Run rubyw.exe from Fixed Location with Personal Firewall

Hi Y'all!

When the PIA client is started, it unpacks a rubyw.exe into a temporary location and executes it. Since the temporary location is different every time, it is impossible for most personal firewalls to whitelist that process, resulting in blocks or firewall popups every time.

There is a nice post about how a guy developed an application that allows executing PIA with rubyw.exe from a fixed location: https://www.privateinternetaccess.com/forum/discussion/2286/pia-from-a-fixed-location-in-windows/p1

However, it is MUCH easier to get there without the need of downloading anything or executing someone else's executable:

  1. Run PIA application, let it start

  2. Now you need to find the temp directory created by PIA, it has a patter like C:\Users\YOUR_USER_NAME\AppData\Local\Temp\ocrXXXX.tmp\
    YOUR_USER_NAME <-- this is YOUR username
    XXXX <-- randomly generated alphanumeric value
    Tipp: You can get to your temporary directory easily if you just put %temp% into your Windows explorer location bar and hit Enter.

    So, find this temp folder, it will contain 3 folders: bin, lib and src, keep it open.

  3. Now open location where PIA is installed, in my case it was installed to "C:\Program Files\pia_manager" (I will refer to this location as "PIA directory" from now on)

    Copy those 3 folders (bin, lib and src) to PIA directory.

  4. Exit PIA application

  5. Right click on an empty spot on your desktop and choose New -> Shortcut

  6. Browse to the rubyw.exe that is inside your PIA directory in the bin folder,
    then on the same wizard page add a space character at the and and add:
     ..\src\pia_manager.rb --run

    image

  7. Click Next and there you can give a nice name for the shortcut, for example:
    image
  8. Click Finish and you are done, technically.

  9. You might want to change the shortcut icon. Right-click the shortcut, choose Properties -> Change Icon... > Browse... and navigate to your pia_manager.exe application. Then you can select the green robot and klick OK (2 times).

    image
That's all that's necessary! When you start PIA with this link, it uses the rubyw.exe from your Program Files. Turns out, you don't really need any other environment settings or a third-party app, at least in my environment (tested on 2 PCs).

Thought I share that with you...

Have a nice day,
djkrose

Comments

  • Thanks djkrose for this solution.

    Issue I've been having is many multiple temp directories being created by PIA (especially after waking from sleep mode) that never get cleaned up.
  • Posts: 23
    Thanks very much for this. The other method has been working for me for ages, but I like this solution, as it doesn't rely on third party software

    This solution provided a unique challenge. I couldnt get it to launch on boot with Task Scheduler.

    So what I ended up doing was putting a bat file in the same directory as the shortcut, then made a bat file PrivateInternetAccess.bat that contains:
    start PrivateInternetAccess.lnk

    The lnk file is the shortcut we made.

    Now, in Task Scheduler, make a task that runs PrivateInternetAccess.bat on login

    Hope this helps someone
  • p1r473 said:
    Thanks very much for this. The other method has been working for me for ages, but I like this solution, as it doesn't rely on third party software

    This solution provided a unique challenge. I couldnt get it to launch on boot with Task Scheduler.

    So what I ended up doing was putting a bat file in the same directory as the shortcut, then made a bat file PrivateInternetAccess.bat that contains:
    start PrivateInternetAccess.lnk

    The lnk file is the shortcut we made.

    Now, in Task Scheduler, make a task that runs PrivateInternetAccess.bat on login

    Hope this helps someone
    Helped me! Thanks djkrose and p1r473!

  • Posts: 11
    p1r473 said:
    Thanks very much for this. The other method has been working for me for ages, but I like this solution, as it doesn't rely on third party software

    This solution provided a unique challenge. I couldnt get it to launch on boot with Task Scheduler.

    So what I ended up doing was putting a bat file in the same directory as the shortcut, then made a bat file PrivateInternetAccess.bat that contains:
    start PrivateInternetAccess.lnk

    The lnk file is the shortcut we made.

    Now, in Task Scheduler, make a task that runs PrivateInternetAccess.bat on login

    Hope this helps someone

    Hi mate,

    Thanks for the suggestion, I was too struggling with Task Scheduler. Well - I still am. I moved the shortcut .lnk file to the pia_manager folder, and I created just one-line batch file that just calls

    start .\PrivateIntAccess.lnk

    But here's my problem - when I run the batch file manually, it works perfectly. When I try to run it through the Task Scheduler, I get a command window which tries to run

    C:\windows\system32\start .\PrivateIntAccess.lnk

    Obviously that's not gonna work. I tried to modify the batch file to start the full path

    start C:\Program Files\pia_manager\PrivateIntAccess.lnk

    But that didn't work either. But my batch file runs OK manually, but has a problem with task manager. Could you please paste the screenshot of how you made the scheduled task here?
  • Posts: 7
    Hello djkrose.
    Thank you so much from spending time and creating such a good guide on how to start PIA from the fixed location!
    Did anybody figure out what to do extra to make v5.9 (has new js.node engine) to run from fixed location? It does not want to do it anymore for me, unfortunately...
  • Posts: 23
    This stopped working for me recently too. Any fixes??
    Tired of clicking allow in my firewall for ruby!

