Application Compatibility Issues

Wednesday, February 09, 2011 11:15 PM

Owner

The mitigations offered by EMET have the potential to break some applications. This thread is to discuss people's experiences with applications that do not work correctly under EMET. The goal is to isolate which specific mitigations cause problems and for which applications (or plug-ins where appropriate). For those trying to determine which mitigations are causing problems, the most likely candidates are EAF and DEP.

Here are the issues the EMET support team has been able to confirm:

Application or plug-in	Issues that occur	Mitigation or setting causing the issues
Skype	Fails to run	EAF
NetFlix SilverLight app	Video playback in browser fails	EAF
ATI Drivers	System blue screens on boot	System ASLR policy set to always on (must enable unsafe settings to see this option)
iPod Synchronization service	Service crashes	System DEP policy set to always on
AOL	System gives “out of memory” error messages	System DEP policy set to always on

If you have experienced application compatibility problems with EMET, please share your experiences on this thread. The more detail you can provide about what the issues are and what

All Replies

Thursday, May 19, 2011 11:35 PM

0

DEP set to opt out (unless set as an excluded app)and always on will result in sims 3 + expansion packs to crash to desktop after a few mins of running
- Reply
- Quote
Sunday, May 22, 2011 3:35 PM

0

You can also add UltraISO, 9.3.5.2716, which does not like mandatory DEP. All other protections can be enabled and it works fine, though.
- Reply
- Quote
Monday, May 23, 2011 1:40 PM

0

World of Warcraft crashes with EAF enabled. This is due to battle.net.dll which may result in other Blizzard Battle.NET games crashing as well if EAF protection is enabled.
- Reply
- Quote

Thursday, June 09, 2011 8:18 PM

The mitigations offered by EMET have the potential to break some applications. This thread is to discuss people's experiences with applications that do not work correctly under EMET. The goal is to isolate which specific mitigations cause problems and for which applications (or plug-ins where appropriate). For those trying to determine which mitigations are causing problems, the most likely candidates are EAF and DEP.

Here are the issues the EMET support team has been able to confirm:

Application or plug-in

Issues that occur

Mitigation or setting causing the issues

Skype

Fails to run

EAF

NetFlix SilverLight app

Video playback in browser fails

EAF

ATI Drivers

System blue screens on boot

System ASLR policy set to always on

(must enable unsafe settings to see this option)

iPod Synchronization service

Service crashes

System DEP policy set to always on

AOL

System gives “out of memory” error messages

System DEP policy set to always on

If you have experienced application compatibility problems with EMET, please share your experiences on this thread. The more detail you can provide about what the issues are and what

include drivescrubber from iolo.com , only DEP under both vista and windows 7

have a nice day

Scan with OneCare + Support ENDING for windows Vista & XP ! + Plagued by the Privacy Center? REMOVE IT + Threat Research & Response Blog + Sysinternals Live tools + TRANSLATOR + Photosynth + Microsoft Security + Microsoft SUPPORT + PIVOT from Live Labs + Microsoft Live Labs + Get OFFICE 2010 FREE !

Saturday, July 02, 2011 4:55 AM

0

DAMN NFO Viewer (DAMN NFO Viewer.exe) crashes on every execution attempt, and that application wasn’t even added to EMET, so I added and unchecked everything and re-attempted to launch NFO file viewer application to no avail. Quick guess, might be where I have added the Windows Shell added to EMET? dunno.
- Reply
- Quote
Monday, July 25, 2011 4:14 PM

0

We've seen problems with Corel Draw X4. Not sure of the exact setting.
- Reply
- Quote
Tuesday, July 26, 2011 12:03 PM

0

safari fails to run/possibly DEP/
- Reply
- Quote
Friday, August 05, 2011 7:29 AM

0
When EMET's protections are enabled for web browsers and user installs or upgrades to latest version of Trusteer Rapport (protection from phishing, keylogging and financial malware, such as Zeus or SpyEye), browsers do not launch correctly or open blank, unusable windows.

Right now, possible solutions are:
- stop Rapport service, launch web browser, start Rapport service;
- uninstall Rapport, or
- remove web browsers from the list of programs protected by EMET.
Neither of these is a good one.

