sticky
Application Compatibility Issues

    General discussion

  • The mitigations offered by EMET have the potential to break some applications.  This thread is to discuss people's experiences with applications that do not work correctly under EMET.  The goal is to isolate which specific mitigations cause problems and for which applications (or plug-ins where appropriate).  For those trying to determine which mitigations are causing problems, the most likely candidates are EAF and DEP.

    Here are the issues the EMET support team has been able to confirm:

    Application or plug-in

    Issues that occur

    Mitigation or setting causing the issues

    Skype

    Fails to run

    EAF

    NetFlix SilverLight app

    Video playback in browser fails

    EAF

    ATI Drivers

    System blue screens on boot

    System ASLR policy set to always on

    (must enable unsafe settings to see this option)

    iPod Synchronization service

    Service crashes

    System DEP policy set to always on

    AOL

    System gives “out of memory” error messages

    System DEP policy set to always on

    If you have experienced application compatibility problems with EMET, please share your experiences on this thread.  The more detail you can provide about what the issues are and what 

    Wednesday, February 09, 2011 11:15 PM

All replies

  • DEP set to opt out (unless set as an excluded app)and always on will result in sims 3 + expansion packs to crash to desktop after a few mins of running
    Thursday, May 19, 2011 11:35 PM
  • You can also add UltraISO, 9.3.5.2716, which does not like mandatory DEP. All other protections can be enabled and it works fine, though.
    Sunday, May 22, 2011 3:35 PM
  • World of Warcraft crashes with EAF enabled. This is due to battle.net.dll which may result in other Blizzard Battle.NET games crashing as well if EAF protection is enabled.
    Monday, May 23, 2011 1:40 PM
  • The mitigations offered by EMET have the potential to break some applications.  This thread is to discuss people's experiences with applications that do not work correctly under EMET.  The goal is to isolate which specific mitigations cause problems and for which applications (or plug-ins where appropriate).  For those trying to determine which mitigations are causing problems, the most likely candidates are EAF and DEP.

    Here are the issues the EMET support team has been able to confirm:

    Application or plug-in

    Issues that occur

    Mitigation or setting causing the issues

    Skype

    Fails to run

    EAF

    NetFlix SilverLight app

    Video playback in browser fails

    EAF

    ATI Drivers

    System blue screens on boot

    System ASLR policy set to always on

    (must enable unsafe settings to see this option)

    iPod Synchronization service

    Service crashes

    System DEP policy set to always on

    AOL

    System gives “out of memory” error messages

    System DEP policy set to always on

    If you have experienced application compatibility problems with EMET, please share your experiences on this thread.  The more detail you can provide about what the issues are and what 


    hi

    include drivescrubber from iolo.com , only DEP under both vista and windows 7

    have a nice day


    Scan with OneCare + Support ENDING for windows Vista & XP ! + Plagued by the Privacy Center? REMOVE IT + Threat Research & Response Blog + Sysinternals Live tools + TRANSLATOR + Photosynth + Microsoft Security + Microsoft SUPPORT + PIVOT from Live Labs + Microsoft Live Labs + Get OFFICE 2010 FREE ! 
    Thursday, June 09, 2011 8:18 PM
  • DAMN NFO Viewer (DAMN NFO Viewer.exe) crashes on every execution attempt, and that application wasn’t even added to EMET, so I added and unchecked everything and re-attempted to launch NFO file viewer application to no avail. Quick guess, might be where I have added the Windows Shell added to EMET? dunno.

    Saturday, July 02, 2011 4:55 AM
  • We've seen problems with Corel Draw X4. Not sure of the exact setting.
    Monday, July 25, 2011 4:14 PM
  • safari fails to run/possibly DEP/
    Tuesday, July 26, 2011 12:03 PM
  • When EMET's protections are enabled for web browsers and user installs or upgrades to latest version of Trusteer Rapport (protection from phishing, keylogging and financial malware, such as Zeus or SpyEye), browsers do not launch correctly or open blank, unusable windows.

    Right now, possible solutions are:

    • stop Rapport service, launch web browser, start Rapport service;
    • uninstall Rapport, or
    • remove web browsers from the list of programs protected by EMET.

    Neither of these is a good one.

    This is just FYI, I see the fault at Trusteer's side.

    Friday, August 05, 2011 7:29 AM
  • Dropbox.exe 1.1.40 (99e6035826ccef09d525b2a025e1d1d7) fails to start with EMET 2.1 ARF enabled. http://forums.dropbox.com/topic.php?id=29640
    Thursday, August 18, 2011 5:22 PM
  • Please add Zemana AntiLogger 1.9.2.513 EAF and BottomUpRand option need to be unchecked ( all other option are check mark ok under application configuration ) . Otherwise EAF cause it to not start and BottomUpRand causes the hot link to not to work under services/support of any four links of Zemana software. This is on WIN 7/64 PRO system. Thanks.

    • Edited by Knighthood Friday, August 26, 2011 3:05 AM Added BottomUpRand
    Friday, August 26, 2011 2:40 AM
  • add onlive,exe games launcher under winxp-dep & sehop activated
    Saturday, October 29, 2011 9:56 AM
  • On 64-bit Windows 7 SP1, mmc.exe (Microsoft Management Console) will crash on launch if it's included in the protected apps.  This has been observed on multiple systems, it's repeatable.

    A component of a fingerprint-reader's software suite crashes if it's included in EMET's protected apps.  The software in question is the Protector Suite, available for purchase or a free trial here:  www.upek.com  The component is psqltray.exe.  This also is repeatable on two systems.  Update:  as you may have suspected, EAF is the culprit.

     

    Other than that, things have been pretty smooth sailing with EMET applied to an extensive list of apps on Win7 and one recently-retired WinXP box.  From past experience, I know not to set system-wide DEP to Always On or I won't be able to make DEP exceptions.

    If you want to make the exploit writers break out in a cold sweat, consider adding an EMET-driven mitigation module to Microsoft Security Essentials.  You could generate a "safe list" of high-profile targets that EMET can be safely applied to, the usual stuff like Java, media players, VoIP and email clients, etc, and distribute updated lists as part of your signature updates.  Label it with a user-friendly euphemism like "Enable anti-exploit features."




    • Edited by mechBgon Thursday, November 17, 2011 6:17 AM
    Sunday, November 13, 2011 6:21 PM
  • With Windows Server 2008 R2 SP1 as Hyper-V Host and Hyper-V Guest the EMET 3.0 EAF Mitigation may cause applications like Internet Explorer 9 x86 And Adobe Reader 10 to run about 10 times slower (means at 10% of speed without EMET/EAF). When you disable only EAF applications run fast. This should be mentioned in the EMET documentation as Hyper-V/EMET/IE are all supported products and it should be possible to disable individual mitigations for a whole system through Group Policy.

    You may use <http://v8.googlecode.com/svn/data/benchmarks/current/run.html> to compare. But don't compare IE 9's result with other Browsers or you might cry ;-(

    Thursday, June 28, 2012 3:45 PM
  • SQL Server Analysis Services 2008 R2 Developer x64 (msmdsrv.exe) on Windows 7 x64 requires EAF to be disabled
    Tuesday, July 31, 2012 7:52 AM
  • As of 12.6 ATI drivers should now be compatible with ASLR.

    http://www.cert.org/blogs/certcc/2012/06/amd_video_drivers_prevent_the.html

    CONFIRMED: Running 12.8 with ASLR set to "Always on" and Windows 7 booted successfully.
    • Edited by Quitch Tuesday, September 18, 2012 1:20 PM Tested fix
    Tuesday, September 18, 2012 9:37 AM
  • DAMN NFO Viewer (DAMN NFO Viewer.exe) crashes on every execution attempt, and that application wasn’t even added to EMET, so I added and unchecked everything and re-attempted to launch NFO file viewer application to no avail. Quick guess, might be where I have added the Windows Shell added to EMET? dunno.


    Windows has a built in nfo viewer. No need to install any apps to read them. Just right click the nfo file and choose to open with notepad as default.
    Tuesday, September 18, 2012 1:08 PM
  • Windows 7 sidebar.exe (Desktop Gadgets) requires an EAF exception to run.
    Tuesday, September 18, 2012 11:58 PM
  • There is incompatability between Emet 3.5 TP and Comodo Internet Security. The result is high CPU usage. See my other post for details.
    Friday, September 21, 2012 9:10 PM
  • I'm using Windows 7 Professional SP1 x64 and EMET 3.0.

    I've found EAF to cause the following to crash on start:

    getright.exe - A venerable download manager
    left4dead2.exe - A video game by VALVe

    borderlands.exe - A video game by Gearbox Software - crashes on start if any of NullPage, HeapSpray, EAF or MandatoryASLR are used.

    Friday, September 21, 2012 11:22 PM
  • Audible Manager stops running just after launching, with Maximum Security enabled, but runs fine if drop back to Recommended Security Settings. Win7 x64.
    Saturday, September 29, 2012 6:20 PM
  • MusicMatch Jukebox fails to run.  Uninstalling EMET has not fixed the issue.

    Monday, October 01, 2012 1:19 AM
  • The system settings are registry keys. If you've changed the system settings in EMET then uninstalling it won't undo that, you need to undo the change within EMET.
    Monday, October 01, 2012 7:31 AM
  • I would like report that the 32 bit versions of Windows Media Player and Wordpad within Windows 8 Release Preview 64 bit are not compatible with the SEHOP mitigation of EMET 3.0 or EMET 3.5 Tech Preview.

    Please see the following threads for details:

    Windows Media Player (post dated: 12th October 2012):

    http://social.technet.microsoft.com/Forums/en/emet/thread/3bdfa034-4eda-4d9e-8580-c63c971bb869

    Wordpad (second post dated 26th July 2012):

    http://social.technet.microsoft.com/Forums/en/emet/thread/3d750eee-a701-4910-aa34-e9c0e1af8aa2

    Finally, the 64 bit version of Apple iTunes (iTunes.exe) is not compatible with the system wide i.e. global SEHOP setting(Application Opt-Out) when installed on Windows 7 SP1 64 bit.

    Please see the following thread for details (post dated: 5th October 2012):

    http://social.technet.microsoft.com/Forums/en/emet/thread/26d83e44-31d3-4cb8-9ae0-7a1a7c450340

    EDIT: 21st April 2013: In the above thread, the version of iTunes was 10.7 64 bit. Version 11 and higher of iTunes 64 bit are not affected by this issue. I have used iTunes to purchase tracks from the iTunes Store without issues even with system wide SEHOP enabled.

    I hope this helps. Thank you.

