Event logging in EMET 4.0 beta

  • Question

  • Hi all,

    I've just installed the latest beta version of EMET 4.0, for which the latest improvements seem quite promising. The EMET Agent seems to be running all fine. However, I'm not seeing any events related to EMET in Event Viewer. 

    According to the EMET 4.0 User's Guide, events logged by EMET are logged in the "Application" log, with "EMET" as source. Actions like starting EMET Agent or modifying the configuration of EMET generate events, so there should be plenty of events after installing EMET, configuring some stuff and rebooting the computer. "Event Log" is checked in the Reporting configuration pop-up.

    Does anybody have an idea of what could cause the issue, or where I should be looking for events?

    Cheers

    • Edited by MikeSec Monday, April 22, 2013 11:15 AM
    Friday, April 19, 2013 9:40 AM

All replies

  • Quick update: I created a rogue pinning rule to see what happens when the browser connects to a site with an untrusted certificate, and it actually logs an event of level "Warning", log "Application", source "EMET".

    So it looks like some events have been deactivated - intentionally or not - without updating the User's guide accordingly.

    Cheers

    • Edited by MikeSec Monday, April 22, 2013 11:15 AM
    Friday, April 19, 2013 1:52 PM
  • Hi MikeSec,

    Welcome to the EMET Support forum.

    I am sorry to learn of the issues you are experiencing with EMET interacting with the Windows Event Viewer. May I ask, what version of Windows you are using?

    I have so far installed EMET 4.0 Beta on a Windows 7 64 bit SP1 and a Windows XP SP3 system. It is working as expected with the Event Viewer. I am NOT trying to be patronizing or smart when I state this. Please find below screenshots from Windows 7 64 bit SP1 and Windows XP SP3 demonstrating this:

    Windows 7:

    Direct Links to Images:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_40_Beta_Event_Logging1.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_40_Beta_Event_Logging2.png

    Windows XP:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_40_Beta__WinXP_Event_Logging3.png

    With some searching of previous forum threads, I have located some related EMET event logging threads that may be of assistance to you:

    emet 3.0 Error writing to the event log

    http://social.technet.microsoft.com/Forums/en-US/emet/thread/31a6b652-cab7-48ec-a01f-5cb437c3bc0c

    emet notifier crash on startup

    http://social.technet.microsoft.com/Forums/en-US/emet/thread/e743d6b4-30d5-42a4-8eb0-ff01a3dd94b3

    As you have pointed out, the EMET Notifier has now been replaced by the EMET Agent. Please find below the command that I successfully used with EMET 4.0 Beta. There is no mention of this command in the User’s Guide. In addition, I did not receive a success message when I entered this command, but I also did not receive an error message. My EMET 4.0 Beta installations continue to work normally with the Event Viewer.

    EMET_Agent.exe --InitEventViewerSource --silent

    For detailed instructions of how to access and use the Command Prompt to enter this command, please see the first EMET forum thread linked to above.

    If the related EMET threads have not been of assistance to you in resolving this issue, please find below a number of forum threads that detail various methods to repair the Windows 7 Event Viewer:

    http://answers.microsoft.com/en-us/windows/forum/windows_7-system/event-viewer-service-not-start/8cd86b1b-d46e-e011-8dfc-68b599b31bf5

    http://www.sevenforums.com/general-discussion/45729-event-viewer-troubles.html

    http://social.technet.microsoft.com/Forums/en-us/winserverManagement/thread/f97e84d6-115b-43d4-887f-021523626fda

    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/76a2e7eb-029e-4613-9397-b469be24df6a

    For your information, in the following thread I explain how to access and more easily make use of the information logged by EMET within the Windows Event Viewer:

    http://social.technet.microsoft.com/Forums/en-US/emet/thread/562e2284-e3ff-4621-a1a6-bc02b5388c12

    If none of the above information has been successful in resolving this issue, I would suggest sending an email to the EMET 4.0 Beta Feedback address as mentioned at the end of Page 40 of the EMET 4.0 Beta User’s Guide.

    I hope the above information is of assistance to you. If I can answer any further questions, please let me know.

    Thank you.

    • Edited by JamesC_836 Saturday, April 27, 2013 3:00 PM Minor correction
    Sunday, April 21, 2013 2:44 PM
  • Dear JamesC_836,

    Thanks for your message.

    I'm running Windows 7 SP1, 32-bit edition. To be on the safe side, I uninstalled EMET 4.0 beta, deleted the related registry key in HKLM\Software\Microsoft\EMET, rebooted and installed it again, this time logged in as administrator (rather than escalating to admin from an unprivileged account as I did the first time I installed EMET 4.0).

    When I run the command you mentioned from cmd with admin rights ( '.\EMET_Agent.exe --InitEventViewerSource--silent' ), I get nothing but a pop-up and an event of type "ERROR" in the "Application" log from source "EMET", both having the same text: 

    Failed to initialize EMET helper process!
    183

    Still, no "normal" event is logged upon configuration changes or restarting the computer.

    For your information, to review EMET events, I actually created a custom view in the Event Viewer, filtering "By source" on "EMET".

    I'll try to further investigate this issue -- I was expecting some users might be experiencing the same. Thanks anyway for your help. =)

    Mike

    Monday, April 22, 2013 7:39 AM
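    As an added example (not part of the thread or of EMET itself), the PowerShell below does from the command line what the custom view described above does in Event Viewer: it pulls every Application-log event whose source is "EMET", summarises them by level, and first checks whether the "EMET" event source is registered at all, which is the usual reason an application can write nothing to a log. The log name and source name are taken from the thread; the registry location is the standard place Windows registers event sources, and the existence of an "EMET" subkey there is an assumption.

```powershell
# Added example, not from the thread: inspect EMET event logging on the local machine.
# Assumes EMET writes to the "Application" log with source "EMET" (as the EMET 4.0
# User's Guide states) and that the source is registered under the standard
# EventLog registry path; the "EMET" subkey there is an assumption.

$LogName    = 'Application'
$SourceName = 'EMET'

# 1. Is the event source registered? If this key is missing, writes to the log
#    fail and Event Viewer cannot resolve the message strings for the source.
$sourceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$SourceName"
if (Test-Path $sourceKey) {
    Write-Host "Event source '$SourceName' is registered at $sourceKey"
    Get-ItemProperty -Path $sourceKey | Select-Object EventMessageFile, TypesSupported
} else {
    Write-Warning "Event source '$SourceName' is NOT registered under $sourceKey"
}

# 2. Pull the EMET events themselves (the equivalent of a custom view filtered
#    "By source" on "EMET"), newest first. SilentlyContinue avoids the
#    non-terminating error Get-WinEvent raises when nothing matches yet.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $SourceName } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No events from source '$SourceName' found in the $LogName log."
    return
}

# 3. Summarise by level so Error and Warning entries (certificate pinning
#    mismatches, failed helper-process starts) stand out from informational ones.
$events | Group-Object LevelDisplayName |
    Select-Object @{ n = 'Level'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

# 4. Show the most recent entries with their full message text.
$events | Select-Object -First 20 TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize
```

    Run it from an elevated PowerShell prompt so the registry check can read the EventLog service keys. If step 1 reports the source as missing while EMET is installed, the problem is source registration on that machine rather than Event Viewer; if the source is registered but step 2 finds only Error or Warning entries, the agent is reaching the log and the missing informational events are a behaviour question for the product.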
  • When I run the command you mentioned from cmd with admin rights ( '.\EMET_Agent.exe --InitEventViewerSource--silent' ), I get nothing but a pop-up and an event of type "ERROR" in the "Application" log from source "EMET", both having the same text: 

    Failed to initialize EMET helper process!
    183

    Still, no "normal" event is logged upon configuration changes or restarting the computer.

    For your information, to review EMET events, I actually created a custom view in the Event Viewer, filtering "By source" on "EMET".

    I'll try to further investigate this issue -- I was expecting some users might be experiencing the same. Thanks anyway for your help. =)

    Mike

    Hi Mike,

    Thanks for your update.

    It would appear that for some reason a temporary EMET_Agent process is not being created when you run that command. When I ran the same command, 2x EMET_Agent processes temporarily start and then end with no error. I was able to determine this by using Sysinternals Process Monitor, specifically its Process Tree, which is accessible from Tools->Process Tree:

    Direct Links to Images:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_4_Beta_Agent_CMD_1.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_4_Beta_Agent_1.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_4_Beta_Procmon.png

    During the installation of EMET it asks if you wish to install for Everyone or Just Me. I chose Just Me since the test PC I am using has 1x Admin account and 1x standard user account. I installed EMET from the Admin account. As you mentioned, to configure EMET it is always necessary to run it with admin privileges, so it can still be configured from the standard account.

    To view the Event logs from the standard account I tried opening the Event Viewer with standard rights and could see current and past events from EMET. Running the Event Viewer with admin rights gave the same result.

    I also tried running the above command to the EMET Agent in the standard account (using a command prompt with admin rights) and the result was the same as using the admin account (as expected since command prompt is again running from the admin account).

    My reason for trying all of the above combinations was to try to reproduce the error you are experiencing but I have been unsuccessful. Is there another PC you could test this on? This should serve to narrow down what is causing this issue.

    Please let us know how your investigation progresses. I am more than happy to provide any assistance that I can to you.

    Thank you.

    • Edited by JamesC_836 Monday, April 22, 2013 10:35 AM Fixed Image Links
    Monday, April 22, 2013 10:28 AM
  • Dear MikeSec/JamesC_836,

    Thank you for your feedback on EMET 4.0 Beta.

    Regarding MikeSec's comment:
    "According to the EMET 4.0 User's Guide, events logged by EMET are logged in the "Application" log, with "EMET" as source. Actions like starting EMET Agent or modifying the configuration of EMET generate events, so there should be plenty of events after installing EMET, configuring some stuff and rebooting the computer. "Event Log" is checked in the Reporting configuration pop-up."

    The part regarding "starting EMET Agent is not logged into Event Viewer" is correct; this behavior was present in EMET 3.0 and not in EMET 4.0 Beta. Thanks for reporting this.

    We are not able to verify the second part ("modifying the configuration of EMET does not generate events"), because we are seeing the same behavior described by JamesC_836 with no issues. If you can provide more details to replicate this issue it will be helpful.

    Also please be aware that the command line switch "--InitEventViewerSource" is for internal use only with EMET 3.0 and may not be applicable with EMET 4.0 Beta.

    Thursday, April 25, 2013 9:07 PM
  • Also please be aware that the command line switch "--InitEventViewerSource" is for internal use only with EMET 3.0 and may not be applicable with EMET 4.0 Beta.

    From the above 2 EMET event logging threads that I linked to, it was not mentioned that the "--InitEventViewerSource" switch was for internal use only. My apologies for not being aware of this.

    Friday, April 26, 2013 12:01 PM