Run rubyw.exe from Fixed Location with Personal Firewall

Hi Y'all!

When the PIA client is started, it unpacks a rubyw.exe into a temporary location and executes it. Since the temporary location is different every time, it is impossible for most personal firewalls to whitelist that process, resulting in blocks or firewall popups every time.

There is a nice post about how a guy developed an application that allows executing PIA with rubyw.exe from a fixed location: https://www.privateinternetaccess.com/forum/discussion/2286/pia-from-a-fixed-location-in-windows/p1

However, it is MUCH easier to get there without the need of downloading anything or executing someone else's executable:

  1. Run PIA application, let it start

  2. Now you need to find the temp directory created by PIA, it has a patter like C:\Users\YOUR_USER_NAME\AppData\Local\Temp\ocrXXXX.tmp\
    YOUR_USER_NAME <-- this is YOUR username
    XXXX <-- randomly generated alphanumeric value
    Tipp: You can get to your temporary directory easily if you just put %temp% into your Windows explorer location bar and hit Enter.

    So, find this temp folder, it will contain 3 folders: bin, lib and src, keep it open.

  3. Now open location where PIA is installed, in my case it was installed to "C:\Program Files\pia_manager" (I will refer to this location as "PIA directory" from now on)

    Copy those 3 folders (bin, lib and src) to PIA directory.

  4. Exit PIA application

  5. Right click on an empty spot on your desktop and choose New -> Shortcut

  6. Browse to the rubyw.exe that is inside your PIA directory in the bin folder,
    then on the same wizard page add a space character at the and and add:
     ..\src\pia_manager.rb --run

    image

  7. Click Next and there you can give a nice name for the shortcut, for example:
    image
  8. Click Finish and you are done, technically.

  9. You might want to change the shortcut icon. Right-click the shortcut, choose Properties -> Change Icon... > Browse... and navigate to your pia_manager.exe application. Then you can select the green robot and klick OK (2 times).

    image
That's all that's necessary! When you start PIA with this link, it uses the rubyw.exe from your Program Files. Turns out, you don't really need any other environment settings or a third-party app, at least in my environment (tested on 2 PCs).

Thought I share that with you...

Have a nice day,
djkrose

Comments

  • Thanks djkrose for this solution.

    Issue I've been having is many multiple temp directories being created by PIA (especially after waking from sleep mode) that never get cleaned up.
  • Posts: 23
    Thanks very much for this. The other method has been working for me for ages, but I like this solution, as it doesn't rely on third party software

    This solution provided a unique challenge. I couldnt get it to launch on boot with Task Scheduler.

    So what I ended up doing was putting a bat file in the same directory as the shortcut, then made a bat file PrivateInternetAccess.bat that contains:
    start PrivateInternetAccess.lnk

    The lnk file is the shortcut we made.

    Now, in Task Scheduler, make a task that runs PrivateInternetAccess.bat on login

    Hope this helps someone
  • p1r473 said:
    Thanks very much for this. The other method has been working for me for ages, but I like this solution, as it doesn't rely on third party software

    This solution provided a unique challenge. I couldnt get it to launch on boot with Task Scheduler.

    So what I ended up doing was putting a bat file in the same directory as the shortcut, then made a bat file PrivateInternetAccess.bat that contains:
    start PrivateInternetAccess.lnk

    The lnk file is the shortcut we made.

    Now, in Task Scheduler, make a task that runs PrivateInternetAccess.bat on login

    Hope this helps someone
    Helped me! Thanks djkrose and p1r473!

  • Posts: 9
    p1r473 said:
    Thanks very much for this. The other method has been working for me for ages, but I like this solution, as it doesn't rely on third party software

    This solution provided a unique challenge. I couldnt get it to launch on boot with Task Scheduler.

    So what I ended up doing was putting a bat file in the same directory as the shortcut, then made a bat file PrivateInternetAccess.bat that contains:
    start PrivateInternetAccess.lnk

    The lnk file is the shortcut we made.

