criteria under which they issue a
prompt asking for my permission to perform an update but I've never had
it perform an invisible (unprompted) update. I have visited sites that
claimed I needed a newer version of Flash but rarely is it actually
required (their version checking algorithm is flawed) or it's a hacked
or malware version retrieved from their server instead of from Adobe
(just because a site says you need a newer version doesn't mean you
don't already have the latest or what you have won't work). Of the
legit sites that want me to update, I've looked at their code and
they're pushing me over to the Flash download web page. It's the
suspicious sites that want me downloading from elsewhere. So, for now,
I can't get their "automatic" update (which means only to check, not
some invisible or unprompted install) to trigger. Every Flash update
that I recall has been an "in your face" prompted experience.
The update has always been a prompted experience for me. If it is a
security update which requires a reboot to complete, that RunOnce entry
for that security update will disappear since Windows deletes it from
the RunOnce key before it even runs the command. So if it appears again
then you were previously prompted to obtain an available update. The
RunOnce entry is a continuation of a prior prompted experience.
Do you have Firefox or some non-IE web browser installed on your
computer? From what I've read, this experience is generated by the
NPSWF32.dll plug-in (IE uses AX controls whereas other web browsers use
the Netscape plug-in scheme). So I won't see what you see because I
only have IE on my computer. From what I've read, non-IE users get
prompted about an update but that update does not occur until later
hence the need to use the RunOnce key. The permissioned update is
deferred (until next boot or login). The non-IE plug-in defers the
update by creating the subkey FlashPlayerUpdate with the data value of
"<system root>\System32\Macromed\Flash\FlashUtil<version>_Plugin.exe
-update plugin". This entry appears after you permissioned an update
but it gets deferred and because you're updating a plug-in instead of an
AX control, and the entry disappears during the boot or login for THAT
update (so you won't see it until the next deferred update).
So I don't see what you see because I only use IE with an AX control for
Flash Player whereas I suspect you also have Firefox, Opera, Seamonkey,
Chrome, or some other non-IE web browser installed that requires use of
the plug-in for Flash Player. Because Adobe, for reasons that you and I
don't know, decided that the installation of the update must be deferred
to occur during the boot of Windows or when you login and before other
startup items are executed, an entry for an update shows up in the
RunOnce key. This is a deferred install. Are you saying there was no
prior prompt for permission from you to download the update installer
(which then gets deferred)? If not, you do get prompted for permission
on the reboot or login but, as you say, it would be more polite to
notify you about the update, get your permission, and then defer the
install; however, then you'll get prompted twice for the same update and
that could be even more confusing because many users thought they
already granted permission. So they could prompt, get permission, tell
you the install will be deferred until the next reboot or login
(depending on which RunOnce key was used), and hope you remember about
that deferred install when you sometime later reboot your computer. Do
you remember everything you did 5 or 30 minutes ago on your computer?
Or they could retrieve the installer file and prompt you just once when
the deferred install executes? Hard to say which is the better scheme.
Noobs might want the first scheme and get prodded twice about the update
for the plug-in. Experienced users might only want one prompt but which
one - first prompt and then do an invisible deferred install or prompt
during the deferred install - is debatable.
They're using the RunOnce key for its intended purpose. That RunOnce
entries are gone by the time you run msconfig to review the startup
items only exemplifies the inanity of the msconfig program to show you
only SOME of the startup items. It also doesn't list WinLogon or other
events that can trigger the load of background processes. msconfig was
never designed to show you every startup item possible nor does it
monitor for entries added to RunOnce or other startup keys to let you
know that something has changed there. That malware could use the
RunOnce key is hardly an argument regarding the use as "bad" for the
this registry key. There are a hell of a lot more startup locations in
the registry than just RunOnce that malware can take advantage of as
well as good software.
Get SysInternal's AutoRuns if you want to see more locations than
msconfig will list. Get something that monitors all these startup
locations (and far more than msconfig will list) if you want to get
alerted about such changes. Besides boot and login events, there are
events that can be tied to applications, so you loading Windows Explorer
could run an application whether it be good or bad. An installer could
add a scheduled event (that deletes itself when ran) so Task Scheduler
is another method of loading a program on startup or login. There are
BootExecute events that run after just a little of the OS has been
loaded (after the drivers) but before any user-mode apps, like autocheck
for chkdsk. Both malware and goodware can take advantage of the many
methods allowed within Windows for loading them. That a particular
method is used does not dictate that the program is malware or goodware.
So, I think, we discovered why you see entries appear occasionally in
the RunOnce key that I don't see. You have a non-IE web browser on your
host and I do not. You have the plug-in installed whereas I just use
the AX control. Also, it seems that all you need to do is disable Flash
Player's automatic checking for updates to eliminate your concern over
use of the RunOnce key.