    • Edited by JamesC_836 Sunday, April 21, 2013 2:57 PM Extra info
    Friday, October 12, 2012 2:46 PM
  • EMET 3.5 Tech Preview ROP issues with latest Logitech Setpoint 6.50 x64 and IE9 (Win7 x64 SP1).

    After installing Logitech Setpoint 6.50 x64 EMET reported continuously ROP mitigation issues from iexplore.exe whenever I start IE9.

    Once Setpoint 6.50 x64 has been uninstalled everything goes back to normal.

    Logitech Setpoint 6.32 x64 runs fine without issues.

    Saturday, October 13, 2012 1:11 AM
  • updating to Chrome Version 23.0.1271.64 m and Chrome in EMET (all checkmarks on) crashes several extensions. Uncheck SEHOP for chrome solves the problem.

    Please see:

    http://forums.lastpass.com/viewtopic.php?t=83548&p=277044

    http://code.google.com/p/chromium/issues/detail?id=159885

    If you think that might be a security problem in Chrome, then give google support a hint. For me as private person its a little bit difficult to contact the right channels.

    Thank you

    Thursday, November 08, 2012 7:12 AM
  • Hi,

    Encountered the same issues and Google's Forum has similar posting:

     http://productforums.google.com/forum/#!category-topic/chrome/report-a-problem-and-get-troubleshooting-help/windows/29WXfbcmueE

    Hope this info helps other users

    Best regards

    Friday, November 09, 2012 5:03 AM
  • Excel 2007 on Windows 7 32bit, with eurotool.xlam plugin, fails to run. If I disable DEP or disable the plugin it does run.
    Thursday, November 15, 2012 1:07 PM
  • I have Problems with Roxio easy creator and an Outlook plugin from octophone our phone Company... The application crashes directly and worked fine under Windows 7 before...
    Monday, December 03, 2012 2:16 PM
  • Intel Rapid Storage Technology installer fails to initialize with DEP set to Always On in system settings.
    Saturday, December 08, 2012 9:30 PM
  • Dropbox.exe 1.1.40 (99e6035826ccef09d525b2a025e1d1d7) fails to start with EMET 2.1 ARF enabled. http://forums.dropbox.com/topic.php?id=29640

    As noted by David G.1 (above), Dropbox is not compatible with the EAF mitigation of EMET. I can also confirm this for version 1.6.4 (released yesterday) when installed on Windows 7 SP1 64 bit.

    Dropbox is compatible with all other mitigations from EMET 3.5 Tech Preview.

    For your information, Dropbox works with system wide DEP (Application Opt-Out)(always on) and SEHOP (always on)(Application Opt-Out) applied.

    I hope this helps. Thank you.

    ----------------------------------------------------

    Off Topic:

    I have submitted a feature request with Dropbox to add DEP, ASLR and /GS security mitigations to Dropbox by default.

    https://forums.dropbox.com/topic.php?id=94183


    • Edited by JamesC_836 Wednesday, December 12, 2012 2:44 PM Added extra info
    Wednesday, December 12, 2012 2:43 PM
  • Running EMET 3.5 Tech Preview on Win XP SP3

    Microsoft Outlook Express 6.0.2900.5512 crashes on startup if the ROP Caller mitigation is enabled. 

    If that ROP checkbox is cleared, Outlook Express starts and runs fine (it works well with the other ROP).

    Error message generated:

    EMET detected Caller Mitigation and will close the application: msimn.exe
    EMET ROP checks error. Resume?
    CallerCheck Failed:
    PID: 0x418/1048
    TID: 248
    API Name: kernel32.CreateFileW
    ReturnAddress: 6CDFC762
    CalledAddress: 7C810CD9
    StackPtr: 0007F420


    • Edited by TaskForceKen Wednesday, January 09, 2013 5:32 AM add software version number (outlook express)
    Tuesday, December 18, 2012 5:06 AM
  • Windows 7 Ultimate x64:

    Possibly since November 2012 Windows Update and update to Windows Essentials 16.4.3505.0912:

    • Windows Explorer frequent minor corruption of Videos library by spontaneous addition of Pictures folder to Videos library (have not yet discovered which action/application triggers this).

    Possibly since December 2012 Windows Update and addition of Windows Management Framework 3.0:

    • Clicking Control Panel links frequently causes Windows Explorer crash with invalid parameter error message.

    Disabling EAF for Windows Explorer seems to fix these problems.

    Sunday, December 23, 2012 4:28 AM
  • Windows 7 64-bit

    The ROP caller mitigation causes all my Office 2010 products to crash when accessing mapped network drives.

    • Edited by Quitch Sunday, December 23, 2012 11:57 AM
    Sunday, December 23, 2012 11:57 AM
  • Google Earth appears to work OK, but I noticed that it was showing errors in Windows 8 Action Centre > View Reliability History.

    After un-checking SEHOP, the errors no longer appear.

    Thursday, December 27, 2012 1:07 AM
  • Some technical background for this repeatable issue:

    OS: Windows 7 Professional, SP1 (64-bit), upto date patches
    EMET: version 3.5
    Browser: IE 9.0, ROP protection enabled
    Application: SnippingTool.exe, version 6.1.76

    Issue: When trying to capture some of the content within Internet Explorer with the Snipping tool, the system freezes and only the Task manager is available. EMET Notfier logs this message:

    EMET_DLL module logged the following event:

    EMET encountered an error in 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
    CallerCheck Failed:
      PID          : 0x1508/5384
      TID          : 1184
      API Name     : kernel32.VirtualAllocEx
      ReturnAddress: 6AF9B294
      CalledAddress: 7644D998
      StackPtr     : 0014DC64

    Capturing image with Snipping tool within any other applications or browsers with ROP protection enabled does not result in this error. Ending task for IE through Task Manager unfreezes the system and Snipping shows the captured image; however, ending task for Snipping does not unfreeze the system. EMET ask, "Do you want to resume?" Selecting "Yes" results in more EMET notifications, conversely, selecting "No" keeps the system frozen.

    Disabling all ROP mitigation for IE resolves this issue. Removing the check mark for the mitigation identified as "Caller" only also resolves this issue. It seems that Windows SnippingTool.exe application code isn't "secure" and might be the next attack vector for hackers for Windows. In either case, IE should freeze the whole system.

    Sunday, December 30, 2012 3:48 PM
  • After installing EMET 3.5 on Win7/64.  Now AOL will not run.  Says out of memory.

    I uninstalled EMET, but the problem persists.  Clearly EMET is leaving some registry settings behind when it uninstalls.

    I went to the advanced system settings control panel, and now I see the DEP settings are all greyed out.  I used to be able to turn DEP on and off here, but no longer.

    I tried rolling back to a system recovery point before installing EMET, but that was no help.

    How do I fix this?  Should I reinstall EMET and use it to make an exception of AOL, or what?

    How do I get the advanced system settings control panel to let me set DEP settings as it used to?

    Can we get EMET fixed so that it uninstalls better?

    PS: On a hunch, I reinstalled EMET 3.0, set settings to recommended, then rebooted.

    Now AOL works again. 

    • Edited by FAntonio2 Friday, January 04, 2013 3:20 AM
    Thursday, January 03, 2013 9:06 PM
  • Hi FAntonio2,

    You are correct, AOL will give this error when system wide DEP is enabled. Since the option of turning off system wide DEP is unavailable to you, the following thread may be of assistance to you. From what I can tell these steps only apply to Windows XP:

    http://social.technet.microsoft.com/Forums/en/emet/thread/b6a3fbf2-0e2f-43f1-a8ca-9b7c0da2f1b0

    The steps that apply for Windows 7 (they should be the same for Windows Vista) are mentioned in the following thread:

    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/0310435c-e04a-4204-8bd4-fcc9c2498556

    I hope the above information is of assistance to you. Thank you.

    --------------------------------

    EDIT: Thanks for your update FAntonio2. If re-installing EMET and setting it to recommended setting had not resolved the issue, the threads I linked to above would have been the next steps. Thank you for providing the solution that worked for you.

    • Edited by JamesC_836 Friday, January 04, 2013 11:43 AM
    Friday, January 04, 2013 11:16 AM
  • Running EMET 3.5 Tech Preview on Windows XP SP3

    Word 2000 SP3 and Excel 2000 SP3 running well with all mitigations on, including the DEP that both the .xml protection profile and the EMET guide listed as incompatible in the later Office XP. 

    Both Word and Excel have all patches up to their end-of-life date in 2009.
    Caveat: I have an older Pentium 4 that does not support hardware-based DEP; my DEP is the software-based variant.  This might be the reason why DEP did not crash the applications.

    Some other software not listed in the EMET guide that are also running all mitigations, with no issues:
    Rhapsody 4.0.6.7 (the standalone application for music streaming and searching)
    Irfanview 4.3.3.0
    Sumatra PDF reader 2.1.1.0

    Wednesday, January 09, 2013 5:25 AM
  • Setting DEP to Always On in EMET v3.0 and v3.5 causes the following application to not start:

    Cisco WebEx Productivity Tools One-Click (ptoneclick.exe) v2800.400.1205.1700

    Tuesday, January 15, 2013 8:12 PM
  • Add Xobni to that list too.  Seemed that no matter what settings I selected in EMET 3.0 or 3.5, Outlook 2010 kept blowing up on startup.
    Friday, January 18, 2013 10:04 PM
  • Flash fails to load in Google Chrome  24.0.1312.56  if SEHOP is enabled in application settings (EMET 3.5 on Windows 8 x64).
    • Edited by Sand Storm Sunday, January 27, 2013 8:42 AM
    Saturday, January 26, 2013 7:52 PM
  •  

    Running EMET 3.5 on Windows 7 Professional 32-bit.

    MS Money 2005 fails with DEP error.

    Outlook 2003 fails when ROP Caller setting is enabled.

    Friday, February 01, 2013 4:36 PM
  • EMET is closing Explorer.EXE. Fault Module Name: ShellExtensionNative.dll_unloaded

    I had this problem with EMET 3.0 and now I still have it with 3.5 Tech Preview. I have EMET configured to opt out explorer.exe for all protection types, but it still crashes and EMET reports it did a DEP mitigation. Looking at the report, it appears there's a shell extension or context menu causing it to crash? Shouldn't the opt-out of explorer.exe prevent this?