    Thanks.
  • Posts: 47
    I'm tired of having to delete the 100's of allow ruby* in my firewall since it doesn't let you select batches of them so you have to do it one at a time....

    Anyway, never knew this was possible at all, and I'm sure I was told (by staff I think) that this was a security risk, which is why the run location is radomised in the first place.
  • Bonkers said:
     I'm sure I was told (by staff I think) that this was a security risk, which is why the run location is radomised in the first place.

    They should and must make an option then,
    run random - by default installation
    run from fixed location in the "program folder" - advanced settings
  • Posts: 7
    @asanjeev The idea provided by @Masashevich is really cool one and allows people with the Firewall installed use PIA client normally. Do you have anywhere on the website like a voting system for the new features? I would like to vote for this one!
  • edited September 2016 Posts: 105
    The OP neglected to mention that this needs to be run with elevation. Just double clicking the shortcut won't launch PIA. Either right click and select "Run as Administrator", or use Task Scheduler (command line using schtasks.exe--explained at the bottom of this post--or GUI).

    Also, and this probably goes without saying, but disable the native PIA startup setting and make sure the client isn't running when you start testing this.

    You may notice two bin/lib/src directories, and two copies of rubyw.exe. That's normal. They're both identical, so it doesn't matter which one you copy.

    It took some playing around, but here's how I got it to work with Task Scheduler (thank you, p1r473):

    * Followed steps outlined by the OP.

    * My LNK is named "Private Internet Access.lnk" and is located in "C:\Program Files\pia_manager".

    * I created a command script (basically the same as a batch file) named "Private Internet Access.cmd", also located in "C:\Program Files\pia_manager".

    * The contents of "Private Internet Access.cmd" are:

    start "" "C:\Program Files\pia_manager\Private Internet Access.lnk"

    The "" is simply negating the title fed into the command processor. Old habit from creating many command scripts over the years. It works.

    * In Task Scheduler, I enabled "Run with highest privileges", "Configure for: Windows 10" (this may vary depending on your version of Windows, and does not seem to be important anyway). On the Actions tab, I have "Start a program" selected and set the "Program/script" to "C:\Program Files\pia_manager\Private Internet Access.cmd". Everything else is pretty obvious and/or optional.

    Edit: I didn't like seeing the command window when the task was run (it only stayed on screen for a couple seconds, but I'm funny that way), so I made a change. I changed the "Program/script" to:

    "C:\Program Files\Console\nircmd.exe"

    ...with the following arguments:

    execmd "C:\Program Files\pia_manager\Private Internet Access.cmd"

    NirCmd is a great little command line utility that does a ton of different things. I've used it for years. The "execmd" NirCmd argument simply invokes the command interpreter in a hidden window. It does nothing further. You can get NirCmd here:


    * You can run your scheduled task via command line with a shortcut having a target similar to the following:

    %SystemRoot%\System32\schtasks.exe /run /tn "\Path in Task Scheduler\Task Name"

    If your task is in the root folder in Task Scheduler, you can just use:

    %SystemRoot%\System32\schtasks.exe /run /tn "Task Name"
    Post edited by TimeBomb on
  • edited September 2016 Posts: 23
    Thanks administrator!
    Post edited by p1r473 on
  • Thx @djkrose for all your follow up on this. I read thru several help posts and the following comment threads and you've chased this down.

    I'm wondering about the security of fixing the PIA-Rubyw.exe boot process & location. Can anyone comment if making the ruby path permanent is a security problem? 

    I want to try the method out for the convenience to the AVG alert issue, but don't want to sacrifice or create a security loophole. 
    Hope some of you are still on alert for this post. :) Cheers!
  • Thx @djkrose and everyone else here for all your efforts. A "smashing" success.

    Was running into a great deal of trouble with (the newer) v66 of PIA versus my ZoneAlarm Firewall (the Free version of course). With PIA v65, even with the rubyw.exe popping up in a new and unique TMP file on every launch, ZA picked up on it and asked for access confirmation. For some reason with PIA v66, ZA no longer asked for confirmation and the PIA would fail to connect until I manually went into ZA and set the "new" listing for PIA to approved access.