This is just FYI, I see the fault at Trusteer's side.
- Reply
- Quote
Thursday, August 18, 2011 5:22 PM

0

Dropbox.exe 1.1.40 (99e6035826ccef09d525b2a025e1d1d7) fails to start with EMET 2.1 ARF enabled. http://forums.dropbox.com/topic.php?id=29640
- Reply
- Quote
Friday, August 26, 2011 2:40 AM

0
Please add Zemana AntiLogger 1.9.2.513 EAF and BottomUpRand option need to be unchecked ( all other option are check mark ok under application configuration ) . Otherwise EAF cause it to not start and BottomUpRand causes the hot link to not to work under services/support of any four links of Zemana software. This is on WIN 7/64 PRO system. Thanks.
- Edited by Knighthood Friday, August 26, 2011 3:05 AM Added BottomUpRand
- Reply
- Quote
Saturday, October 29, 2011 9:56 AM

0

add onlive,exe games launcher under winxp-dep & sehop activated
- Reply
- Quote
Sunday, November 13, 2011 6:21 PM

2
On 64-bit Windows 7 SP1, mmc.exe (Microsoft Management Console) will crash on launch if it's included in the protected apps. This has been observed on multiple systems, it's repeatable.

A component of a fingerprint-reader's software suite crashes if it's included in EMET's protected apps. The software in question is the Protector Suite, available for purchase or a free trial here: www.upek.com The component is psqltray.exe. This also is repeatable on two systems. Update: as you may have suspected, EAF is the culprit.

Other than that, things have been pretty smooth sailing with EMET applied to an extensive list of apps on Win7 and one recently-retired WinXP box. From past experience, I know not to set system-wide DEP to Always On or I won't be able to make DEP exceptions.

If you want to make the exploit writers break out in a cold sweat, consider adding an EMET-driven mitigation module to Microsoft Security Essentials. You could generate a "safe list" of high-profile targets that EMET can be safely applied to, the usual stuff like Java, media players, VoIP and email clients, etc, and distribute updated lists as part of your signature updates. Label it with a user-friendly euphemism like "Enable anti-exploit features."
- Edited by mechBgon Sunday, November 13, 2011 6:22 PM
- Edited by mechBgon Thursday, November 17, 2011 6:17 AM
- Edited by mechBgon Thursday, November 17, 2011 6:17 AM
- Reply
- Quote
Thursday, June 28, 2012 3:45 PM

2

With Windows Server 2008 R2 SP1 as Hyper-V Host and Hyper-V Guest the EMET 3.0 EAF Mitigation may cause applications like Internet Explorer 9 x86 And Adobe Reader 10 to run about 10 times slower (means at 10% of speed without EMET/EAF). When you disable only EAF applications run fast. This should be mentioned in the EMET documentation as Hyper-V/EMET/IE are all supported products and it should be possible to disable individual mitigations for a whole system through Group Policy.

You may use <http://v8.googlecode.com/svn/data/benchmarks/current/run.html> to compare. But don't compare IE 9's result with other Browsers or you might cry ;-(
- Reply
- Quote
Tuesday, July 31, 2012 7:52 AM

0

SQL Server Analysis Services 2008 R2 Developer x64 (msmdsrv.exe) on Windows 7 x64 requires EAF to be disabled
- Reply
- Quote
Tuesday, September 18, 2012 9:37 AM

1
As of 12.6 ATI drivers should now be compatible with ASLR.

http://www.cert.org/blogs/certcc/2012/06/amd_video_drivers_prevent_the.html

CONFIRMED: Running 12.8 with ASLR set to "Always on" and Windows 7 booted successfully.
- Edited by Quitch Tuesday, September 18, 2012 9:38 AM Added citation
- Edited by Quitch Tuesday, September 18, 2012 1:20 PM Tested fix
- Reply
- Quote
Tuesday, September 18, 2012 1:08 PM

0

DAMN NFO Viewer (DAMN NFO Viewer.exe) crashes on every execution attempt, and that application wasn’t even added to EMET, so I added and unchecked everything and re-attempted to launch NFO file viewer application to no avail. Quick guess, might be where I have added the Windows Shell added to EMET? dunno.

Windows has a built in nfo viewer. No need to install any apps to read them. Just right click the nfo file and choose to open with notepad as default.
- Reply
- Quote
Tuesday, September 18, 2012 11:58 PM

0

Windows 7 sidebar.exe (Desktop Gadgets) requires an EAF exception to run.
- Reply
- Quote
Friday, September 21, 2012 9:10 PM

0

There is incompatability between Emet 3.5 TP and Comodo Internet Security. The result is high CPU usage. See my other post for details.
- Reply
- Quote
Friday, September 21, 2012 11:22 PM

0

I'm using Windows 7 Professional SP1 x64 and EMET 3.0.