    EMET_DLL module logged the following event:
    EMET detected DEP mitigation and will close the application: C:\Windows\Explorer.EXE

    Problem signature:

      Problem Event Name:                        BEX64

      Application Name:                             Explorer.EXE

      Application Version:                           6.1.7601.17567

      Application Timestamp:                     4d672ee4

      Fault Module Name:                          ShellExtensionNative.dll_unloaded

      Fault Module Version:                        0.0.0.0

      Fault Module Timestamp:                  4d106bed

      Exception Offset:                                000007fedfc76a59

      Exception Code:                                  c0000005

      Exception Data:                                   0000000000000008

      OS Version:                                          6.1.7601.2.1.0.256.1

      Locale ID:                                             1033

      Additional Information 1:                  2264

      Additional Information 2:                  2264db07e74365624c50317d7b856ae9

      Additional Information 3:                  4ad6

      Additional Information 4:                  4ad6e4750e042fff050fdb2aa067881f

    Friday, February 01, 2013 5:14 PM
  • Hi Lucas Z.,

    I would suggest simply removing explorer.exe from being protected by EMET. I have not seen this included on any tried and tested list of applications to protect with EMET since explorer.exe is a crucial process that must remain stable.

    Since you are running Windows 7 64 bit (your exception shows this, namely BEX64 and Application Version: 6.1.7601.17567. 6.1.7601 is Windows 7 with SP1) explorer.exe already has DEP, ASLR and /GS (Guard Stack) v2 enabled and this should be enough protection.

    Here are 2 examples of such lists of applications to protect. The first link cautions you about what applications you add to the list, especially for operating system processes.

    http://www.rationallyparanoid.com/articles/microsoft-emet-3.html

    http://krebsonsecurity.com/tools-for-a-safer-pc/

    If you wish to troubleshoot this issue further, please create a new thread (topic) in this forum.

    Thank you.

    • Edited by JamesC_836 Monday, February 04, 2013 6:11 PM Added further info
    Friday, February 01, 2013 8:14 PM
  • LogMeIn Rescue Technician Console (LMIRTechConsole.exe) fails if ROP Caller is enabled.

    Log Name:      Application
    Source:        EMET
    Date:          2/26/2013 2:03:19 AM
    Event ID:      2
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      XXXXXXXX
    Description:
    EMET_DLL module logged the following event:

    EMET encountered an error in 'C:\Program Files\LogMeIn Rescue Technician Console\LogMeInRescueTechnicianConsole_x86\LMIRTechConsole.exe'
    CallerCheck Failed:
      PID          : 0x5DC/1500
      TID          : E48
      API Name     : kernel32.CreateFileW
      ReturnAddress: 004D6104
      CalledAddress: 771AE8A5
      StackPtr     : 0012EF84
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="EMET" />
        <EventID Qualifiers="0">2</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-02-26T07:03:19.000000000Z" />
        <EventRecordID>194249</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXXXXXX</Computer>
        <Security />
      </System>
      <EventData>
        <Data>EMET_DLL module logged the following event:

    EMET encountered an error in 'C:\Program Files\LogMeIn Rescue Technician Console\LogMeInRescueTechnicianConsole_x86\LMIRTechConsole.exe'
    CallerCheck Failed:
      PID          : 0x5DC/1500
      TID          : E48
      API Name     : kernel32.CreateFileW
      ReturnAddress: 004D6104
      CalledAddress: 771AE8A5
      StackPtr     : 0012EF84</Data>
      </EventData>
    </Event>

    Tuesday, February 26, 2013 3:33 PM
  • Hi RDinerman,

    Does this error still occur if you disable the Caller Checks mitigation of EMET 3.5 Tech Preview?

    Thanks.

    Wednesday, February 27, 2013 10:40 AM
  • No.  Disabling Caller Checks allows the program to work without issue.  This is the workaround.
    Saturday, March 16, 2013 10:37 PM
  • Hi RDinerman.

    Thanks for the additional information.

    Sunday, March 17, 2013 9:58 PM
  • Thanks James! That appears to have worked.
    Thursday, March 21, 2013 2:34 PM
  • Hi Lucas Z. _,

    You are more than welcome. I am really glad that helped.

    Thanks.

    Thursday, March 21, 2013 9:10 PM
  • McAfee H-IPS incompatibility, causing all applications to fail to launch when enabled with EMET v4 Beta.

    Did not affect EMET v3.5 Tech Preview


    • Edited by Nullsec Tuesday, April 23, 2013 5:02 AM
    Tuesday, April 23, 2013 5:01 AM
  • I am using EMET v4 on windows 7 32bit with IE 10. I had to uncheck ROP Caller for iexplorer to stop pop up errors every time I restarted the computer and opened IE. No more pop ups after the uncheck, here is a sample of the type of error

    Application Name: C:\Program Files\Internet Explorer\iexplore.exe

    CallerCheck Failed:

      PID          : 0xF74/3956

      TID          : B68

      API Name     : kernelbase.LoadLibraryExW

      ReturnAddress: 6FFF0D2C

      CalledAddress: 7606B8B1

      StackPtr     : 0331BB90

    Also I registered on this site to post this and wanted to make the error a screen shot but every time I try it gives me an error about I am not allowed to add photo till my account email is checked. I set up alert me and received a confirm email. It has not been 24 hours, do you have to wait longer or can someone tell where to write to get this fixed. thanks Lynn


    EDIT I did not know about registry files to delete. So uninstalled, only found one registry file to delete the, HKLM\Software\Microsoft\EMET. And then reinstalled, so far no errors. I have started another post about settings to import.
    • Edited by Lynn53 Wednesday, April 24, 2013 1:35 PM
    Wednesday, April 24, 2013 7:17 AM
  • Hi Lynn53,

    Thanks for highlighting this issue.

    Due to the variety of add-ons that Internet Explorer may have installed, an incompatibility with a mitigation can be expected. Thanks for pointing out which mitigation you disabled in order to resolve this.

    What you describe in relation to the registry keys sounds fine. Another forum user, Quitch mentioned this in the following thread:

    http://social.technet.microsoft.com/Forums/en-US/emet/thread/56d4edf8-f250-4aea-9c93-72a25d5bfd0e

    I have also only found 1 registry key that was present to delete.

    • Edited by JamesC_836 Wednesday, April 24, 2013 3:52 PM
    Wednesday, April 24, 2013 2:42 PM
  • Hi JamesC_836, after importing the Popular and Recommended settings started getting the pop ups again. Removed the checkmark for ROP Caller iexplorer and they have again stopped. Just wanted to report this for others.
    Should add that the checkmark had been  added with the new install of EMET that I did.
    • Edited by Lynn53 Wednesday, April 24, 2013 3:50 PM
    Wednesday, April 24, 2013 3:48 PM
  • Hi Lynn53,

    Thanks for your update.

    In an effort to narrow down what is causing Internet Explorer to close due to the ROP Caller Checks mitigation, would you be willing to re-enable this mitigation and try to use Internet Explorer without add-ons? This is a temporary mode of Internet Explorer.

    If Internet Explorer continues to work correctly in this mode, you will then have determined that an add-on for Internet Explorer is causing this issue. The support article linked to below describes how to this. Disabling add-ons one by one is also mentioned.

    http://windows.microsoft.com/en-ie/windows7/how-do-browser-add-ons-affect-my-computer

    While not every security mitigation of EMET is compatible with every add-on, if the name of the specific add-on causing the issue can be determined, it may be possible to fix this compatibility issue.

    Alternatively you can simply leave the ROP Caller Checks mitigation disabled and continue to use Internet Explorer as normal.

    I hope this helps. Thank you.

    • Edited by JamesC_836 Wednesday, April 24, 2013 4:53 PM
    Wednesday, April 24, 2013 4:08 PM
  • Hi JamesC_836 , Yes sounds easy enough to try just will take some time. I will report back when done. Lynn
    Wednesday, April 24, 2013 4:36 PM
  • Well I disabled all IE add ons and was still getting the errors. I have four computers, the one with the problem is an old vista that I installed a fresh windows 7 so I would not have all that useless junk. I also use it for testing and learning as the reason this is the only one with EMET v4 the others have v3. I have Winpatrol Plus program I have been trying out, I stop it from loading at startup and thought that was the problem so uninstalled it but now am still getting the errors, so that was not the problem. So I have eliminated the IE add ons and Winpatrol as the problem. The only other thing I can think of is I have Avast Pro antivirus. What do you think I should try next JamesC_836.

    Edit, disabled Avast and still getting error, so Avast has been eliminated as the problem.

    • Edited by Lynn53 Wednesday, April 24, 2013 7:00 PM
    Wednesday, April 24, 2013 6:39 PM
  • Hi Lynn53,

    Thanks again for your update and for the thoroughness of your testing.

    Among my PCs, I also have a Windows Vista 64 bit SP2 PC with EMET v3 loaded. I have found that settings that work perfectly on Windows 7 64 bit do not work as well for Vista. I am not sure exactly why this is. I have had to customize EMET settings to keep 3rd party programs on Vista working smoothly.

    My advice would be to leave the mitigations disabled that are causing the issues. This is an advantage of EMET it can provide extra protection while maintaining compatibility/usability by simply turning off mitigations that crash programs. The settings that you mentioned earlier today seemed to work very well.

    Thanks for testing and eliminating Avast and WinPatrol as potential causes. Please feel free to re-enable Avast and re-install WinPatrol and set them up as you have found to work best for you. Please also feel free to use Internet Explorer as normal with EMET settings that do not cause it to crash but still provide the best protection. Apologies for any inconvenience that this testing has caused.

    I am sorry that I can’t provide more specific advice but with the different combinations of programs that each of us use we need to find what settings work best for us and continue to use them.

    I have marked your above post as helpful since you have carried out a lot of testing which will benefit others.

    If I can provide any further assistance, please let me know. Thank you.

    Wednesday, April 24, 2013 7:29 PM
  • Thank You, I enjoy the learning. Lynn

    Wednesday, April 24, 2013 7:36 PM
  • Windows 7 Professional 32-bit

    EMET 4.0 Technical Preview System Settings settings as follows,

    DEP - Always On

    SEHOP - Application Opt Out

    ASLR - Always On

    Certificate Trust - Enabled.

    Regression testing against 3.5 results in,

    Outlook 2003 now works fine whereas in EMET 3.5 it failed when ROP caller check was active, so something

    fixed/changed. 

    MS Money 2005 UK now fails with Caller Check error but in EMET 3.5 it failed with a DEP error.

    Currently happy to switch ROP caller checking off for this application.

    Everything else looks good.

