InTouch HMI 2023 R2 SP1 P03
Last Updated: Oct 08, 2025
About this Readme
This Readme provides information about AVEVA InTouch HMI 2023 R2 SP1 P03. Readme files from previous releases of AVEVA InTouch HMI are posted on the support site.
Restricted DLL Loading
Overview
This release introduces a registry-based mechanism for restricted DLL loading. It is designed to strengthen system security by controlling which directories are permitted for library loading. This mechanism aims to minimize the risk of malicious or unintended DLLs being loaded into the system.
By default, restricted DLL loading is disabled. It is recommended to enable this feature in a test environment first to determine if it affects your application's functionality.
You can enable or disable restricted DLL loading by editing the relevant registry key. This key is generated during installation and has a default value of 0, meaning the feature is off.
- Registry Key Location: HKEY_LOCAL_MACHINE\SOFTWARE\AVEVA\SystemPlatform\Security
- Value name: EnableRestrictedDllLoading
- Type: DWORD (0 = Disabled, 1 = Enabled)
Values
- 0x00000000 (0): Restricted DLL loading is disabled (default)
- 0x00000001 (1): Restricted DLL loading is enabled
If the value is not specified or is anything other than 1, restricted DLL loading will remain disabled by default.
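The following PowerShell script is an added example, not AVEVA code: it reads the value named above, reports the effective state under the rule that only a value of 1 enables the feature, and can set the value when trialing the feature in a test environment. The `-Mode` parameter and the helper function name are this example's own, and reporting a non-DWORD value as disabled is an assumption of the example.

```powershell
# Added example (not AVEVA code): audit or set the restricted DLL loading switch.
# Run elevated for Enable/Disable; writing under HKLM needs administrator rights.
param(
    [ValidateSet('Audit', 'Enable', 'Disable')]
    [string]$Mode = 'Audit'            # parameter name is this example's own
)

$KeyPath   = 'HKLM:\SOFTWARE\AVEVA\SystemPlatform\Security'   # from the Readme
$ValueName = 'EnableRestrictedDllLoading'                     # from the Readme

function Get-RestrictedDllLoadingState {   # hypothetical helper name
    $key  = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    $raw  = $null
    $kind = $null
    if ($key -and ($key.GetValueNames() -contains $ValueName)) {
        $raw  = $key.GetValue($ValueName)
        $kind = $key.GetValueKind($ValueName)
    }
    # Readme rule: a missing value, or anything other than 1, leaves the feature
    # disabled. Assumption of this example: a value that is not a DWORD is also
    # reported as disabled and flagged, because the Readme specifies DWORD.
    $isDword = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord)
    if (-not $key)            { $finding = 'Key not found' }
    elseif ($null -eq $raw)   { $finding = 'Value not set: feature disabled' }
    elseif (-not $isDword)    { $finding = 'Value is not a DWORD: correct the type' }
    elseif ($raw -eq 1)       { $finding = 'Feature enabled' }
    else                      { $finding = "Value $raw is not 1: feature disabled" }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        KeyPresent = [bool]$key
        RawValue   = $raw
        ValueKind  = $kind
        Enabled    = ($isDword -and $raw -eq 1)
        Finding    = $finding
    }
}

if ($Mode -ne 'Audit') {
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Key $KeyPath not found; the Readme says installation creates it."
    }
    $new = if ($Mode -eq 'Enable') { 1 } else { 0 }
    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $new -Type DWord
}

Get-RestrictedDllLoadingState   # always report the resulting state
```

Run without arguments on each node to collect the current state; the emitted object can be piped to `Export-Csv` for a fleet-wide record before and after a test rollout.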
Test
If your application is affected by this feature, you might encounter some issues in your system. In the Logger you may see some warning or error messages.
This functionality may affect the following:
- Application Server
  - Custom Application Objects created with the AOT
  - Custom script libraries
  - IDE Extensions
  - GRAccess-based programs
- InTouch HMI
  - Custom script libraries
  - IDEA Toolkit extensions
  - Network Application Development
  - Some Remote Desktop scenarios
Plan for moving forward
In the next release, this feature will be enabled by default, but you will still have the option to disable it. In a subsequent release, the feature will be enabled by default with no option to disable it.
WindowViewer as a Service
Service account changes
For improved security, the WindowViewer Virtual Service Account has been removed from the Administrators group and no longer has administrative privileges. The account has been added to the ASBSolution, ArchestrAWebHosting, and aaRuntimeUsers groups.
Application path access
When configuring WindowViewer to run as a service in the Application Manager, the system will automatically check if the WindowViewer Virtual Service Account has the necessary permissions to access the selected application path. If the service account does not have read/write access to the application directory tree, the following will occur:
- Automatic permission grant: The WindowViewer Virtual Service Account will be automatically granted read/write access to the entire application directory tree.
- User notification: You will see a log message informing you of this permission change.
- Service configuration: The application will then be configured to run as a service with the appropriate access rights.
Post-upgrade redeployment requirements
Important: After performing a software upgrade, managed applications running as a service must be redeployed to ensure proper service account permissions. If you do not redeploy after an upgrade, the VIEW service account will not automatically have permission to the application folder for the managed application running as a service.
Standalone applications in protected paths
If a standalone application was created in a protected path and configured to run as a service in an earlier release, the VIEW service account may not have the required permissions after upgrade. This is due to the reduced privileges of the VIEW service account.
Issue: After upgrade and machine restart, the WindowViewer service may fail to start with an "Access Denied" error.
Solution: Manually grant read and write permissions to the VIEW service account for the application folder.
Logging
Detailed log messages are provided to help troubleshoot any service configuration issues. Monitor the Operations Control Management Console for information about permission changes and service setup status.
Security notes
- The service account now operates with minimal required privileges for enhanced security.
- Permissions are granted only to specific application directories as needed.
- The service account no longer has system-wide administrative access.
StringCompareEncrypted() function will be deprecated soon
The StringCompareEncrypted script function compares an unencrypted password with an encrypted password entered through a password input field.
StringCompareEncrypted represents and supports a use case and workflow that is inherently insecure by modern cybersecurity standards, even within the scope of a closed network. Additionally, StringCompareEncrypted uses an insecure comparison mechanism which can lead to clear-text password or credential exposure in memory and in the swap file on disk.
Considering these situations, and recent changes in the stance on the use of decryption methods in live systems in the standards within the cybersecurity community and the software industry, the decision has been made to deprecate the StringCompareEncrypted script function for the next major System Platform release.
In all upcoming Patch releases of System Platform 2023 R2 SP1, usage of the StringCompareEncrypted function will generate a warning message in the Operations Control Logger, reminding application maintainers that the function will be deprecated and that they should adjust any implementation that relies on this soon-to-be-removed script function.
Starting in the next major System Platform release, StringCompareEncrypted will be fully deprecated, and will therefore not be available for use in InTouch HMI scripts. Importantly, after the upgrade of the InTouch application, all occurrences of the StringCompareEncrypted script function will have no effect at runtime and will always return 0.
Resolved Issues
InTouch HMI 2023 R2 SP1 P03 includes corrections for the issues listed in the following table. These issues are listed by their Defect ID (IMS number), any assigned Service Request (SR) or Case Number with a brief description of the defect.
| Defect ID | SR/Case Number | Description |
| --- | --- | --- |
| 3719329 | 960537420 | Could not paste/place selected InTouch Object from the Symbol Factory. |
| 3728735 | 960517433 | There was a delay of 3-5 seconds in populating graphics with an application that used UDTs and Owning Object and populated an alarm page with a script when a platform was deployed. |
| 3742715 | 960540570 | WindowViewer was not responding when switched between windows before graphical objects were completely loaded. |
| 3805317 | 960562531 | The revision number of the symbol increased after the first validation was performed post check-in. |
| 3914845 | 960595358 | InTouch WindowMaker stopped responding after a UDT was created and a value for Log Deadband property was assigned. |
| 3918592 | 960571483 | Alarm Client Control filtering through scripts did not work when Finnish regional settings were enabled. |
| 3933914 | 960603202 | In the German version of InTouch 2023 P04, Symbol Editor stopped responding after saving changes to action script. |
| 3939033 | 960589451 | The built-in EnableDisableKeys() function constantly caused memory leaks. |
| 3949590 | 960591257 | The GetAlarm() function failed to retrieve an alarm from the buffer. |
| 3952152 | 960605564 | When there were more than 10 access names and the screen resolution was set to 150% or 125%, navigating the access name list was not possible. |
| 3957939 | 960609884 | In a Managed InTouch, the window was not displayed upon clicking the frame window configured in Overlay mode. |
| 3960140 | 960608855 | In the French version of InTouch 2023 R2 SP1 P01, special characters were displayed in Select Wizard screen. |
| 3962068 | 960598632 | In Historian, the existing Trend pens were not working in a duplicated project. |
| 3973364 | 960602505 | In an OMI Alarm Client Control, an error was displayed saying "Invalid Column name. Provider". |
| 3981350 | 960513926 | Instances could not acquire the overridden properties of the nested members. |
| 3981615 | 960614253 | In an Alarm Client Control, Timestamp filters were not saving when Finnish format was enabled. |
| 3995500 | 960615216 | In System Platform 2023 R2 SP1 P01, sorting was not working as expected when the Limit column had values with mixed data types. |
| 3997056 | 960619248 | Alarm Client Control displayed incorrect (float/double) values when represented in exponential notation. |
| 4001145 | 960618791 | Auto compilation of windows was not happening once WindowViewer was opened. |
| 4003330 | 960615216 | When an Alarm Client Control was viewed in runtime using a ViewApp, number values and characters were not sorted as expected. |
| 4009991 | 960622761 | Multiple statements on a single line of script caused IntelliSense to indicate an error. |
| 4010203 | 960622919 | In the A2 graphic within InTouch HMI, the visibility animation failed to make the element visible when the logic condition was true upon initial display in the InTouch HMI application. The element only became visible after an unrelated action, such as a button press. |
| 4015231 | 960624424 | NAD Clients were not responding when NAD Host was unavailable. |
| 4017390 | 960606070 | Alarm Client Control was not responding when an Alarm Hot Backup query was used with many other Galaxy queries. |
| 4023123 | 960624712 | An issue was observed in the font size when the machine was opened and converted to a different resolution and then the application language was changed in runtime. |
| 4049242 | 960633279 | Trend Client was not able to resolve the reference for the Historical Source. Only the first data grid row showed the reference value and the other rows did not show the reference value in the Trend client. |
| 4079735 | 960616560 | An InTouch ViewApp stopped responding when WindowViewer was launched. |
| 4097470 | 960641289 | Unable to run DBLoad on an application with UDTs. |
Known Issues
This section describes known issues that remain in the release of InTouch HMI 2023 R2 SP1 P03.
| Issue ID | Description |
| --- | --- |
| 2612382 | MxDataProvider Service is not deploying on Runtime node as PCS-Services Repository is installed on Runtime node. |
| 2897808 | Attempting to sign an alarm acknowledgement fails in a Managed InTouch with an error message warning of incorrect user credentials. The SignedAlarmAck feature is not currently supported for a Managed InTouch configured for AVEVA Operations Control connected experience. |
| 1928318 | When the Supertag instances are created by importing from a .CSV file, the imported Supertags are not displayed in the Supertags pane of the WindowMaker. Workaround: The Supertag instances created by importing from a .CSV file can be viewed in the tag dictionary. |
| 1826926 | When a window containing a symbol with an embedded MapApp widget is viewed in WindowViewer, the MapApp does not load. Workaround: To view the embedded MapApp widget upon fast switching to WindowViewer: |
| 1765301 | When an existing Custom Client Control or Web Widget is overwritten to the Cloud, the latest version is not available for other users. Workaround: To overwrite an existing Custom Client Control or Web Widget to the Cloud, restart the WindowMaker and delete the existing client control or Web Widget in the source repository. This allows successful upload/download of the client control. Similarly, restart the WindowMaker to retrieve the latest Custom Client Control or Web Widget. |
| TFS-1351507 | Language switching is not supported for the Carousel Widget in runtime. |
| TFS-1369183 | A Carousel Widget containing the Web Browser Widget, QR Code Scanner Widget, Trend Client Control, Alarm Client Control or SQL Data Grid Control will not display correctly in WindowViewer, as default browser security options prevent cross-origin requests. |
| TFS-1372178 | Carousel widgets in a managed application migrated from InTouch 2020 to InTouch 2020 R2 do not contain the latest properties. Workaround: On migrating a Galaxy from InTouch 2020 to InTouch 2020 R2, run the AVEVA System Platform IDE as an Administrator at least once, to allow loading the latest InTouch 2020 R2 carousel widget properties. |
| TFS-1371799 | When an InTouch 2020 application (.aapkg) is exported and imported to InTouch 2020 R2, the default namespace for a tag reference within a Carousel widget is not resolved in runtime. Workaround: Open the graphic containing the Carousel widget. Edit any property and save the graphic. The tag reference is resolved, and the graphic is displayed in runtime. |
| TFS-1374896 | After a graphic/toolset is created, the letter case of the graphic name cannot be changed in WindowMaker. For example: INTOUCH cannot be changed to InTouch. Workaround: Rename the graphic to a temporary name. Rename the graphic again with the correct letter case. For example: Rename INTOUCH to ChangeName and then rename to InTouch. |
| TFS-1377672 | Connecting many clients to a busy OPC UA server may cause various warnings and errors to be logged from the InTouch OPCUA Host process. Warning messages are for information purposes only and do not indicate any loss in functionality. Error messages indicate that the operation was aborted. Workaround: It is recommended that client connections to the server be planned and monitored, so as not to burden the server and cause connection failures. |