I've found EAF to cause the following to crash on start:

getright.exe - A venerable download manager
left4dead2.exe - A video game by VALVe

borderlands.exe - A video game by Gearbox Software - crashes on start if any of NullPage, HeapSpray, EAF or MandatoryASLR are used.
- Reply
- Quote
Saturday, September 29, 2012 6:20 PM

0

Audible Manager stops running just after launching, with Maximum Security enabled, but runs fine if drop back to Recommended Security Settings. Win7 x64.
- Reply
- Quote
Monday, October 01, 2012 1:19 AM

0

MusicMatch Jukebox fails to run. Uninstalling EMET has not fixed the issue.
- Reply
- Quote
Monday, October 01, 2012 7:31 AM

3

The system settings are registry keys. If you've changed the system settings in EMET then uninstalling it won't undo that, you need to undo the change within EMET.
- Reply
- Quote
Friday, October 12, 2012 2:46 PM

0
I would like report that the 32 bit versions of Windows Media Player and Wordpad within Windows 8 Release Preview 64 bit are not compatible with the SEHOP mitigation of EMET 3.0 or EMET 3.5 Tech Preview.

Please see the following threads for details:

Windows Media Player (post dated: 12th October 2012):

http://social.technet.microsoft.com/Forums/en/emet/thread/3bdfa034-4eda-4d9e-8580-c63c971bb869

Wordpad (second post dated 26th July 2012):

http://social.technet.microsoft.com/Forums/en/emet/thread/3d750eee-a701-4910-aa34-e9c0e1af8aa2

Finally, the 64 bit version of Apple iTunes (iTunes.exe) is not compatible with the system wide i.e. global SEHOP setting(Application Opt-Out) when installed on Windows 7 SP1 64 bit.

Please see the following thread for details (post dated: 5th October 2012):

http://social.technet.microsoft.com/Forums/en/emet/thread/26d83e44-31d3-4cb8-9ae0-7a1a7c450340

EDIT: 21st April 2013: In the above thread, the version of iTunes was 10.7 64 bit. Version 11 and higher of iTunes 64 bit are not affected by this issue. I have used iTunes to purchase tracks from the iTunes Store without issues even with system wide SEHOP enabled.

I hope this helps. Thank you.
- Edited by JamesC_836 Sunday, April 21, 2013 2:57 PM Extra info
- Reply
- Quote
Saturday, October 13, 2012 1:11 AM

0

EMET 3.5 Tech Preview ROP issues with latest Logitech Setpoint 6.50 x64 and IE9 (Win7 x64 SP1).

After installing Logitech Setpoint 6.50 x64 EMET reported continuously ROP mitigation issues from iexplore.exe whenever I start IE9.

Once Setpoint 6.50 x64 has been uninstalled everything goes back to normal.

Logitech Setpoint 6.32 x64 runs fine without issues.
- Reply
- Quote
Thursday, November 08, 2012 7:12 AM

1

updating to Chrome Version 23.0.1271.64 m and Chrome in EMET (all checkmarks on) crashes several extensions. Uncheck SEHOP for chrome solves the problem.

Please see:

http://forums.lastpass.com/viewtopic.php?t=83548&p=277044

http://code.google.com/p/chromium/issues/detail?id=159885

If you think that might be a security problem in Chrome, then give google support a hint. For me as private person its a little bit difficult to contact the right channels.

Thank you
- Reply
- Quote
Friday, November 09, 2012 5:03 AM

0

Hi,

Encountered the same issues and Google's Forum has similar posting:

http://productforums.google.com/forum/#!category-topic/chrome/report-a-problem-and-get-troubleshooting-help/windows/29WXfbcmueE

Hope this info helps other users

Best regards
- Reply
- Quote
Thursday, November 15, 2012 1:07 PM

0

Excel 2007 on Windows 7 32bit, with eurotool.xlam plugin, fails to run. If I disable DEP or disable the plugin it does run.
- Reply
- Quote
Monday, December 03, 2012 2:16 PM

0

I have Problems with Roxio easy creator and an Outlook plugin from octophone our phone Company... The application crashes directly and worked fine under Windows 7 before...
- Reply
- Quote
Saturday, December 08, 2012 9:30 PM

0

Intel Rapid Storage Technology installer fails to initialize with DEP set to Always On in system settings.
- Reply
- Quote
Wednesday, December 12, 2012 2:43 PM

0
Dropbox.exe 1.1.40 (99e6035826ccef09d525b2a025e1d1d7) fails to start with EMET 2.1 ARF enabled. http://forums.dropbox.com/topic.php?id=29640

As noted by David G.1 (above), Dropbox is not compatible with the EAF mitigation of EMET. I can also confirm this for version 1.6.4 (released yesterday) when installed on Windows 7 SP1 64 bit.