    Now, in Task Scheduler, make a task that runs PrivateInternetAccess.bat on login

    Hope this helps someone

    Hi mate,

    Thanks for the suggestion, I was too struggling with Task Scheduler. Well - I still am. I moved the shortcut .lnk file to the pia_manager folder, and I created just one-line batch file that just calls

    start .\PrivateIntAccess.lnk

    But here's my problem - when I run the batch file manually, it works perfectly. When I try to run it through the Task Scheduler, I get a command window which tries to run

    C:\windows\system32\start .\PrivateIntAccess.lnk

    Obviously that's not gonna work. I tried to modify the batch file to start the full path

    start C:\Program Files\pia_manager\PrivateIntAccess.lnk

    But that didn't work either. But my batch file runs OK manually, but has a problem with task manager. Could you please paste the screenshot of how you made the scheduled task here?
  • Posts: 5
    Hello djkrose.
    Thank you so much from spending time and creating such a good guide on how to start PIA from the fixed location!
    Did anybody figure out what to do extra to make v5.9 (has new js.node engine) to run from fixed location? It does not want to do it anymore for me, unfortunately...
  • Posts: 23
    This stopped working for me recently too. Any fixes??
    Tired of clicking allow in my firewall for ruby!

    Thanks.
  • Posts: 47
    I'm tired of having to delete the 100's of allow ruby* in my firewall since it doesn't let you select batches of them so you have to do it one at a time....

    Anyway, never knew this was possible at all, and I'm sure I was told (by staff I think) that this was a security risk, which is why the run location is radomised in the first place.
  • Bonkers said:
     I'm sure I was told (by staff I think) that this was a security risk, which is why the run location is radomised in the first place.

    They should and must make an option then,
    run random - by default installation
    run from fixed location in the "program folder" - advanced settings
  • Posts: 5
    @asanjeev The idea provided by @Masashevich is really cool one and allows people with the Firewall installed use PIA client normally. Do you have anywhere on the website like a voting system for the new features? I would like to vote for this one!
  • edited September 2016 Posts: 103
    The OP neglected to mention that this needs to be run with elevation. Just double clicking the shortcut won't launch PIA. Either right click and select "Run as Administrator", or use Task Scheduler (command line using schtasks.exe--explained at the bottom of this post--or GUI).

    Also, and this probably goes without saying, but disable the native PIA startup setting and make sure the client isn't running when you start testing this.

    You may notice two bin/lib/src directories, and two copies of rubyw.exe. That's normal. They're both identical, so it doesn't matter which one you copy.

    It took some playing around, but here's how I got it to work with Task Scheduler (thank you, p1r473):

    * Followed steps outlined by the OP.

    * My LNK is named "Private Internet Access.lnk" and is located in "C:\Program Files\pia_manager".

    * I created a command script (basically the same as a batch file) named "Private Internet Access.cmd", also located in "C:\Program Files\pia_manager".

    * The contents of "Private Internet Access.cmd" are:

    start "" "C:\Program Files\pia_manager\Private Internet Access.lnk"

    The "" is simply negating the title fed into the command processor. Old habit from creating many command scripts over the years. It works.

    * In Task Scheduler, I enabled "Run with highest privileges", "Configure for: Windows 10" (this may vary depending on your version of Windows, and does not seem to be important anyway). On the Actions tab, I have "Start a program" selected and set the "Program/script" to "C:\Program Files\pia_manager\Private Internet Access.cmd". Everything else is pretty obvious and/or optional.

    Edit: I didn't like seeing the command window when the task was run (it only stayed on screen for a couple seconds, but I'm funny that way), so I made a change. I changed the "Program/script" to:

    "C:\Program Files\Console\nircmd.exe"

    ...with the following arguments:

    execmd "C:\Program Files\pia_manager\Private Internet Access.cmd"

    NirCmd is a great little command line utility that does a ton of different things. I've used it for years. The "execmd" NirCmd argument simply invokes the command interpreter in a hidden window. It does nothing further. You can get NirCmd here:


    * You can run your scheduled task via command line with a shortcut having a target similar to the following:

    %SystemRoot%\System32\schtasks.exe /run /tn "\Path in Task Scheduler\Task Name"

    If your task is in the root folder in Task Scheduler, you can just use:

    %SystemRoot%\System32\schtasks.exe /run /tn "Task Name"
    Post edited by TimeBomb on
  • edited September 2016 Posts: 23
    Thanks administrator!
    Post edited by p1r473 on
  • Posts: 3
    Thx @djkrose for all your follow up on this. I read thru several help posts and the following comment threads and you've chased this down.