    Now, I don't even bother setting PIA to start with the system. I'm always present at system startup so I just do it manually from the custom shortcut.lnk.

    Nice work everyone. Kudos to all!
  • edited January 2017 Posts: 14
    This method works very well, only for me it seems that with every new update you have to follow all the steps again.

    So i did send a mail to support if there was a possibility that they could implement an extra feature to install rubyw.exe from a fixed location, for example in "C:\Program Files\pia_manager".

    I understand that the current method of using a non-fixed location is probably the most secure, but if they implement this extra feature with info that this is not the most safe option, then people who are using private firewalls can choose for themselves.

    Support did send my question to the development department, let's see....and hope.

    In my opinion this would be a great extra feature.
    Post edited by virtuado on
  • edited February 2017 Posts: 105
    kahuaina said:
    I'm wondering about the security of fixing the PIA-Rubyw.exe boot process & location. Can anyone comment if making the ruby path permanent is a security problem? 

    I want to try the method out for the convenience to the AVG alert issue, but don't want to sacrifice or create a security loophole.
    That is a good question. But I can't see how it would create a security problem, since: * pia_manager.exe, rubyw.exe, openvpn.exe, and pia_nw.exe run with full elevation whether you use this method or if you just use the client the usual way. * Having a variable launch directory doesn't gain any security. I can, for example, terminate any of those processes from a command line. Malware could just as easily target them by name, regardless of where they launch from. * Malware could also deliver those binaries itself, so having them only appear when they're running doesn't achieve anything, either. Maybe I'm missing something, but I can't see what that would be.
    virtuado said:
    This method works very well, only for me it seems that with every new update you have to follow all the steps again.
    Why would you say this? I did not have to redo anything after installing the last client update. I did check the binaries to make sure they had not been updated, though.
    Post edited by TimeBomb on
  • edited February 2017 Posts: 14
    I said this because i assumed this would be the case, good to know that this is not needed. Anyway...it would be nice if the develop department would implement this option in future updates.
    Post edited by virtuado on
  • This method doesn't seem to be working with v73, can anyone else confirm that or is it just me.
    If it isn't I hope some smart person can work out how to get it going again.
  • Posts: 702
    This method doesn't seem to be working with v73, can anyone else confirm that or is it just me.
    If it isn't I hope some smart person can work out how to get it going again.
    I happen to have done this earlier (slighly differently because I did it on my own) and it worked just fine for me with v73.
  • Can you let me know your method as I have tried this one a couple of times with no success, never had a problem with any earlier versions.
  • Currently using v74.  I had to change from this in the shortcut  ..\src\pia_manager.rb --run to ..\src\bin\pia_manager.rb --run
  • Thanks so much all back to normal now
  • Thanks to the recent events with Bitdefender's Advanced Threat Defense not working properly with PIA, this thread saved me after these 2 months of pain using PIA...

    Thanks to @djkrose , @p1r473 , @TimeBomb and @blaster71
    Combining information from all of your posts provides a perfect temporary solution until the BD devs find a solution for this... Or until PIA devs add an advanced option to have a fixed location for rubyw.exe...

    Here is a snippet with all of the information combined, the end result is a shortcut that starts PIA with rubyw interpreter inside pia_manager folder... If something is not clear then look at the original posts for more detailed instructions and possible screenshots.

    ____________________________________________________________________________________________________________________

    Making PIA start with a static location rubyw.exe:

    1) Open PIA and let it start

    2) Go to your temp folder (Win + R and type in %temp%, press enter. OR type %temp% to your explorer window location bar)

    3) You should see a folder (or two) called ocrXXXX (Where XXXX random string of numbers and letters). Open the folder and copy the 3 folders inside (bin, lib, src) to your PIA installation folder. (In most cases, C:\Program Files/pia_manager)

    4) Exit PIA

    5) Create a new shortcut on your desktop (Right click). Browse to your PIA installation folder and select rubyw.exe inside the /bin/ folder there and click OK. Then add 
     ..\src\bin\pia_manager.rb --run
    after the rubyw.exe path. This should result to the entire shortcut target line to be:
    "C:\Program Files\pia_manager\bin\rubyw.exe" ..\src\bin\pia_manager.rb --run
    Click Next, give the shortcut a name (this example assumes that it's "Private Internet Access") and then click Finish.

    6) Move the shortcut to PIA installation folder (C:\Program Files\pia_manager)

    7) Open notepad as admin and paste in
    start "" "C:\Program Files\pia_manager\Private Internet Access.lnk"
    where "Private Internet Access.lnk" is whatever name you chose for the shortcut in step #5
    File -> Save As
    Change Type to "All Files (*.*)" and save the file to PIA installation folder with the name of your choosing, but make sure it ends in .cmd (This example assumes you used PIA.cmd).