Dropbox is compatible with all other mitigations from EMET 3.5 Tech Preview.

For your information, Dropbox works with system wide DEP (Application Opt-Out)(always on) and SEHOP (always on)(Application Opt-Out) applied.

I hope this helps. Thank you.

----------------------------------------------------

Off Topic:

I have submitted a feature request with Dropbox to add DEP, ASLR and /GS security mitigations to Dropbox by default.

https://forums.dropbox.com/topic.php?id=94183
- Edited by JamesC_836 Wednesday, December 12, 2012 2:44 PM Added extra info
- Reply
- Quote
Tuesday, December 18, 2012 5:06 AM

1
Running EMET 3.5 Tech Preview on Win XP SP3

Microsoft Outlook Express 6.0.2900.5512 crashes on startup if the ROP Caller mitigation is enabled.

If that ROP checkbox is cleared, Outlook Express starts and runs fine (it works well with the other ROP).

Error message generated:

EMET detected Caller Mitigation and will close the application: msimn.exe
EMET ROP checks error. Resume?
CallerCheck Failed:
PID: 0x418/1048
TID: 248
API Name: kernel32.CreateFileW
ReturnAddress: 6CDFC762
CalledAddress: 7C810CD9
StackPtr: 0007F420
- Edited by TaskForceKen Wednesday, January 09, 2013 5:32 AM add software version number (outlook express)
- Reply
- Quote
Sunday, December 23, 2012 4:28 AM

0
Windows 7 Ultimate x64:

Possibly since November 2012 Windows Update and update to Windows Essentials 16.4.3505.0912:
- Windows Explorer frequent minor corruption of Videos library by spontaneous addition of Pictures folder to Videos library (have not yet discovered which action/application triggers this).
Possibly since December 2012 Windows Update and addition of Windows Management Framework 3.0:
- Clicking Control Panel links frequently causes Windows Explorer crash with invalid parameter error message.
Disabling EAF for Windows Explorer seems to fix these problems.
- Reply
- Quote
Sunday, December 23, 2012 11:57 AM

0
Windows 7 64-bit

The ROP caller mitigation causes all my Office 2010 products to crash when accessing mapped network drives.
- Edited by Quitch Sunday, December 23, 2012 11:57 AM
- Reply
- Quote
Thursday, December 27, 2012 1:07 AM

0

Google Earth appears to work OK, but I noticed that it was showing errors in Windows 8 Action Centre > View Reliability History.

After un-checking SEHOP, the errors no longer appear.
- Reply
- Quote
Sunday, December 30, 2012 3:48 PM

0

Some technical background for this repeatable issue:

OS: Windows 7 Professional, SP1 (64-bit), upto date patches
EMET: version 3.5
Browser: IE 9.0, ROP protection enabled
Application: SnippingTool.exe, version 6.1.76

Issue: When trying to capture some of the content within Internet Explorer with the Snipping tool, the system freezes and only the Task manager is available. EMET Notfier logs this message:

EMET_DLL module logged the following event:

EMET encountered an error in 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
CallerCheck Failed:
PID          : 0x1508/5384
TID          : 1184
API Name     : kernel32.VirtualAllocEx
ReturnAddress: 6AF9B294
CalledAddress: 7644D998
StackPtr     : 0014DC64

Capturing image with Snipping tool within any other applications or browsers with ROP protection enabled does not result in this error. Ending task for IE through Task Manager unfreezes the system and Snipping shows the captured image; however, ending task for Snipping does not unfreeze the system. EMET ask, "Do you want to resume?" Selecting "Yes" results in more EMET notifications, conversely, selecting "No" keeps the system frozen.

Disabling all ROP mitigation for IE resolves this issue. Removing the check mark for the mitigation identified as "Caller" only also resolves this issue. It seems that Windows SnippingTool.exe application code isn't "secure" and might be the next attack vector for hackers for Windows. In either case, IE should freeze the whole system.
- Reply
- Quote
Thursday, January 03, 2013 9:06 PM

0
After installing EMET 3.5 on Win7/64. Now AOL will not run. Says out of memory.

I uninstalled EMET, but the problem persists. Clearly EMET is leaving some registry settings behind when it uninstalls.