    Friday, April 26, 2013 2:00 PM
  • Every could of days a random Windows 7 64 bit user will have an issue when running EMET 3.0 and Microsoft Office 2010 looking at a known good document, where one of the Office apps they are using will crash with a DEP error when opening or closing the application.  This is logged in the Windows Application logs as an Error:

    Source: EMET
    Event ID: 2
    EMET_DLL module logged the following event:
    EMET detected DEP mitigation and will close the application: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

    The next second, another log will be generated:
    Source: Application Error
    Event ID: 1000
    Faulting application name: WINWORD.EXE, version: 14.0.6129.5000
    Faulting module name: log4cxx.dll_unloaded, version: 0.0.0.0
    Exception code: 0xc0000005
    Faulting application path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Faulting module path: log4cxx.dll

    This has happened for "Faulting module path" values of: log4cxx.dll, unknown, PGPlsp.dll, and others.  The Office application may be different for each.

    This seems non-repeatable but an occasional random occurance. 


    Tuesday, April 30, 2013 10:00 PM
  • Hi Chris,

    The log4cxx.dll is a DLL related to Nero CD/DVD Authoring software and is included with Nero Burning ROM. It is possible that this DLL is being loaded by Word 2010 through an Add-in (another less likely possibility is that this DLL is being loaded into Word via the AppInit_DLLs value within the Windows Registry since Word does load user32.dll).

    Please find below links describing how to disable such add-ins. This should prevent Word from crashing in the future.

    http://www.itechtalk.com/thread8986.html

    http://support.microsoft.com/kb/921541

    PGPLsp.dll is related to the Symantec PGP Desktop encryption product. Since this provides encryption for sensitive data, I would advise against removing this particular add-in.

    If the Windows Registry is being used to load these DLLs additional steps will be necessary to remove them.

    I hope this helps. Thank you.

    • Edited by JamesC_836 Wednesday, May 01, 2013 11:34 AM
    Wednesday, May 01, 2013 10:01 AM
  • Thanks for the help James!
    Friday, May 03, 2013 9:19 PM
  • You're welcome, Chris.<o:p></o:p>

    I am not sure if what I mentioned about add-ins for Microsoft Office helps or not. If you need the functionality they offer, the only remaining option is to disable
    the DEP mitigation of EMET
    for any Office application that uses these add-ins. Also ensure that system wide DEP is set to Application Opt-in (or essential Windows programs and services only option within the Windows Control Panel).

    Thanks.

    Saturday, May 04, 2013 3:42 PM
  • We have identified one Office EMET 3.0 DEP issue as correlating with a separate Cisco Click to Call plug-in error in the OS application logs.  Other EMET Office 2010 OS application crash logs, mostly DEP related, occur every now and then across our workstations randomly and non-repeatedly with known good documents and have no correlated plug-in OS application log messages, so I am unable to troubleshoot.
    Tuesday, June 11, 2013 1:10 PM
  • Salesforce Chatter Desktop crashes on startup when ROP is enabled along with the Deep Hooks setting.

    Faulting application name: Chatter Desktop.exe, version: 0.0.0.0, time stamp: 0x51817ac0
    Faulting module name: EMET.DLL, version: 4.0.0.0, time stamp: 0x51ba563b
    Exception code: 0xc0000005
    Fault offset: 0x0004ef31
    Faulting process id: 0x17c8
    Faulting application start time: 0x01ce6d8d96c4e29f
    Faulting application path: C:\Program Files (x86)\salesforce.com\Chatter Desktop\Chatter Desktop.exe
    Faulting module path: C:\Windows\AppPatch\EMET.DLL
    Report Id: d6b00a34-d980-11e2-bb4b-74e543520225

    EMET does not display a notification when this occurs.

    Thursday, June 20, 2013 8:17 AM
  • I had EMET V3.5 Tech Preview installed for a long time on Windows 7 and since inception on Windows 8 with no problems.

    I uninstalled V3.5, restarted Windows 8 and installed V4.0.4913.26122 and all of: Adobe Acrobat, Lenovo Hot Spot Service, Skype C2C Service, Internet Explorer and DU Meter failed with KERNELBASE.dll errors. Acrobat and Internet Explorer would not even start.

    I had installed V4 with Recommended Settings.

    I uninstalled V4, restarted, and reinstall V3.5 Tech Preview. This substantially reduced the errors.

    I again uninstalled V3.5 and this time removed the two EMET Registry Keys. I restarted and installed EMET V4 with no setup.

    I then added about a dozen and a half programs manually:  All of Office 2013 including ONENOTEM, Adobe, both iexplore (32 and 64), Java, and jusched, integratedoffice, and PopPeeper (email daemon). I then imported the certificates file.

    Time will tell if this bizarre and worthless Windows 8 system will just keep crashing.

    With over 150 processes and 12 flags, adding one each day to test will take 1800 days to set it up. EMET V4 was not made for mortal human beings and yet mortal human being are precisely the ones that need it.

    Friday, June 21, 2013 1:26 AM
  • Windows XP SP3, all Updates. Office 2010, all Updates. We installed EMET 4.0 last night, used standard settings and could not open Outlook any more. After we uninstalled EMET all was well again.

    Event Error "EMET 2"

    Application Name: C:\Programme\Microsoft Office\Office14\OUTLOOK.EXE
    CallerCheck Failed:
      PID          : 0x788/1928
      TID          : 124C
      API Name     : kernel32.CreateFileW
      ReturnAddress: 21872340
      CalledAddress: 7C810CD9
      StackPtr     : 0013E4E8

    Event Warning "EMET 1"

    "Error Sending Telemetry Data: Config Not Initialized"

    Friday, June 21, 2013 8:30 AM
  • We had used "recommended settings" as well as "normal settings". I don't remember the exact names of these two any more.
    Friday, June 21, 2013 8:32 AM
  • Foxit Reader version 6.0.3.0524 crashes on startup unless SEHOP is disabled for it.

    Running EMET version 4.0.4913.26122 on Windows 7 Ultimate 64-bit

    Edit: The FoxIt crash with SEHOP does not happen on a second PC, all the versions are the same, the only difference is the working system has a Core 2 Duo CPU and the problem PC is a workstation with dual older XEON CPUs.  We've had several other applications that acted up on that XEON PC, in one case it was tracked down to a libgnutls26 bug that only happened on CPUs that have MMX but not SSE2.

    • Edited by jh_314159 Friday, June 28, 2013 7:41 PM additional info
    Thursday, June 27, 2013 8:10 PM
  • TeamViewer (8.0.19045) crashes if the ROP mitigation "Caller checks" is enabled (using EMET 4.0.4913.26122). You need to disable it for both "TeamViewer.exe" and "TeamViewer_Service.exe". All the other mitigations can be enabled. Also you can enable all mitigations for "TeamViewer_Desktop.exe", "tv_w32.exe" and "tv_x64.exe".


    Application Name: C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
    CallerCheck Failed:
      PID          : 0xC0C/3084
      TID          : B4C
      API Name     : kernel32.LoadLibraryExW
      ReturnAddress: 0101A299
      CalledAddress: 759C4945
      StackPtr     : 0016F274

    Application Name: C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
    CallerCheck Failed:
      PID          : 0x12A0/4768
      TID          : A94
      API Name     : kernel32.LoadLibraryExW
      ReturnAddress: 00B11CDA
      CalledAddress: 759C4945
      StackPtr     : 002DF9DC


    Wednesday, July 03, 2013 4:27 AM
  • AQTime 7 by SmartBear is a .exe profiling application used by software developers.

    I cannot disable the "SimExecFlow" check for this application, no matter what I try.

    I added an entry to AQTime.exe and all other *.exe files installed by the application. I disabled all mitigations for all these executables. But when I start AQTime, EMET always detects a SimExecFlow, even if that checkbox is off.

    The only way I can run AQTime is to switch from "Stop On Exploit" to "Audit Only". EMET will display the "SimExecFlow" detection for AQTime.exe but the application itself continues and works as expected.


    Lit Window Productions

    Wednesday, July 03, 2013 6:31 AM
  • Please consider the following "EMET 4.0: Configuration issues with XML profile" bug report: http://social.technet.microsoft.com/Forums/en-US/d3d8c845-20b1-46eb-91e6-d9f34ca1b302/emet-40-configuration-issues-with-xml-profile
    Thursday, July 04, 2013 2:37 AM
  • EMET 4.0 with Outlook 2010 & CRM 2011 Plugin - Outlook crashing -stackpivot to fix
    Thursday, July 04, 2013 4:28 PM
  • New today.

    Windows 7 x64 SP1

    EMET 3.0. MS default config as installed - all opt in.

    Google Chrome major version 28 completely broken by EMET 3.0. Google Chrome calendar major version 27 broken by same.

    Solution: Disable SEHOP protection for chrome.exe. Fixed!

    Thursday, July 11, 2013 4:30 PM
  • Ubisoft Uplay (uplay.exe) crashes when launching unless "Caller" is unchecked in EMET.
    Sunday, July 14, 2013 3:54 PM
  • I had the same issue. seems to be fixed in EMET 4.0. Able to enable all protection for chrome without any issue (so far so good). Windows 7 32-bit SP1
    Friday, July 19, 2013 8:49 AM
  • I had same issue (same IE, same OS 32-bit, same EMET version). For me, I had to disable SEHOP. I have disabled all add-ons.

    Problem signature:
      Problem Event Name: APPCRASH
      Application Name: iexplore.exe
      Application Version: 10.0.9200.16635
      Application Timestamp: 51b7a921
      Fault Module Name: KERNELBASE.dll
      Fault Module Version: 6.1.7601.18015
      Fault Module Timestamp: 50b83b16
      Exception Code: 0000071a
      Exception Offset: 0000812f
      OS Version: 6.1.7601.2.1.0.256.48
      Locale ID: 17417

    Problem signature:
      Problem Event Name: APPCRASH
      Application Name: iexplore.exe
      Application Version: 10.0.9200.16635
      Application Timestamp: 51b7a921
      Fault Module Name: KERNELBASE.dll
      Fault Module Version: 6.1.7601.18015
      Fault Module Timestamp: 50b83b16
      Exception Code: 800706ba
      Exception Offset: 0000812f
      OS Version: 6.1.7601.2.1.0.256.48
      Locale ID: 17417
      Additional Information 1: b628
      Additional Information 2: b6287eb38608c03c51f0e30bc059b95b
      Additional Information 3: dda5
      Additional Information 4: dda5a25c34804fd8baa0fa966fea80b9



    • Edited by Larry Patch Friday, July 19, 2013 9:18 AM added 32-bit
    Friday, July 19, 2013 9:18 AM
  • Acrobat Reader always hangs and eventually closes itself with EMET 4.0 installed. Works just fine when SEHOP is disabled for AcroRd32.exe.
    Thursday, August 15, 2013 9:43 AM
  • Brocade Switch configuration and other Java Web Start Applets: 

    "could not create the java virtual machine" caused by EMET 4.0 HeapSpray Mitigation.