    8) Optional: This tool will be used to hide the command prompt window created from running .bat or .cmd files.
    Download NirCmd from http://nirsoft.net/utils/nircmd-x64.zip and extract NirCmd.exe to a folder, for example C:\Program Files, C:\Program Files\NirCmd or C\Program Files\pia_manager. (This example uses the second one)

    9) Open task scheduler (Search in Start menu OR Win + R and type in "taskschd.msc")

    10) Make sure "Task Scheduler (Local)" or "Task Scheduler Library" is selected on the left.
    Create a new task (Action -> Create task)
    Choose a name for it (this example uses name "PIA Start")
    Check "Run with highest privileges"
    Go to Actions tab -> New -> Choose action "Start a program"
    Navigate to NirCmd.exe (or directly to your .cmd script if you don't want to use NirCmd) and choose it.
    If you use NirCmd, add this to the "Add arguments" field:
    execmd "C:\Program Files\pia_manager\PIA.cmd"
    Where "PIA.cmd" is whatever you specified in step #7.
    That's all you need in task scheduler, press OK until you see main scheduler window and close it.

    11) Create a new shortcut on your desktop. Set the target as:
    %SystemRoot%\System32\schtasks.exe /run /tn "PIA Start"
    Where "PIA Start" is whatever name you specified for the task in step #10. Name it whatever you want.
    This shortcut will now start PIA with rubyw.exe located inside the PIA installation folder. You can for example pin it to start (tiles) by copying/moving it to C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    After that you can open Start menu, and you should see the shortcut in recent items (or under the alphabetical list) and you can right click it and "Pin to start".

    EXTENDED STEPS FOR BITDEFENDER PROBLEM:
    12) Whitelist the rubyw.exe in your PIA installation folder (C:\Program Files\pia_manager\bin\rubyw.exe) in Bitdefender Advanced Threat Defense:
    Open Bitdefender 2018.
    View features -> Advanced Threat Defense -> *click on the cogwheel* -> "Add applications to the whitelist"

    _____________________________________________________________________________________________________________________
    Original posts:
    https://www.privateinternetaccess.com/forum/discussion/18865/run-rubyw-exe-from-fixed-location-with-personal-firewall
    https://www.privateinternetaccess.com/forum/discussion/comment/36423/#Comment_36423
    https://www.privateinternetaccess.com/forum/discussion/comment/43266/#Comment_43266
    https://www.privateinternetaccess.com/forum/discussion/comment/51243/#Comment_51243
  • Posts: 7
    Mystik, I confirm that this method works like a charm. The only recent hiccup was related to path change between versions 7.3 and 7.4. Running bat script with Admin privileges is now on subconscious level. Running PIA this way allows me to bypass Comodo firewall requests to whitelist every new random Ruby location in the temp directory after restart of the PIA software (or computer or both). So this method saves me a lot of hassle. Thank you for putting together nice summary.
  • WHY is this something that has gone unfixed by the devs in over 3 years???!!!  Are the devs SO incompetent that they cannot write the program so that it uses Ruby in a static place themselves?

    WHY is this something that *users* should have to figure out???!!!

    We all KNOW that this has been a persistent issue with the application.  I find this utterly irresponsible and unprofessional of PIA.  There ARE no excuses for it,

  • Posts: 702
    WHY is this something that has gone unfixed by the devs in over 3 years???!!!  Are the devs SO incompetent that they cannot write the program so that it uses Ruby in a static place themselves?

    WHY is this something that *users* should have to figure out???!!!

    We all KNOW that this has been a persistent issue with the application.  I find this utterly irresponsible and unprofessional of PIA.  There ARE no excuses for it,

    Because 99.99% of users don't know what Ruby is, doesn't care where it is nor have any need to move it.

    This is something that's specific to Windows as the Mac and Linux versions have it already extracted within the application package. It's because the software that embeds the Ruby interpreter and the code within a single .exe file works this way, so we'd need to make our own packaging software to do it.

    I'm not saying it completely excuses it, because really this thread itself is a proof that it's doable and that it works just fine (if we ignore everything that this solution ends up unknowingly bypassing), although I know there's a few things that ends up calling the main pia_manager.exe which might be why they don't "just fix it". But there are other more widespread and more urgent issues that are being prioritized at the moment. PIA's development process also got a major overhaul this year and development has slowed down a bit while things settle with the new deploy pipeline, QA process, etc. Big plans for 2018 that might fix this one however :)
Sign In or Register to comment.