I went to the advanced system settings control panel, and now I see the DEP settings are all greyed out. I used to be able to turn DEP on and off here, but no longer.

I tried rolling back to a system recovery point before installing EMET, but that was no help.

How do I fix this? Should I reinstall EMET and use it to make an exception of AOL, or what?

How do I get the advanced system settings control panel to let me set DEP settings as it used to?

Can we get EMET fixed so that it uninstalls better?

PS: On a hunch, I reinstalled EMET 3.0, set settings to recommended, then rebooted.

Now AOL works again.
- Edited by FAntonio2 Friday, January 04, 2013 3:20 AM
- Reply
- Quote
Friday, January 04, 2013 11:16 AM

0
Hi FAntonio2,

You are correct, AOL will give this error when system wide DEP is enabled. Since the option of turning off system wide DEP is unavailable to you, the following thread may be of assistance to you. From what I can tell these steps only apply to Windows XP:

http://social.technet.microsoft.com/Forums/en/emet/thread/b6a3fbf2-0e2f-43f1-a8ca-9b7c0da2f1b0

The steps that apply for Windows 7 (they should be the same for Windows Vista) are mentioned in the following thread:

http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/0310435c-e04a-4204-8bd4-fcc9c2498556

I hope the above information is of assistance to you. Thank you.

--------------------------------

EDIT: Thanks for your update FAntonio2. If re-installing EMET and setting it to recommended setting had not resolved the issue, the threads I linked to above would have been the next steps. Thank you for providing the solution that worked for you.
- Edited by JamesC_836 Friday, January 04, 2013 11:42 AM Added more info
- Edited by JamesC_836 Friday, January 04, 2013 11:43 AM
- Reply
- Quote
Wednesday, January 09, 2013 5:25 AM

1

Running EMET 3.5 Tech Preview on Windows XP SP3

Word 2000 SP3 and Excel 2000 SP3 running well with all mitigations on, including the DEP that both the .xml protection profile and the EMET guide listed as incompatible in the later Office XP.

Both Word and Excel have all patches up to their end-of-life date in 2009.
Caveat: I have an older Pentium 4 that does not support hardware-based DEP; my DEP is the software-based variant. This might be the reason why DEP did not crash the applications.

Some other software not listed in the EMET guide that are also running all mitigations, with no issues:
Rhapsody 4.0.6.7 (the standalone application for music streaming and searching)
Irfanview 4.3.3.0
Sumatra PDF reader 2.1.1.0
- Reply
- Quote
Tuesday, January 15, 2013 8:12 PM

0

Setting DEP to Always On in EMET v3.0 and v3.5 causes the following application to not start:

Cisco WebEx Productivity Tools One-Click (ptoneclick.exe) v2800.400.1205.1700
- Reply
- Quote
Friday, January 18, 2013 10:04 PM

0

Add Xobni to that list too. Seemed that no matter what settings I selected in EMET 3.0 or 3.5, Outlook 2010 kept blowing up on startup.
- Reply
- Quote
Saturday, January 26, 2013 7:52 PM

0
Flash fails to load in Google Chrome 24.0.1312.56 if SEHOP is enabled in application settings (EMET 3.5 on Windows 8 x64).
- Edited by Sand Storm Sunday, January 27, 2013 8:42 AM
- Reply
- Quote
Friday, February 01, 2013 4:36 PM

0

Running EMET 3.5 on Windows 7 Professional 32-bit.

MS Money 2005 fails with DEP error.

Outlook 2003 fails when ROP Caller setting is enabled.
- Reply
- Quote
Friday, February 01, 2013 5:14 PM

0

EMET is closing Explorer.EXE. Fault Module Name: ShellExtensionNative.dll_unloaded

I had this problem with EMET 3.0 and now I still have it with 3.5 Tech Preview. I have EMET configured to opt out explorer.exe for all protection types, but it still crashes and EMET reports it did a DEP mitigation. Looking at the report, it appears there's a shell extension or context menu causing it to crash? Shouldn't the opt-out of explorer.exe prevent this?