    Solution: disable Heap Spray Mitigation for javaw.exe


    Tuesday, August 20, 2013 12:08 PM
  • Angebotsassistent e-Vergabe (http://www.evergabe-online.de/) does not work as long as EMET 4.0 is installed.

    Disabling all Mitigations does not seem to help - but it works again after EMET 4.0 is uninstalled.

    Tuesday, August 20, 2013 2:06 PM
  • Yahoo Messenger will not start with the DEP mitigation enabled.  EMET does not present an error or a log when this happens.

    EMET 4.0

    Win7 Pro 64-bit

    Tuesday, August 20, 2013 7:07 PM
  • The Think Cell addon for Powerpoint will trigger a Caller mitigation when importing data from Excel.  This will cause EMET to close Excel.  Disabling the Caller mitigation resolved this issue.

    EMET 4.0

    Win7 Pro 64-bit

    Wednesday, August 28, 2013 6:52 PM
  • I have seen the same thing with Outlook and a specific add-in.  EMET stops Outlook due to SimExecFlow.  Disable SimExecFlow, same issue.  Disable all mitigations, SAME ISSUE.  The only way around is to completely remove the process from EMET.  Currently working with Microsoft on this issue, I will update you if we get a resolution.
    Wednesday, September 11, 2013 11:31 PM
  • The PhonerLite VoIP softphone (http://www.phonerlite.de/download_en.htm) in its current version 2.11 gets prevented from starting up by the EMET's "SimExecFlow".

    See following forum thread for details: http://www.forum.phoner.de/YaBB.pl?num=1379779020
    Tuesday, September 24, 2013 4:39 PM
  • If you boot with a Windows Mobile device connected (at least when connected via USB), Windows Mobile Device Center (v6.1.6965) crashes on startup. You can start WMDC once the system has finished startup, and you can plug a device in after startup, either way WMDC will work fine. But if you startup with a device attached, WMDC try to start and will crash. This is with EMET 4.0 on Windows 7 Ultimate x64. Did not have this problem until after EMET was installed. WMDC services are set for Auto (delayed) start. WMDC is runing under EMET with all mitigations enabled.

    Also Speedfan 4.49 will not run under EMET. It fails with a SimExecFlow error. And seems to "load" in EMET twice or something. I had to disable all mitigations and remove it in the list in the Applications Configuration window, and again in the Running Processes list in the main window. I tried adding each mitigation separately, to see if a specific mitigation was the issue, but it simply would not work if any of the mitigations were enabled in EMET. Same computer as the WMDC issue.

    Saturday, September 28, 2013 6:23 PM
  • mmc.exe with AGPM 4.0 crashes when I switch to "Change Control" section. Fixed by uncheck EAF for mmc.exe.

    http://kf.lj.ru

    Sunday, October 27, 2013 4:43 PM
  • Chrome 31.0.1650.58 does not load tabs/websites, Mitigation "Caller" causes this problem. 

    I had this issue on several computers. Can't say for now whether it's new with Chrome 31 or EMET 4.1, since both updates were installed at the same time. Maybe someone else has this problem, too. 


    cu, Ingo

    Wednesday, November 13, 2013 10:14 PM
  • multiple DEP alert on Word 2013 (EMET 4.1 default values/Windows 7 64bits./INTEL Core2quad Q9950)

    Friday, November 15, 2013 5:27 PM
  • Adobe Acrobat 8.3.1.289
    Windows XP SP3

    EMET 4:
    EMET Detected caller mitigation and will close the application: acrobat.exe

    But, the notice is erroneous: It occurs after i disable Caller for Acrobat & it does not close acrobat. Additionally, the notice is set off when acrobat is launched without a pdf.

    Tuesday, November 19, 2013 7:35 PM
  • Windows 7 x64

    Office 2010

    We are seeing stackpivot mitigations for Outlook.exe for those users that have the MS CRM Plugin for Outlook installed FYI. All MS products and apparently not playing nicely.

    StackPivot check failed:  

    Application : C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

    User Name : DOMAIN\USER

    Session ID : 1 PID : 0x384 (900)

    TID : 0x10C (268)

    API name : kernel32.CreateFileMappingA

    ReturnAddress : 0x63474146

    CalledAddress : 0x769D54A6

    Thread stack area range: [0x18EC9000..0x18ED0000]

    StackPtr : 0x18EC5744

    

    Thursday, November 21, 2013 1:16 PM
  • I'm also experiencing a "SimExecFlow" error when using a specific application - even if all mitigations have been turned off. You have to actually remove the app from the apps list. The apps concerned are the DirectShow filters subsumed under the name "LAV Filters" (https://code.google.com/p/lavfilters/). If their ffmpeg part is compiled using gcc 4.8.x EMET will close them upon start. I'm testing it with the MPC-HC media player 1.7.1 (it comes with LAV Filters built in, so you don't have to download those extra), download below:

    http://mpc-hc.org/downloads/

    Tested with EMET 4.0 and EMET 4.1 under Windows 7 x64 SP1.

    To reproduce:

    Add mpc-hc to EMET list (or possibly other DirectShow players), open mpc-hc and make it use one of the LAV Filters by opening a file that needs them or changing their settings. (For the built-in ones: Options>Internal Filters>[one of the bottons at the bottom])

    • Edited by mwellm Sunday, December 01, 2013 11:49 PM
    Sunday, December 01, 2013 11:14 PM
  • I'm having reports from all our developers on the following Emet 4.1 issue:

    • Windows 7 64bit
    • EMET 4.1
    • Visual Studio 2010 (32 bit)
    • Internet Explorer 9 32bit
    • Silverlight 5 (5.1.20913.0)
    • F5 in Visual Studio, builds and attaches to IE for Silverlight debugging, loads start page hosting Silverlight plugin

    Result is silent end of IE process

    No log.

    Disabling all EMET checks does not resolve.

    Uninstalling EMET resolves.


    Monday, December 02, 2013 1:22 PM
  • On my Win7 w/ Office 64bit machine Excel crashes on launch with EMET 4.1. Problem with the Excel MS Power Query November update add-in. Disabled all mitigations but same result. Un-installing EMET fixes. 

    Wednesday, December 04, 2013 11:38 PM
  • ArcSoft TotalMedia Theatre 6.5.1.150

    Application crashes when try to play Blu-Ray disk with java apps on it. Caused by system-enabled DEP. The only workaround is to set system DEP setting to Application Opt In.


    http://kf.lj.ru

    Sunday, December 15, 2013 10:45 PM
  • Certificate Pinning feature conflicts with Comodo's certsentry (it's bundled with installer version of Comodo Dragon), causes lots of programs fail to connect internet properly, but connect to "no-dns-yet.ccanet.co.uk".

    Disabling the feature or uninstalling certsentry (i.e. uninstall Dragon & re-install Dragon portable version) immediately solve the problem.

    Somohow when both are enabled and system is restarted, the conflict seem not to appear immediatly, but seem to need several hours to produce the problem.

    Sorry for poor English!

    Tuesday, December 17, 2013 6:54 AM
  • I'm having reports from all our developers on the following Emet 4.1 issue:

    I'm not sure if this is similar or not, since our issue logs to the Windows OS Application log, but just in case -

    Our programmers who use Visual Studio with Internet Explorer applications and set breakpoints will trigger EMET EAF mitigation after pressing F10.  To fix that, we put that PC in its own OU inside its present OU, and then created a group policy for an OU with the following settings:

    Default Protections for Internet Explorer: Disabled

     Application Settings: Enabled & Show…. (note: no spaces before the asterisk):

                    *\Internet Explorer\iexplore.exe -EAF


    Friday, December 27, 2013 8:15 PM
  • Yuki2718,

    This problem can be solved as follows:at the command prompt as Administrator regsvr32 /u certsentry.dll and prohibiting in Group Policy application execution certsentry_setup.exe. Though the course is a crutch.



    Saturday, December 28, 2013 1:07 PM
  • EMET 4.0 with Outlook 2010 & CRM 2011 Plugin - Outlook crashing -stackpivot to fix

    I realize I can disable the stackpivot check however what if there is a real stackpivot vul that isn't CRM related? We would be unprotected. That and I thought MS products were EMET certified? I suppose I can ask them...

    In fact EMET isn't actually closing outlook when the stackpivot mitigation happens. We are just getting a lot of EMET alert (noise) emails.

    Friday, January 17, 2014 7:45 PM
  • Outlook 2007
    SalesForce For Outlook plugin
    https://na9.salesforce.com/setup/crmforoutlook/bin/SalesforceForOutlook.exe

    Login to SalesForce via the plugin. Outlook will crash and notify user about SimExecFlow. Turning this option off gets rid of the error.


    My idea of a party is a virtualization server and a room of TechNet DVDs

    Tuesday, January 21, 2014 10:59 PM
  • Turns out a reinstall of the CRM plugin fixed some cobwebs and EMET is no longer alerting on Stackpivot.

    I'd also like to point out that telling people to just turn off the mitigation kind of defeats the purpose of EMET. It is there to let you know you have some software doing bad (malware-like) things...and the correct action would be to fix said software. In the case of Outlook, I did not want to turn off any mitigations. Perhaps for small corner case LOB apps that is more doable.

    Wednesday, January 29, 2014 6:06 PM
  • Hi,

    I would like to report the following:

    Netbook with Intel Atom CPU
    OS : Windows 7 Starter (32Bit)


    EMET 4.1
    ======

    System-Wide Configuration:
    ------------------------------
    DEP - App-Opt-Out (instead of App-Opt-In)
    SEHOP - App-Opt-In
    ASLR - App-Opt-In
    CERT TRUST - Enabled


    Application/Trust Certificate Configurations:
    -----------------------------------------------
    Default Profiles provided via installed deployment folder:

    Popular Software.xml
    CertTrust.xml

    and manual additions of other installed applications.


    Reporting Options:
    --------------------
    Windows Event Log - On
    Tray Icon - On
    Early Warning - On


    Problem : Palemoon Version 24.3.0 (Atom) internet browser starts as indicated by Task Manager but does not launch. No alerts by EMET Agent Tray Icon.

    Offending Mitigation : ROP - SimExecFlow.

    Solution Applied : Unchecked ROP - SimExecFlow Mitigation.


    Hope this information helps other users.