    I'm wondering about the security of fixing the PIA-Rubyw.exe boot process & location. Can anyone comment if making the ruby path permanent is a security problem? 

    I want to try the method out for the convenience to the AVG alert issue, but don't want to sacrifice or create a security loophole. 
    Hope some of you are still on alert for this post. :) Cheers!
  • Posts: 1
    Thx @djkrose and everyone else here for all your efforts. A "smashing" success.

    Was running into a great deal of trouble with (the newer) v66 of PIA versus my ZoneAlarm Firewall (the Free version of course). With PIA v65, even with the rubyw.exe popping up in a new and unique TMP file on every launch, ZA picked up on it and asked for access confirmation. For some reason with PIA v66, ZA no longer asked for confirmation and the PIA would fail to connect until I manually went into ZA and set the "new" listing for PIA to approved access.

    Now, I don't even bother setting PIA to start with the system. I'm always present at system startup so I just do it manually from the custom shortcut.lnk.

    Nice work everyone. Kudos to all!
  • edited January 25 Posts: 14
    This method works very well, only for me it seems that with every new update you have to follow all the steps again.

    So i did send a mail to support if there was a possibility that they could implement an extra feature to install rubyw.exe from a fixed location, for example in "C:\Program Files\pia_manager".

    I understand that the current method of using a non-fixed location is probably the most secure, but if they implement this extra feature with info that this is not the most safe option, then people who are using private firewalls can choose for themselves.

    Support did send my question to the development department, let's see....and hope.

    In my opinion this would be a great extra feature.
    Post edited by virtuado on
  • edited February 4 Posts: 103
    kahuaina said:
    I'm wondering about the security of fixing the PIA-Rubyw.exe boot process & location. Can anyone comment if making the ruby path permanent is a security problem? 

    I want to try the method out for the convenience to the AVG alert issue, but don't want to sacrifice or create a security loophole.
    That is a good question. But I can't see how it would create a security problem, since: * pia_manager.exe, rubyw.exe, openvpn.exe, and pia_nw.exe run with full elevation whether you use this method or if you just use the client the usual way. * Having a variable launch directory doesn't gain any security. I can, for example, terminate any of those processes from a command line. Malware could just as easily target them by name, regardless of where they launch from. * Malware could also deliver those binaries itself, so having them only appear when they're running doesn't achieve anything, either. Maybe I'm missing something, but I can't see what that would be.
    virtuado said:
    This method works very well, only for me it seems that with every new update you have to follow all the steps again.
    Why would you say this? I did not have to redo anything after installing the last client update. I did check the binaries to make sure they had not been updated, though.
    Post edited by TimeBomb on
  • edited February 5 Posts: 14
    I said this because i assumed this would be the case, good to know that this is not needed. Anyway...it would be nice if the develop department would implement this option in future updates.
    Post edited by virtuado on
  • This method doesn't seem to be working with v73, can anyone else confirm that or is it just me.
    If it isn't I hope some smart person can work out how to get it going again.
  • Posts: 266
    This method doesn't seem to be working with v73, can anyone else confirm that or is it just me.
    If it isn't I hope some smart person can work out how to get it going again.
    I happen to have done this earlier (slighly differently because I did it on my own) and it worked just fine for me with v73.
  • Can you let me know your method as I have tried this one a couple of times with no success, never had a problem with any earlier versions.
  • Currently using v74.  I had to change from this in the shortcut  ..\src\pia_manager.rb --run to ..\src\bin\pia_manager.rb --run
  • Thanks so much all back to normal now
Sign In or Register to comment.