EMET_DLL module logged the following event:
EMET detected DEP mitigation and will close the application: C:\Windows\Explorer.EXE

Problem signature:

Problem Event Name:                        BEX64

Application Name:                             Explorer.EXE

Application Version:                           6.1.7601.17567

Application Timestamp:                     4d672ee4

Fault Module Name:                          ShellExtensionNative.dll_unloaded

Fault Module Version:                        0.0.0.0

Fault Module Timestamp:                  4d106bed

Exception Offset:                                000007fedfc76a59

Exception Code:                                  c0000005

Exception Data:                                   0000000000000008

OS Version:                                          6.1.7601.2.1.0.256.1

Locale ID:                                             1033

Additional Information 1:                  2264

Additional Information 2:                  2264db07e74365624c50317d7b856ae9

Additional Information 3:                  4ad6

Additional Information 4:                  4ad6e4750e042fff050fdb2aa067881f
- Reply
- Quote
Friday, February 01, 2013 8:14 PM

2
Hi Lucas Z.,

I would suggest simply removing explorer.exe from being protected by EMET. I have not seen this included on any tried and tested list of applications to protect with EMET since explorer.exe is a crucial process that must remain stable.

Since you are running Windows 7 64 bit (your exception shows this, namely BEX64 and Application Version: 6.1.7601.17567. 6.1.7601 is Windows 7 with SP1) explorer.exe already has DEP, ASLR and /GS (Guard Stack) v2 enabled and this should be enough protection.

Here are 2 examples of such lists of applications to protect. The first link cautions you about what applications you add to the list, especially for operating system processes.

http://www.rationallyparanoid.com/articles/microsoft-emet-3.html

http://krebsonsecurity.com/tools-for-a-safer-pc/

If you wish to troubleshoot this issue further, please create a new thread (topic) in this forum.

Thank you.
- Edited by JamesC_836 Friday, February 01, 2013 8:15 PM
- Edited by JamesC_836 Monday, February 04, 2013 6:11 PM Added further info
- Reply
- Quote
Tuesday, February 26, 2013 3:33 PM

0

LogMeIn Rescue Technician Console (LMIRTechConsole.exe) fails if ROP Caller is enabled.

Log Name:      Application
Source:        EMET
Date:          2/26/2013 2:03:19 AM
Event ID:      2
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XXXXXXXX
Description:
EMET_DLL module logged the following event:

EMET encountered an error in 'C:\Program Files\LogMeIn Rescue Technician Console\LogMeInRescueTechnicianConsole_x86\LMIRTechConsole.exe'
CallerCheck Failed:
PID          : 0x5DC/1500
TID          : E48
API Name     : kernel32.CreateFileW
ReturnAddress: 004D6104
CalledAddress: 771AE8A5
StackPtr     : 0012EF84
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="EMET" />
    <EventID Qualifiers="0">2</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-26T07:03:19.000000000Z" />
    <EventRecordID>194249</EventRecordID>
    <Channel>Application</Channel>
    <Computer>XXXXXXXX</Computer>
    <Security />
</System>
<EventData>
    <Data>EMET_DLL module logged the following event:

EMET encountered an error in 'C:\Program Files\LogMeIn Rescue Technician Console\LogMeInRescueTechnicianConsole_x86\LMIRTechConsole.exe'
CallerCheck Failed:
PID          : 0x5DC/1500
TID          : E48
API Name     : kernel32.CreateFileW
ReturnAddress: 004D6104
CalledAddress: 771AE8A5
StackPtr     : 0012EF84</Data>
</EventData>
</Event>
- Reply
- Quote
Wednesday, February 27, 2013 10:40 AM

0

Hi RDinerman,

Does this error still occur if you disable the Caller Checks mitigation of EMET 3.5 Tech Preview?

Thanks.
- Reply
- Quote
Saturday, March 16, 2013 10:37 PM

1

No. Disabling Caller Checks allows the program to work without issue. This is the workaround.
- Reply
- Quote
Sunday, March 17, 2013 9:58 PM

0

Hi RDinerman.

Thanks for the additional information.
- Reply
- Quote
Thursday, March 21, 2013 2:34 PM

0

Thanks James! That appears to have worked.
- Reply
- Quote
Thursday, March 21, 2013 9:10 PM

0

Hi Lucas Z. _,

You are more than welcome. I am really glad that helped.