    Friday, January 31, 2014 11:16 AM
  • Just as an FYI I've started a spreadsheet with issues. If you could when reporting add them to the spreadsheet it will help the community and us (MSFT) to tailor installs to our organizations as well as help drive to resolution issues that are encountered.

    http://social.technet.microsoft.com/wiki/contents/articles/22931.emet-known-application-issues-table.aspx is the wiki page however due to formatting issues the actual data is hosted in an Excel Web Page instead located at

    http://sdrv.ms/LS9PNV which should be open to all to edit.  Try to fill in fields as much as possible to help out when you encounter app issues.  The first page in the workbook is EMET mitigations which are the specific emet.dll injection mitigations provided to applications, the 2nd page is the System-Wide Mitigations (DEP/SEHOP/ASLR) which realistically are not EMET however can be controlled by EMET so if you do have a system-wide protection mechanism crash post it on the 2nd page.

    Thanks for your help with this :)

    Kurt Falde

    MSFT


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response/FOPE) Check out my blog http://blogs.technet.com/kfalde or better yet check out http://technet.com/wiki and start contributing :)

    Thursday, February 06, 2014 6:22 PM
  • I want to bring to your attention:

    Settings for Vlc.exe are proposed in popular software.xml

    Up to version 2.1.2 of vlc those settings are compatible.

    vlc 2.1.3 is not compatible with SimExecFlow.

    EMET notification: "EMET detected SimExecFlow mitigation and will close the application: vlc.exe"

    right after vlc.exe start.

    This has been reported as h...://social.technet.microsoft.com/Forums/security/en-US/b603ecaa-441c-4256-8f3f-ce5c33e3723a/

    There are also posts about this incompability as

    h...://trac.videolan.org/vlc/ticket/10583

    and as

    h...://forum.videolan.org/viewtopic.php?f=14&t=117231

    As the incompatible setting is part of a proposed and predefined set of settings this might be of interest for you.


    • Edited by happywing93 Wednesday, February 19, 2014 7:56 AM
    Wednesday, February 19, 2014 7:55 AM
  • Your EXEL ONLINE spreadsheet should be formated as table in order to let everyone be able to see table headers, even if doing edits in in high numbered rows.

    "Format as table" is available in web interface but there seems to be no obvious way to correct/revert table format for "everyone" users.

    So it might be necessary for Support personal to have a look at that table and think of a practical solution for this comfort/accebility problem/feature.

    Thank you.



    • Edited by Riopantr193 Friday, February 21, 2014 4:07 PM
    Friday, February 21, 2014 4:05 PM
  • Windows 7 x86 SP1, EMET 5.0 Technical Preview, system settings: DEP=Opt In, SEHOP=Opt In, ASLR=Opt In, CertTrust=Enabled.

    1) Adobe Reader 11.0.6 hang on opening the document due EAF enabled by default; when EAF disabled, crash on exit

    Problem signature:
      Problem Event Name: APPCRASH
      Application Name: AcroRd32.exe
      Application Version: 11.0.6.70
      Application Timestamp: 52b528e2
      Fault Module Name: EMET.DLL
      Fault Module Version: 5.0.0.0
      Fault Module Timestamp: 530b82f5
      Exception Code: c0000005
      Exception Offset: 0002b5cb
      OS Version: 6.1.7601.2.1.0.256.1
      Locale ID: 1049
      Additional Information 1: 45fc
      Additional Information 2: 45fc2d309b68ba45f0ab6d26aa89f613
      Additional Information 3: 2126
      Additional Information 4: 212673e4d3966f14628a4684356d1887

    2) Internet Explorer 10 while logging in to this very forum thread crashed twice:

    Problem signature:
      Problem Event Name: APPCRASH
      Application Name: iexplore.exe
      Application Version: 10.0.9200.16798
      Application Timestamp: 52ec7da1
      Fault Module Name: EMET.DLL
      Fault Module Version: 5.0.0.0
      Fault Module Timestamp: 530b82f5
      Exception Code: c0000005
      Exception Offset: 0002ad98
      OS Version: 6.1.7601.2.1.0.256.1
      Locale ID: 1049
      Additional Information 1: bda1
      Additional Information 2: bda121a38238ccf5ccb8b5cefddc9000
      Additional Information 3: 2e07
      Additional Information 4: 2e073306618385ff80227a2109092d69

    Wednesday, February 26, 2014 8:10 AM
  • Microsoft Office Word 2003 (11.0.8409.8405) SP3 crash on exit if any of DEP, EAF Mandatory ASLR are enabled.

      Problem Event Name: APPCRASH
      Application Name: WINWORD.EXE
      Application Version: 11.0.8409.0
      Application Timestamp: 52a8dbe1
      Fault Module Name: EMET.DLL
      Fault Module Version: 5.0.0.0
      Fault Module Timestamp: 530b82f5
      Exception Code: c0000005
      Exception Offset: 0002ad98
      OS Version: 6.1.7601.2.1.0.256.1
      Locale ID: 1049
      Additional Information 1: bda1
      Additional Information 2: bda121a38238ccf5ccb8b5cefddc9000
      Additional Information 3: 2e07
      Additional Information 4: 2e073306618385ff80227a2109092d69

    Wednesday, February 26, 2014 9:35 AM
  • Internet Explorer 10 crash on exit when any of these settings are enabled: Mandatory ASLR, LoadLib, MemProt, Caller, SimExecFlow, StackPivot.
    Wednesday, February 26, 2014 10:47 AM
  • If you have experienced application compatibility problems with EMET, please share your experiences on this thread. 


    NOPDB.EXE 19.0.0.8 (7.00.0.24) 11/03/2005 21:44 Size: 176,193
    Copyright (c) 1997-2005 Symantec Corporation
    C:\Program Files\Norton SystemWorks Basic Edition\Norton Utilities\Speed Disk

    Running under XP SP3.

    With EMET 4.1 DEP set to "Always On" (System Setting) this program errors at boot time with
    "cannot write to memory" error. No problems when DEP is set to "Application Opt Out".

    - Wayne

    Thursday, February 27, 2014 12:54 AM
  • I don't see anything here about windows update.  If anyone else has this problem I'd be interested in the solution.  Since EMET install time, I always receive error code 80244019 when trying to run windows update.   I have switched to downloading them manually when they appear.   I'd like to know how to enable EMET to allow windows updates to work again.  Have reinstalled the update services and tried stopping and starting a variety of services to re-enable Windows Update. I'm not sure how to turn EMET off... thought about uninstalling but figure if it even blocks the big virus we call windows update, then it can't be all that bad. But, it would be nice to get that automated process working again.

    R, J

    Thursday, February 27, 2014 11:49 AM
  • EMET 5.0, Google Chrome is prevented from running. You have to opt out from caller. Then everything seems to work fine.
    Saturday, March 01, 2014 5:19 PM
  • Tell me more...   I don't install Google Chrome.  But I am running IE... could there be the same overlap...What do you mean "opt out from the caller"?

    R, J

    Saturday, March 01, 2014 8:29 PM
  • Hi Devid’,

    I experienced the same behaviour as you on both Windows 7 64 bit SP1 and Windows 8.1 64 bit with regard to Google Chrome. Thanks for pointing out.
    Sunday, March 02, 2014 5:27 PM
  • Hi everyone,

    Using Google Chrome Beta v34.0.1847.11 with EMET 4.1 when installed on Windows 8.1 64 bit resulted in the Caller Checks mitigation needing to be disabled for Chrome to continue to launch. This did not occur with previous versions of Chrome.

    Disabling all extensions (using chrome://extensions) and plugins using (chrome://plugins) still resulted in the same change to EMET being necessary.

    Thanks.

    Sunday, March 02, 2014 5:28 PM
  • Hi everyone,

    I have completed some initial testing of EMET 5.0 Technical Preview (TP) on Windows 7 64 bit and Windows 8.1 64 bit and wished to share my findings.

    In general, EMET 5.0 TP with Windows 7 64 bit SP1 needed many changes to its configuration to prevent application crashes either on start up or on exit (mostly on exit). For Windows 8.1 only Google Chrome needed a settings change to prevent it crashing on launch. I have provided a full list of settings below with the config files downloadable from my OneDrive.

    According to the following forum thread (and the link below) the many Windows Error Reporting dialogs that are encountered are due to a bug in this preview version of EMET:

    http://social.technet.microsoft.com/Forums/security/en-US/8b0149ad-da1b-4de0-a824-b9672cc1fb8a/emet-detected-asr-mitigation-in-iexploreexe-component-adobe-flash-player-120-r0?forum=emet

    http://0xdabbad00.com/2014/02/27/emet-5.0-review/

    Many thanks to Susan Bradley for highlighting this issue and the multiple ASR prompts issue.

    Only the necessary changes to the default configuration of all mitigations being enabled are mentioned below:

    In all cases (Windows 7 and Windows 8.1), EAF+, Anti Detours, Banned Functions and Deep Hooks remained enabled.

    In addition, only the minimum number of changes needed to have an application work correctly are shown.

    The system wide settings for EMET for each version of Windows are provided in the following screenshot links:

    System wide Settings Screenshots:

    Windows 7:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_50_Settings_Win7.png

    Windows 8.1:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_50_Settings_Win81.png

    I hope that this information is helpful to you. Thank you.

    ========================

    Windows 7 64 bit SP1

    Adobe Reader XI (v11.0.06): No changes necessary (please see hypothesis’ post above if you are having issues)

    Google Chrome Beta (v34.0.1847.11):  Caller Checks: Disabled

    DosBox v0.74: Mandatory ASLR: Disabled

    Auslogics Duplicate File Finder v3.5.1.0: Mandatory ASLR: Disabled

    Mozilla Firefox v27.0.1:

    Load Library Checks: Disabled

    Memory Protection Checks: Disabled

    Caller Checks: Disabled

    Simulate Execution Flow: Disabled

    Stack Pivot: Disabled

    Internet Explorer 11 64 bit: Mandatory ASLR: Disabled

    Notepad++ v6.54: Mandatory ASLR: Disabled

    Apple iTunes v11.1.5 64 bit: Mandatory ASLR: Disabled

    Skype v6.14.104: No changes necessary.

    TrueCrypt 7.1a: Mandatory ASLR: Disabled

    VLC v2.1.4 64 bit:  Mandatory ASLR and EAF: Disabled

    YouTube Downloader v4.72:

    Mandatory ASLR: Disabled

    Load Library Checks: Disabled

    Memory Protection Checks: Disabled

    Caller Checks: Disabled

    Simulate Execution Flow: Disabled

    Stack Pivot: Disabled

    ========================

    Windows 8.1 64 bit:

    Adobe Reader XI (v11.0.06): No changes necessary.