Thanks.
- Reply
- Quote
Tuesday, April 23, 2013 5:01 AM

1
McAfee H-IPS incompatibility, causing all applications to fail to launch when enabled with EMET v4 Beta.

Did not affect EMET v3.5 Tech Preview
- Edited by Nullsec Tuesday, April 23, 2013 5:02 AM
- Reply
- Quote
Wednesday, April 24, 2013 7:17 AM

2
I am using EMET v4 on windows 7 32bit with IE 10. I had to uncheck ROP Caller for iexplorer to stop pop up errors every time I restarted the computer and opened IE. No more pop ups after the uncheck, here is a sample of the type of error

Application Name: C:\Program Files\Internet Explorer\iexplore.exe

CallerCheck Failed:

PID          : 0xF74/3956

TID          : B68

API Name     : kernelbase.LoadLibraryExW

ReturnAddress: 6FFF0D2C

CalledAddress: 7606B8B1

StackPtr     : 0331BB90

Also I registered on this site to post this and wanted to make the error a screen shot but every time I try it gives me an error about I am not allowed to add photo till my account email is checked. I set up alert me and received a confirm email. It has not been 24 hours, do you have to wait longer or can someone tell where to write to get this fixed. thanks Lynn

EDIT I did not know about registry files to delete. So uninstalled, only found one registry file to delete the, HKLM\Software\Microsoft\EMET. And then reinstalled, so far no errors. I have started another post about settings to import.
- Edited by Lynn53 Wednesday, April 24, 2013 1:35 PM
- Reply
- Quote
Wednesday, April 24, 2013 2:42 PM

0
Hi Lynn53,

Thanks for highlighting this issue.

Due to the variety of add-ons that Internet Explorer may have installed, an incompatibility with a mitigation can be expected. Thanks for pointing out which mitigation you disabled in order to resolve this.

What you describe in relation to the registry keys sounds fine. Another forum user, Quitch mentioned this in the following thread:

http://social.technet.microsoft.com/Forums/en-US/emet/thread/56d4edf8-f250-4aea-9c93-72a25d5bfd0e

I have also only found 1 registry key that was present to delete.
- Edited by JamesC_836 Wednesday, April 24, 2013 3:25 PM
- Edited by JamesC_836 Wednesday, April 24, 2013 3:52 PM
- Reply
- Quote
Wednesday, April 24, 2013 3:48 PM

0
Hi JamesC_836, after importing the Popular and Recommended settings started getting the pop ups again. Removed the checkmark for ROP Caller iexplorer and they have again stopped. Just wanted to report this for others.
Should add that the checkmark had been added with the new install of EMET that I did.
- Edited by Lynn53 Wednesday, April 24, 2013 3:50 PM
- Reply
- Quote
Wednesday, April 24, 2013 4:08 PM

0
Hi Lynn53,

Thanks for your update.

In an effort to narrow down what is causing Internet Explorer to close due to the ROP Caller Checks mitigation, would you be willing to re-enable this mitigation and try to use Internet Explorer without add-ons? This is a temporary mode of Internet Explorer.

If Internet Explorer continues to work correctly in this mode, you will then have determined that an add-on for Internet Explorer is causing this issue. The support article linked to below describes how to this. Disabling add-ons one by one is also mentioned.

http://windows.microsoft.com/en-ie/windows7/how-do-browser-add-ons-affect-my-computer

While not every security mitigation of EMET is compatible with every add-on, if the name of the specific add-on causing the issue can be determined, it may be possible to fix this compatibility issue.

Alternatively you can simply leave the ROP Caller Checks mitigation disabled and continue to use Internet Explorer as normal.

I hope this helps. Thank you.
- Edited by JamesC_836 Wednesday, April 24, 2013 4:53 PM
- Reply
- Quote
Wednesday, April 24, 2013 4:36 PM

0

Hi JamesC_836 , Yes sounds easy enough to try just will take some time. I will report back when done. Lynn
- Reply
- Quote
Wednesday, April 24, 2013 6:39 PM

1
Well I disabled all IE add ons and was still getting the errors. I have four computers, the one with the problem is an old vista that I installed a fresh windows 7 so I would not have all that useless junk. I also use it for testing and learning as the reason this is the only one with EMET v4 the others have v3. I have Winpatrol Plus program I have been trying out, I stop it from loading at startup and thought that was the problem so uninstalled it but now am still getting the errors, so that was not the problem. So I have eliminated the IE add ons and Winpatrol as the problem. The only other thing I can think of is I have Avast Pro antivirus. What do you think I should try next JamesC_836.

Edit, disabled Avast and still getting error, so Avast has been eliminated as the problem.
- Edited by Lynn53 Wednesday, April 24, 2013 7:00 PM
- Reply
- Quote
Wednesday, April 24, 2013 7:29 PM

0

Hi Lynn53,

Thanks again for your update and for the thoroughness of your testing.