    Google Chrome Beta (v34.0.1847.11):  Caller Checks: Disabled

    DosBox v0.74: No changes necessary.

    Auslogics Duplicate File Finder v3.5.1.0: No changes necessary.

    Mozilla Firefox v27.0.1: No changes necessary.

    Internet Explorer 11 64 bit: No changes necessary.

    Notepad++ 6.54: No changes necessary.

    Apple iTunes v11.1.5 64 bit: No changes necessary.

    Skype v6.14.104: No changes necessary.

    TrueCrypt 7.1a: No changes necessary.

    VLC 2.1.4 64 bit:  No changes necessary.

    YouTube Downloader v4.72: No changes necessary.

    • Edited by JamesC_836 Wednesday, July 16, 2014 1:53 PM Removed EMET Config File Links
    Sunday, March 02, 2014 5:30 PM
  • I suppose an experienced user would understand about getting applications recognized within the interface but in general I find it hard to navigate.  After months of problems with Windows Update (first installed 3.5, upgraded to 4.0 then 4.1 and finally 5.0) I gave up and uninstalled EMET but after some thought, attempted a reinstall and now the Windows Updates are working.   That's curious.   I accepted default configurations on all builds.  The reinstall was build 4.1.    I see no one else with Windows Update problems so I can assume I am alone with the problem but it is clear that the interface is rather unfriendly as all here seem to have issues with ASR and ASLR.

    On the KREB's site, there is talk about something in the lower right corner that only exists as a refresh button on the versions I've seen.   I suspect that website may be outdated and misleading.   I think it is open season on someone with a good website explaining how to configure the EMET and especially tricky for the EMET developers to find a way to make the interface more user friendly and the tool bar less cluttered with options.

    My two cents.  But I like the product regardless of its awkward handling.


    R, J

    Sunday, March 02, 2014 8:24 PM
  • With EMET 4.1 installed, installing WinZip 17.5 causes Microsoft Outlook to not start due to the WinZip ZipSend Outlook add-in.  With EMET 5.0 TP installed, there is no issue.

    [R, J: For GUI, the EMET User Guide says to send feedback and suggestions to emet_feedback@microsoft.com]

    Tuesday, March 04, 2014 3:53 PM
  • He's using DAMN NFO viewer for warez distributions because it's pretty
    Saturday, March 29, 2014 2:56 AM
  • Same Here. I have to disable StackPivot on both 'Outlook.exe' processes listed in the Configuration screen. Not sure why there are two.

    Outlook 2010 fully patched

    CRM 2011 latest UR15


    Scott M. Phoenix, AZ

    Thursday, April 24, 2014 3:44 PM
  • Thanks Олег Дивов, I know how to unregister a dll by regsvr32, but it disables Certsenty itself, but surely it's a solution I didn't noticed.

    Sorry for quite late reply.

    Wednesday, May 07, 2014 2:50 PM
  • IMHO, these are similar in functionality, but differ in the method of implementation technologies are incompatible, so the living can be only one.
    Wednesday, May 07, 2014 3:03 PM
  • If you apply any ROP mitigation to iexplorer.exe (I'm using IE11 on Win7x64), Quarri MyPOQ's protected browser will crash.

    I'm now using EMET 5.0 RP2.

    BTW, am I only one who experience occasional crash of flash player when I apply Heapspray mitigation to firefox.exe & plugincontainer.exe and watch Flash videos?

    It happens from time to time, not always, and remove Heapspray from both resolve the problem.

    Also when I set ASLR in AlwaysOn, Comodo Cleaning Essentials couldn't finish it's scan.

    It always stops (not crash, just silently ends) at Program Files\Internet Explorer\en-US\eula.rtf.

    Putting back ASLR to Opt-in resolve the matter.

    However, last time I used CCE was several month ago. I'll confirm and maybe report to Comodo when I have a time.

    Wednesday, May 07, 2014 3:05 PM
  • Java 7 Update 55 requires SEHOP to be disabled as well (Win 8.1 Pro, x64, IE11).
    Friday, May 09, 2014 5:09 PM
  • Sorry again, I somehow missed your reply.

    Well, similar but different.

    AFAIK, so far CertSentry's function is gathering statistical info about certificate revocation checking system, so in the default setting it doesn't offer any additional protection.

    But you can make it enforce revocation checking for all apps which uses Microsoft CryptAPI so it protects a user from being fooled by revoked certificate.

    OTOH, EMET's pinning demands certain website to show certain certificate (exactly speaking, certificate which belongs to certain root CA), it works when a CA is compromised or made a serious mistake,  malicious people get completely legitimate certificate(s), and then abuse it e.g. launch malicious website with the certificate while trick people by DNS poisoning, or more likely uses the cert for MITM attack.

    EMET can prevent such attacks proactively, but CertSentry (with enforced checking) can help only after the CA revoked those compromised certs.

    BTW Chrome has same function as EMET pinning.



    • Edited by Yuki2718 Wednesday, May 14, 2014 9:24 AM
    Wednesday, May 14, 2014 9:22 AM
  • Hi, I'm using Windows Server 2008 Enterprise (Build 6002, SP2) 64-bit English running as the only productive domain controller, IIS and SQL-Server and I updated EMET from 4.1 to 5.0TP2 and after reboot the system didn't start anymore. First I had to circumvent a hardware problem (with a monitor connected, the harddrive doesn't start), then I couldn't log in due to missing cached credentials (I always log in remotely) and couldn't find the DomainAdmin password. Finally I could log in with SafeMode+Net, but uninstalling EMET is not possible in SafeMode. After I got that solved I could boot again. Trying to install EMET4.1U1 caused the same problems. It seems like the following applications are crashing, sometimes with error "DEP detected", sometimes they simply crash and EMET doesn't even detect the module. But finally, with some tweaking, I got it working. Here's the list of non-compatible programs, all of them don't work with EAF (Export Address Table Access Filtering) and run fine with EAF turned off (all are .exe):

    • EMET_GUI
    • EMET_Agent
    • Explorer
    • mmc
    • taskeng (Task Scheduler Engine)
    • Dwm (Desktop Window Manager)
    • lsass (*)
    • lsm (*)
    • services (*)
    • svchost (*)
    • w3wp
    • inetmgr
    • dns
    • ismserv
    • msdtc
    • spoolsv
    • dfssvc
    • inetinfo
    • DFSRs
    • NamecheapDDNSClient
    • sqlservr
    • sqlwriter
    • SQLAGENT
    • iexplore

    The ones with the star (*) are responsible for not being able to boot. All generic options are enabled or at highest level.

    Why is EAF for most applications not working? Is there some general incompatibility with Windows Server 2008? Would you recommend to turn off EAF for all applications, even for those that seem to work (like RegEdit)? Or is the machine pwned?

    Saturday, May 17, 2014 12:11 AM
  • We have noticed that Google Chrome web browser has started to cause dozens of "EMET detected Caller Mitigation and will close the application: chrome.exe" errors when started since 5/21/2014, and have found a related article: http://www.chromium.org/Home/chromium-security/chromium-and-emet.

    Update: Unfortunately, adding a number of variations of the path including just "chrome.exe -Caller" into the group policy "Application Configuration" section didn't work to override the setting for Chrome used in the "Default Protections for Popular Software" section of group policy.  To get it to work we had to manually change the chrome line in the group policy .admx file to "<string>*\Google\Chrome\Application\chrome.exe -SEHOP -Caller</string>" and then change the Popular Software section in group policy to Not Configured and then Enabled again.

    Thursday, May 22, 2014 3:57 PM
  • EMET 4.1 U1 and Windows 7 SP1 x86.

    Personal Software Inspector (PSI) - after scanning for vulnerable applications and closing PSI, crashes psia.exe code C0000005. For normal operation of PSI must disable DEP for psia.exe.

    Screamer Radio - To run the application, you must disable all the values ​​in the ROP - LoadLib, MemProt, Caller, SimExecFlow, StackPivot.

    KeePass 1.27 released - often, but not always, a message appears, when you drag and drop your password - "EMET detected DEP mitigation and will close the application: C:\Program Files\KeePass Password Safe\KeePass.exe"

    Monday, May 26, 2014 12:20 PM
  • After I installed this, my user account control access was changed and I now no longer have administrative rights and don't know how to fix this.  Very very frustrating. Sorry I ever downloaded it.
    Tuesday, June 03, 2014 2:59 AM
  • EMET 4.1 U1 and Windows 7 SP1 x86.

    ImgBurn v2.5.8.0 - SimExecFlow

    Recuva 1.51.0.1063 -  Caller.

    Friday, June 06, 2014 2:28 PM
  • Chrome.exe issue is fixed after installing EMET 4.1 Update 1

    http://www.microsoft.com/en-us/download/details.aspx?id=41138

    Friday, June 06, 2014 7:55 PM
  • Chrome Caller Mitigation fixed by installing EMET 4.1 Update 1

    http://itcalls.blogspot.com/2014/06/emet-detected-caller-mitigation-and.html

    Sunday, June 08, 2014 7:43 AM
  • I'm running EMET 4.1 Update 1.  We have some users that have to connect to another network from time to time.  When they switch networks, they get a Telco Systems' EdgeGenie error.  "Could not create the Java Virtual Machine."  Disabling mitigations didn't help.  The only way I could get the virtual machines to create is uninstalling EMET.

    --UPDATE--

    I was able to get EMET 4.1 Update 1 to work by turning off every mitigation except DEP, SEHOP, NullPage and BottomUpASLR.  I had to use a config file.  If I use group policy to enforce mitigation, the java virtual machines crash.

    • Edited by ShoMeNick Wednesday, June 11, 2014 1:35 PM Update Post
    Monday, June 09, 2014 4:40 PM
  • Latest Adobe Flash ActiveX control installer crashes on Win7 SP1 x64 running EMET 4.1 Update 1. Figured out that I have to disable ASLR under System Status and reboot, install Flash, then enable ASLR and reboot again.