Among my PCs, I also have a Windows Vista 64 bit SP2 PC with EMET v3 loaded. I have found that settings that work perfectly on Windows 7 64 bit do not work as well for Vista. I am not sure exactly why this is. I have had to customize EMET settings to keep 3rd party programs on Vista working smoothly.

My advice would be to leave the mitigations disabled that are causing the issues. This is an advantage of EMET it can provide extra protection while maintaining compatibility/usability by simply turning off mitigations that crash programs. The settings that you mentioned earlier today seemed to work very well.

Thanks for testing and eliminating Avast and WinPatrol as potential causes. Please feel free to re-enable Avast and re-install WinPatrol and set them up as you have found to work best for you. Please also feel free to use Internet Explorer as normal with EMET settings that do not cause it to crash but still provide the best protection. Apologies for any inconvenience that this testing has caused.

I am sorry that I can’t provide more specific advice but with the different combinations of programs that each of us use we need to find what settings work best for us and continue to use them.

I have marked your above post as helpful since you have carried out a lot of testing which will benefit others.

If I can provide any further assistance, please let me know. Thank you.
- Reply
- Quote
Wednesday, April 24, 2013 7:36 PM

0

Thank You, I enjoy the learning. Lynn
- Reply
- Quote
Friday, April 26, 2013 2:00 PM

0

Windows 7 Professional 32-bit

EMET 4.0 Technical Preview System Settings settings as follows,

DEP - Always On

SEHOP - Application Opt Out

ASLR - Always On

Certificate Trust - Enabled.

Regression testing against 3.5 results in,

Outlook 2003 now works fine whereas in EMET 3.5 it failed when ROP caller check was active, so something

fixed/changed.

MS Money 2005 UK now fails with Caller Check error but in EMET 3.5 it failed with a DEP error.

Currently happy to switch ROP caller checking off for this application.

Everything else looks good.
- Reply
- Quote
Tuesday, April 30, 2013 10:00 PM

0
Every could of days a random Windows 7 64 bit user will have an issue when running EMET 3.0 and Microsoft Office 2010 looking at a known good document, where one of the Office apps they are using will crash with a DEP error when opening or closing the application. This is logged in the Windows Application logs as an Error:

Source: EMET
Event ID: 2
EMET_DLL module logged the following event:
EMET detected DEP mitigation and will close the application: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

The next second, another log will be generated:
Source: Application Error
Event ID: 1000
Faulting application name: WINWORD.EXE, version: 14.0.6129.5000
Faulting module name: log4cxx.dll_unloaded, version: 0.0.0.0
Exception code: 0xc0000005
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Faulting module path: log4cxx.dll

This has happened for "Faulting module path" values of: log4cxx.dll, unknown, PGPlsp.dll, and others. The Office application may be different for each.

This seems non-repeatable but an occasional random occurance.
- Edited by Chris Covington Tuesday, April 30, 2013 10:01 PM
- Reply
- Quote
Wednesday, May 01, 2013 10:01 AM

0
Hi Chris,

The log4cxx.dll is a DLL related to Nero CD/DVD Authoring software and is included with Nero Burning ROM. It is possible that this DLL is being loaded by Word 2010 through an Add-in (another less likely possibility is that this DLL is being loaded into Word via the AppInit_DLLs value within the Windows Registry since Word does load user32.dll).

Please find below links describing how to disable such add-ins. This should prevent Word from crashing in the future.

http://www.itechtalk.com/thread8986.html

http://support.microsoft.com/kb/921541

PGPLsp.dll is related to the Symantec PGP Desktop encryption product. Since this provides encryption for sensitive data, I would advise against removing this particular add-in.

If the Windows Registry is being used to load these DLLs additional steps will be necessary to remove them.

I hope this helps. Thank you.
- Edited by JamesC_836 Wednesday, May 01, 2013 11:26 AM Added further info
- Edited by JamesC_836 Wednesday, May 01, 2013 11:34 AM
- Reply
- Quote
Friday, May 03, 2013 9:19 PM

0

Thanks for the help James!
- Reply
- Quote
Saturday, May 04, 2013 3:42 PM

0

You're welcome, Chris.<o:p></o:p>

I am not sure if what I mentioned about add-ins for Microsoft Office helps or not. If you need the functionality they offer, the only remaining option is to disable
the DEP mitigation of EMET for any Office application that uses these add-ins. Also ensure that system wide DEP is set to Application Opt-in (or essential Windows programs and services only option within the Windows Control Panel).

Thanks.
- Reply
- Quote

Application Compatibility Issues

All Replies

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support by product

Other support links

Not an IT pro?