    Faulting application name: install_flashplayer14x32ax_gtbd_awe_aih.exe, version: 3.5.4.25, time stamp: 0x537d2fbd
    Faulting module name: install_flashplayer14x32ax_gtbd_awe_aih.exe, version: 3.5.4.25, time stamp: 0x537d2fbd
    Exception code: 0xc0000005
    Fault offset: 0x00065ea4
    Faulting process id: 0xfbc
    Faulting application start time: 0x01cf8b15d91bfdd0
    Faulting application path: C:\Users\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CFH7ATP7\install_flashplayer14x32ax_gtbd_awe_aih.exe
    Faulting module path: C:\Users\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CFH7ATP7\install_flashplayer14x32ax_gtbd_awe_aih.exe
    Report Id: 17cffa14-f709-11e3-bbb7-005056c00001


    • Edited by Lucas Z. _ Wednesday, July 16, 2014 5:50 PM
    Wednesday, June 18, 2014 5:48 PM
  • Running EMET 5.0 TP3 on Windows 8.1 x64


    EMET detected ASR mitigation in IEXPLORE.EXE

    ASR check failed:
      Application  : C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Module  : scrrun.dll
      Web address  : http://catalog.update.microsoft.com/v7/site/Search.aspx?q=root%20certificate%20update
      Url zone  : Internet

    scrrun.dll

    Name:                   Scripting.Dictionary
    Publisher:              Microsoft Corporation
    Type:                   ActiveX Control
    Architecture:           32-bit and 64-bit
    Version:                5.8.9600.16384
    Class ID:               {EE09B103-97E0-11CF-978F-00A02463E06F}
    File:                   scrrun.dll
    Folder:                 C:\Windows\System32

    Thanks,

    Tero

    Wednesday, June 25, 2014 1:02 PM
  • Interesting, I have been having multiple crashes with Opera and Internet Explorer, and I am examining logs now and testing to see if this is Emet's fault.

    Please post if you have any crashes with these browsers.

    thanks

    Wednesday, June 25, 2014 6:04 PM
  • Install McAFEE HIPS 8 Patch 4

    Problem
    When the Microsoft Enhanced Mitigation Experience Toolkit (EMET) software is installed on a system running the Host IPS software and the EMET "Deep Hooks" feature is enabled, any application that is hooked by both EMET and Host IPS will become unresponsive on start up.

    Cause
    When Host IPS functionality is enabled, along with Microsoft EMET "Deep Hooks" functionality, both products attempt to protect an application with similar hooking functionality. 

    Solution
    This issue is resolved for Host IPS 8.0 in Host IPS 8.0 Patch 4, released in February 2014. For known issues, see KB78494. For Release Notes, see PD25043.

    Thursday, June 26, 2014 12:36 AM
  • It seems as though there are a lot of issues with this, is it really worth it?  I am sure it is not for me as I don't understand most of what you folks are talking about.  I was really hoping that I could use this on my XP System but I don't know it I want the headache.

    Also interested in why the members here don't have there configuration posted so that others will be able to utilize this information properly?

    Oh, I am sorry It appears this is just for reporting issues? I will look around to see if I can post questions somewhere.
    • Edited by pcpunk Wednesday, July 09, 2014 2:16 AM
    Wednesday, July 09, 2014 2:09 AM
  • I haven't experienced PSI issue.

    I made DEP setting AlwaysOn and even added psi.exe, psia.exe and psi_tray.exe into app config, disabled EAF+, LoadLib, caller, and SimExecFlow (not because specific problem, but just to avoid unexpected problem as those mitigation often cause problem), then no problem found.

    EMET5.0 TP3; Win7 SP1 x64

    Friday, July 11, 2014 1:04 PM
  • It's not an issue, but it is how ASR mitigation work.

    If you don't want it, you can configure ASR mitigation in iexplore.exe.

    In app config screen, select iexplorer.exe and click "Show All Settings".

    Then remove scrrun.dll from ASR tab.

    BTW, I admit it's annoying every time we have to see ASR warning when it comes into play.

    I made custom rules for Adobe Reader which disable scripts, 3D contents, and flash.

    Then every time the reader try to use those function, warning come.

    I want to DISABLE ONLY ASR WARNING while keep all other warnings active. 

    Friday, July 11, 2014 1:12 PM
  • EMET 4.1 U1 and Windows 7 SP1 x86.

    After the July update of the Windows 7 there are many positives Emet, then appear in the journal describing the error with frequent mention msvcrt.dll.

    Download Master - dmaster.exe - SimExecFlow (in the journal referred to msvcrt.dll)

    C:\Windows\system32\mrt.exe - Caller  (in the journal referred to msvcrt.dll)

    C:\Windows\system32\Wat\WatAdminSvc.exe - Caller +  SimExecFlow (in the journal referred to msvcrt.dll)  

    Firefox.exe 24.6.0.5273  -  0xc0000005 - DEP (Memory).

    Saturday, July 19, 2014 3:25 PM
  • Since upgrading to 5.0 on Windows 7 x64 SP1 I experience crashes with a number of different programs. Often (but not always) when using the Windows save file or Windows open file dialog the given program would crash. EMET would not detect any attack or similar but disabling EMET for the given program completely gets rid of the crashes.
    Sunday, August 03, 2014 1:28 PM
  • Same problem here.

    Since 5.0 I can for example still run wmplayer.exe without problems, but if I try to start it opening a video file, wmplayer.exe will crash in EMET.DLL. This is the case on several machines running Windows 8.1 or Windows 7.

    Monday, August 04, 2014 7:59 AM
  • EMET 5.0.5324.31804
    Windows 8.1 Pro (Up-to-date)

    I had to disable the "Stack Pivot" mitigation to make Skype (6.18.0.105, Desktop version) work. Otherwise the process would just crash after a few seconds without any GUI appearing. "EAF", "EAF+" and "ASR" were already disabled by default.

    Event Log entry (in german):
    Name der fehlerhaften Anwendung: Skype.exe, Version: 6.18.0.105, Zeitstempel: 0x53b3f36a
    Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.3.9600.17055, Zeitstempel: 0x532943a3
    Ausnahmecode: 0x000006a6
    Fehleroffset: 0x00011d4d
    ID des fehlerhaften Prozesses: 0x1034
    Startzeit der fehlerhaften Anwendung: 0x01cfb00706ddde85
    Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\Skype\Phone\Skype.exe
    Pfad des fehlerhaften Moduls: C:\Windows\SYSTEM32\KERNELBASE.dll
    Berichtskennung: 45191bab-1bfa-11e4-8283-74d435819821

    Monday, August 04, 2014 5:28 PM
  • The following crash in EMET 5.0 that didn't in EMET 4.1.1:

    Adobe Premiere CS4 - *\Adobe Premiere Pro.exe
    Crashes when opening a new project.  Stores a 'EMET detected DEP mitigation and will close the application' error in Event Viewer, however it's EAF and StackPiviot that need disabling, not DEP.

    Adobe Bridge CS4 - *\Bridge.exe
    Crashes when right-clicking on an image and going to 'File Info'.  Stores a 'EMET detected DEP mitigation and will close the application' error in Event Viewer, however it's EAF and StackPiviot that need disabling, not DEP.


    • Edited by AnaBna Monday, August 11, 2014 2:02 AM
    Monday, August 11, 2014 2:02 AM
  • I added custom entry for ASR, and exported it to a XML file.

    Then deleted all app config through emet_conf.exe and when I imported the settings, those custom ASR entry were not recoverd.

    However, there was correct description about that ASR entry in the XML file.

    Wednesday, August 13, 2014 2:26 PM
  • There is a similar problem reported for IE 11, in a separate thread:

    http://social.technet.microsoft.com/Forums/security/en-US/8453f63f-7b60-46ac-99e5-558eef9a90a2/emet-causes-ie-crash?forum=emet

    IE 10 crashes while viewing web page (http://www.phonearena.com/phones/size). There are no corresponding entries in the event log.

    It's not reproducible 100% of the time. It took many attempts to reproduce it with ProcMon running, but I do have a couple ProcMon logs - if it would help.

    ------------

    Here are the details:

    Problem signature:
      Problem Event Name:    APPCRASH
      Application Name:    IEXPLORE.EXE
      Application Version:    10.0.9200.17054
      Application Timestamp:    53d0b9f0
      Fault Module Name:    EMET.DLL
      Fault Module Version:    5.0.0.0
      Fault Module Timestamp:    53d99ebe
      Exception Code:    c0000005
      Exception Offset:    000012ee
      OS Version:    6.1.7601.2.1.0.256.4
      Locale ID:    1033
      Additional Information 1:    d460
      Additional Information 2:    d460871d13a9e4a764be2b9055549e1a
      Additional Information 3:    60f8
      Additional Information 4:    60f89cbcea4f357f65086eac6a24b3fa

    Read our privacy statement online:
      http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

    If the online privacy statement is not available, please read our privacy statement offline:
      C:\Windows\system32\en-US\erofflps.txt




    • Edited by mmiikkeeuu Sunday, August 17, 2014 5:52 PM Added details
    Sunday, August 17, 2014 4:11 PM
  • EMET 5.0.5324.31804
    Windows 8.1 Pro (Up-to-date)

    I had to disable the "Stack Pivot" mitigation to make Skype (6.18.0.105, Desktop version) work. Otherwise the process would just crash after a few seconds without any GUI appearing. "EAF", "EAF+" and "ASR" were already disabled by default.

    Event Log entry (in german):
    Name der fehlerhaften Anwendung: Skype.exe, Version: 6.18.0.105, Zeitstempel: 0x53b3f36a
    Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.3.9600.17055, Zeitstempel: 0x532943a3
    Ausnahmecode: 0x000006a6
    Fehleroffset: 0x00011d4d
    ID des fehlerhaften Prozesses: 0x1034
    Startzeit der fehlerhaften Anwendung: 0x01cfb00706ddde85
    Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\Skype\Phone\Skype.exe
    Pfad des fehlerhaften Moduls: C:\Windows\SYSTEM32\KERNELBASE.dll
    Berichtskennung: 45191bab-1bfa-11e4-8283-74d435819821

    I just wanted to say I've run into the same issue on Windows 8.1 Pro x64 with 6.18.106. I believe it only occurred following my upgrade from EMET 4 to EMET 5. I'm running the English version of Skype 

    • Edited by Quitch 18 hours 56 minutes ago
    18 hours 58 minutes ago
  • It should be noted that ATI resolved their ASLR driver issues in release 12.6.
    18 hours 54 minutes ago
  • System Explorer 5.9.2.5250 crashes when SimExecFlow is applied to.

    Win7HPx64, EMET5.0 with DH. AD, BF enabled.

    BTW this site took quite long time to be displayed on IE, even worse when I clicked 'reply' on Chrome, I logged out automatically so cannot reply at all.

    Finally I used Firefox but it temporarily goes unresponsive.

    Also popup about MS data collection is quite annoying.

    11 hours 57 minutes ago
  • Zemana Antilogger (Antilogger.exe) and SecuniaPSI (psia.exe) can't start if StackPivot is applied to.
    10 hours 21 minutes ago