EMET 3.5 fails to install...

  • Question

  • The system in question had been running EMET 3.5 for six months or so. The notification gave me an error today and suggested reinstalling EMET, which seemed easy enough to do.

    After uninstalling EMET 3.5 the newly downloaded MSI file was executed, but instead of installing, it gave me this error message:

    It doesn't matter if the installation is started with "Run as administrator" or while logged in as administrator; the error message is the same. The version 3.0 installation gives the same error message.

    The system in question is Windows 7 64-bit SP1 with all of the security updates installed. Any other program installation from an "exe" file proceeds just fine; it is seemingly just the "msi" that gives this error message.

    While this is not really an EMET issue, are there any changes that would need to be made to allow the EMET install to proceed?

    TIA...

    Friday, March 29, 2013 7:57 PM

All replies

  • Hi Secure-BITS,

    The error message suggests to me a Group Policy or another restriction such as AppLocker or Software Restriction Policies (SRP) could be the cause. A customized deployment of AppLocker could stop the Run As Administrator option from working. If you are not using Windows 7 Enterprise or Windows 7 Ultimate, it can’t be AppLocker.

    Have any other changes been made on this system recently (even un-related ones)? The only other suggestion I can give is to run Process Monitor as described in the thread linked to below in an effort to determine what is causing the issue:

    http://social.technet.microsoft.com/Forums/en-US/emet/thread/77f80438-c477-4c25-b034-e053e5491f9f

    You can ignore the steps for including cmd.exe and emet_conf.exe in the trace. For any process that you feel is not relevant to the error/issue, you can right click it and exclude it as shown in the screenshot from the above linked to thread. Excluding items from the trace will make it easier to determine what the cause of the issue is. If you later feel any excluded process is relevant, you can re-include it in the trace by resetting the filter as shown in the screenshot below:

    Direct Link To Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/ProcessMonitorResetFilter.jpg

    In addition, stopping Process Monitor from capturing events as soon as possible after installation error has occurred will significantly reduce the number of events in the trace you will have to interpret. Given that most installation routines can have thousands of entries, this small step can be crucial.

    I hope the above suggestions are at least of some assistance to you. My apologies that I don’t have any further insight into what could be causing this.

    Thank you.

    • Edited by JamesC_836 Saturday, March 30, 2013 2:50 PM Added further Process Monitor info
    Friday, March 29, 2013 8:34 PM
  • Hello James,

    Thank you for your suggestions...

    The system is Windows 7 Professional SP1, 64-bit. The only "major" change to the system had been updating to IE 10, which was uninstalled for testing this issue, but the error message is the same.

    The "procmon" shows that the "msi" package is being processed by "msiexec.exe" with errors such as "FILE LOCKED WITH ONLY READERS", "FAST IO DISALLOWED", "ACCESS DENIED", "BUFFER TOO SMALL", "BUFFER OVERFLOW", etc. I have not used "procmon" for a while and don't really know what to look for.

    The log file for "msiexec.exe" has been saved and here's some of the access denied section:

    Thanks for your help...

    Saturday, March 30, 2013 3:41 PM
  • Hi Secure_BITS,

    Thanks for your update.

    Please find below a Process Monitor trace from my Windows 7 Professional 64 bit SP1 test virtual machine. This is a fresh install of Windows. It has no programs installed. I captured a Process Monitor trace that is filtered to show only events from msiexec.exe. For comparison the full trace file can be downloaded from the following link:

    Windows 7 SP1 64 bit:

    https://skydrive.live.com/redir?resid=669356BE500E17FB!171&authkey=!AK-S2xQiPRN4bYE

    When the file appears in the browser window, right click it and choose Download. Please let me know if you encounter any issues downloading it.

    Here is what I found:

    I also experienced many BUFFER OVERFLOW errors as well as only 2 ACCESS DENIED errors within the Process Monitor trace only (i.e. no error messages visually appeared during the installation). Please find these 2 ACCESS DENIED errors pictured below:

    Direct Link To Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Microsoft_EMET_35_TP_Acc_Denied.png

    The registry key referenced in both of these ACCESS DENIED cases is (IEInstal.exe is not a spelling error):

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEInstal.exe

    To significantly reduce the number of entries visible in the trace and to compare it with your result, I chose to filter by including RegCreateKey as shown in the screenshot below. I could then filter by types of error message (the types are mentioned above) to make comparison much easier:

    Direct Link To Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Microsoft_EMET_35_TP_Filter.png

    However the EMET installation was successful. For the screenshot that you have provided, I have attached an equivalent screenshot and the difference is immediately visible. All of the ACCESS DENIED errors you have demonstrated are SUCCESS in my case:

    Direct Link To Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Microsoft_EMET_35_TP_Sys_Certs_Success.png

    From what I can tell, there is a permissions error of some kind on that particular PC. I would suggest creating a new user account with Administrator privileges and using it to install EMET 3.5 Tech Preview. I used the “Just Me” install option (when asked who to install EMET for). On my physical Windows 7 64 bit SP1 PC, I have also used this option and can configure EMET from my standard user account by running EMET_GUI.exe with admin privileges. There is a possibility however that this issue may be at a deeper level than a user account.

    I have located the following resources for resetting registry and file permissions on Windows 7 but I CANNOT guarantee they will work. When I carried out the registry reset steps on another Windows 7 PC recently, the result was even worse after the “fix”. USE THESE AT YOUR OWN RISK:

    Registry Permissions Reset (claims compatibility with Windows Vista and Windows 7):

    http://purconn.net/blog/2009/09/reset-registry-permissions-on-windows-xp/

    File and Folder Permissions:

    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/d09a393b-68df-43de-9f31-735f83242497/

    If the creation of the new administrator account does not resolve this issue, I would suggest re-installing Windows since I do not possess the required knowledge to resolve these permission errors. I have provided the above reset links for reference but I cannot guarantee their success (I did NOT create/develop those steps).

    My apologies that I cannot be of more assistance to you. If you have access to Microsoft Services Premier and Professional Support for EMET, this would be the next level of support that could assist with resolving this issue. The only other means of support is this forum which is used by volunteers like me.

    Official support from Microsoft used to be provided on this forum but the poster named EMET Support has not posted on this forum for almost 5 months. I am unsure why they have not posted in such a long time, but I hope they return soon.

    If you have any difficulties reading any of the content of any of the above screenshots, please let me know.

    I hope the above information is of some assistance to you. Thank you.


    • Edited by JamesC_836 Saturday, March 30, 2013 8:19 PM Added extra info
    Saturday, March 30, 2013 6:25 PM
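The comparison in the reply above (a failing msiexec.exe trace beside a working one, with the noisy BUFFER OVERFLOW / NAME NOT FOUND results filtered away) can be scripted once both traces are saved as CSV from Process Monitor. This is an added example, not code from the thread or from Microsoft; it assumes Procmon's default CSV export columns, and the EMET file path and both sample traces inside it are constructed for illustration.

```python
"""Triage a Process Monitor CSV export for a failing MSI install.

Added example, not code from the thread. Assumes the default columns of
Procmon's "Comma-Separated Values" export (File > Save). It drops results a
healthy msiexec.exe trace produces anyway and diffs the ACCESS DENIED paths
of a failing trace against a known-good one, the comparison done by eye above.
"""
import csv
import io
from collections import Counter

HEADER = ["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"]
# Results that also appear in a working install; not the cause of a failure by themselves.
BENIGN_RESULTS = {"SUCCESS", "BUFFER OVERFLOW", "BUFFER TOO SMALL", "NAME NOT FOUND",
                  "FAST IO DISALLOWED", "FILE LOCKED WITH ONLY READERS", "NO MORE ENTRIES"}
# The IFEO key named in the thread; the EMET file path is a constructed placeholder.
IFEO_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options\IEInstal.exe")
EMET_EXE = r"C:\Program Files (x86)\EMET\EMET_GUI.exe"


def rows_to_csv(rows):
    """Render constructed rows in the shape of Procmon's CSV export."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample traces, not real captures. Both contain the two IFEO denials seen
# in the working install in the thread; only the failing one is denied on the EMET file.
FAILING_TRACE = rows_to_csv([
    ("3:41:02.1", "msiexec.exe", "1234", "RegOpenKey", IFEO_KEY, "NAME NOT FOUND", "Desired Access: Read"),
    ("3:41:02.2", "msiexec.exe", "1234", "RegCreateKey", IFEO_KEY, "ACCESS DENIED", "Desired Access: All Access"),
    ("3:41:02.3", "msiexec.exe", "1234", "RegQueryValue", r"HKLM\SOFTWARE\Classes\Installer", "BUFFER OVERFLOW", "Length: 144"),
    ("3:41:02.4", "msiexec.exe", "1234", "ReadFile", r"C:\Windows\Installer\tmp.msi", "FILE LOCKED WITH ONLY READERS", "Offset: 0, Length: 4,096"),
    ("3:41:02.5", "msiexec.exe", "1234", "RegCreateKey", IFEO_KEY, "ACCESS DENIED", "Desired Access: All Access"),
    ("3:41:02.6", "explorer.exe", "800", "RegOpenKey", r"HKCU\Software\Classes", "SUCCESS", "Desired Access: Read"),
    ("3:41:02.7", "msiexec.exe", "1234", "CreateFile", EMET_EXE, "ACCESS DENIED", "Desired Access: Generic Write"),
])
WORKING_TRACE = rows_to_csv([
    ("3:50:11.1", "msiexec.exe", "2222", "RegCreateKey", IFEO_KEY, "ACCESS DENIED", "Desired Access: All Access"),
    ("3:50:11.2", "msiexec.exe", "2222", "RegCreateKey", IFEO_KEY, "ACCESS DENIED", "Desired Access: All Access"),
    ("3:50:11.3", "msiexec.exe", "2222", "CreateFile", EMET_EXE, "SUCCESS", "Desired Access: Generic Write"),
])


def failures_by_process(csv_text, process="msiexec.exe"):
    """Count the non-benign results of one process, keyed by (operation, result, path)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() == process.lower() and row["Result"] not in BENIGN_RESULTS:
            counts[(row["Operation"], row["Result"], row["Path"])] += 1
    return counts


def access_denied_paths(csv_text, process="msiexec.exe"):
    """Distinct paths on which the process was refused access, sorted."""
    return sorted({path for (_op, result, path) in failures_by_process(csv_text, process)
                   if result == "ACCESS DENIED"})


def compare_traces(failing_csv, working_csv, process="msiexec.exe"):
    """Denied paths unique to the failing trace: the denials worth chasing."""
    return sorted(set(access_denied_paths(failing_csv, process))
                  - set(access_denied_paths(working_csv, process)))


if __name__ == "__main__":
    for key, n in failures_by_process(FAILING_TRACE).most_common():
        print(n, *key)
    print("denied only in failing trace:", compare_traces(FAILING_TRACE, WORKING_TRACE))
```

With real exports, read both files into strings and pass them to compare_traces; a path that is denied in both traces (like the IFEO key here) is not what broke the install.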
  • Hi James,

    Thank you for your assistance and suggestions...

    I've used the filter for monitoring the EMET install and this time there were no "ACCESS DENIED" errors, but the installation still failed. Creating a new admin account didn't help either; still the same error for the EMET install.

    Resetting the registry permission requires downloading and installing the "subinacl.msi" file. While I didn't want to fix the registry, it was downloaded for testing another MSI installation package from MS. This one had no issues and installed just fine.

    Everything else seems to work just fine and I am going to let it go. The system is about four years old and it is due for a reinstall, or an in-place repair, even if I am not a fan of it.

    Again, thanks for your help...

    Monday, April 1, 2013 10:27 AM
  • Hi Secure-BITS,

    I am sorry that the installation is still failing. It’s strange that installing another program using an MSI file works fine while the EMET installation (which uses the same technique) fails.

    Permissions errors are notoriously difficult to resolve. I have been able to resolve permissions issues on files and folders (with assistance from the TechNet forum) but never issues with the registry. As I mentioned, while the “fix” involving the use of subinacl.msi succeeded without error when I tested it a number of months ago, it didn’t correct the original issue and actually caused further issues. For these reasons your choice of re-installing Windows is in my opinion the best option.

    Does this issue only occur on 1 of your PCs? I would hate to think that you have to re-install Windows on many PCs.

    Thanks very much for voting my post above as helpful. I just wish I could have helped out more. As always, if any other of this forum's members or I can be of any further assistance, please let us know.

    Thanks again.

    Monday, April 1, 2013 2:38 PM
  • This is actually my own small business PC and I have not noticed this issue anywhere else. As stated earlier, this installation of W7 SP1 64-bit has been running for about four years; it's been through a number of things such as power failures, a burned-up motherboard, new hardware, etc. It handled the new hardware rather well, just needed a reboot for the new devices and has been working ever since.

    While I'd advise my client to reinstall Windows in similar cases, I'd just hate to build up a new system. Maybe I'll just restore my system from an earlier image backup and see if that resolves it. I am still suspicious of IE10 changing some settings that prevented the EMET installation. I did make an image backup prior to upgrading the system to IE10.

    Thanks for your help...

    Monday, April 1, 2013 3:09 PM
  • While I'd advise my client to reinstall Windows in similar cases, I'd just hate to build up a new system. Maybe I'll just restore my system from an earlier image backup and see if that resolves it. I am still suspicious of IE10 changing some settings that prevented the EMET installation. I did make an image backup prior to upgrading the system to IE10.

    Thanks for your help...

    Hi Secure-BITS,

    That’s great news. I like the sound of that. If you have a working backup, give it a try.

    I will update my test VM of Windows 7 to IE 10 and will test if EMET 3.5 Tech Preview installs. In preparation for that, I will install all other Windows/security updates. I will let you know how it progresses.

    Thanks for your update.

    Monday, April 1, 2013 4:26 PM
  • Restoring the image backup that was created just prior to updating to IE 10 did fix the issue. EMET is running and so is the EMET notifier without issues. I did not try installing EMET since it is up and running without errors.

    One of the possibilities is that IE 10's virtual box mode made some system changes that prevent "msiexec.exe" from writing to some of the registry settings, causing the program installation to fail. The other is that the security patches from March could've had the same effect; the image restore effectively removed these security patches.

    I'll apply the security patches, check EMET operation, and then update to IE 10, keeping my fingers crossed. IE 10 is the most secure browser from Microsoft and I liked it.

    Once a month, or more frequently if major changes are made to the system, a backup image is created for W7 using Macrium Reflect. At times, I'll use W7's image backup. It is more of a backup for Reflect; in case that wouldn't work, the W7 restore could come in handy. With an SSD for the OS and an eSATA III backup drive, the whole process takes around 15-18 minutes to create an image.

    Monday, April 1, 2013 7:04 PM
  • Restoring the image backup that was created just prior to updating to IE 10 did fix the issue. EMET is running and so is the EMET notifier without issues. I did not try installing EMET since it is up and running without errors.

    Hi Secure-BITS,

    I am really glad to hear that restoring the backup resolved the issue for you. Your backup routine is an excellent practice. I follow a similar practice and it has saved me from trouble a few times.

    In order to obtain more insight into what is causing this issue, I set up the following configurations using a fresh Windows 7 Professional 64 bit SP1 virtual machine:

    ------------------------------------------------------------------------------------------------

    Windows 7: All security updates installed (including March 2013) + IE9

    Windows 7: All security updates installed (including March 2013) + Platform Update kb2670838 + IE 9

    Windows 7: All security updates installed (including March 2013) + Platform Update kb2670838 + IE 10 (with EPM enabled)

    ------------------------------------------------------------------------------------------------

    In all of the above configurations, EMET 3.5 Tech Preview successfully installed. I had IE 10 open while installing EMET. I also verified that in each of the above configurations EMET was protecting the programs included in its All.xml deployment profile. This leads me to believe that something else is causing this issue.

    You are correct, IE 10 does feature enhanced memory protections and Enhanced Protected Mode (EPM) (which on Windows 8 isolates IE 10 within an AppContainer). On Windows 7, IE 10 will run as a 64 bit process and with Low Integrity when EPM is enabled.

    You’re right, IE 10 is the most secure version of IE that has been created. However these security features are designed to prevent installation of malicious items when executed within IE e.g. drive by downloads. They don’t have any effect on an installer that you manually run when it is stored on your hard drive (i.e. locally rather than remotely).

    Since the backup you have restored to has a working version of EMET, I agree that you should proceed with your suggestion of installing IE 10 and see what happens. If you have any older backups than the one you have already mentioned, that could also be an option for you.

    I would be interested to know of any further progress/developments that you make. Thank you.

    • Edited by JamesC_836 Tuesday, April 2, 2013 10:55 AM Spelling error
    Tuesday, April 2, 2013 10:34 AM
  • James,

    Thank you for verifying that it is not IE10 or the March security patches that prevented the installation of EMET 3.5 on your system, which is relatively clean. My system is anything but clean and that could be contributing to the issue. After installing the March patches and IE10, EMET stopped working and won't install, pretty much the same error.

    I have already wasted a lot of time on this issue and am getting ready to reinstall everything, OS, programs, etc. The system is due for one anyway and I should've done it when the Sandy storm burned my motherboard. Having a system backup in image format just makes me lazy and it is easier to restore than rebuild...

    Thanks again for your help...

    Tuesday, April 2, 2013 9:52 PM
  • My system is anything but clean and that could be contributing to the issue. After installing the March patches and IE10, EMET stopped working and won't install, pretty much the same error.

    I have already wasted a lot of time on this issue and am getting ready to reinstall everything, OS, programs, etc. The system is due for one anyway and I should've done it when the Sandy storm burned my motherboard. Having a system backup in image format just makes me lazy and it is easier to restore than rebuild...

    Thanks again for your help...

    Hello again Secure-BITS,

    I am sorry to hear that the installation error is again occurring after installing IE 10 and the March 2013 security updates.

    I totally agree that having a system image is easier than rebuilding which is why I have a separate image of my physical PC (not a virtual machine) that I created the day I built it so that I can restore it without re-installing Windows. It has been particularly useful several times and I only need to re-install my programs and update some routine drivers. I don’t think it is a "lazy" approach. I would call it planning ahead so that you can get back to a working state faster.

    I realize that I have the advantage of test installing EMET 3.5 Tech Preview on a newly installed Windows 7 SP1 64 bit Professional virtual machine. I maintain such a VM since it is perfect for this kind of root cause analysis. With no programs installed, there is minimal possibility of a conflict.

    I hope that I am not frustrating you by stating that it is working fine for me; that is NOT my intention. I am here to assist you in resolving this EMET installation issue.

    Unfortunately I have come to realize that Windows deteriorates from the day it is installed, through no fault of the person using it or a fault from Microsoft. While an installation can work perfectly for years (I have had similar success to you in terms of how long Windows can work reliably), there comes a time when a new install is in order. (Apologies for going off-topic.)

    I have been thinking of other ways to repair the permissions of Windows (both registry and file permissions) without causing further issues. Last year I encountered a utility that can be used for repairing a PC after it has been damaged by malware. I successfully used it last year and I found it to be helpful. It is called Ultra Virus Killer (UVK) 5.1. It is available from the following download link:

    http://www.majorgeeks.com/UVK_Ultra_Virus_Killer_d7653.html

    The utility's home page is:

    http://www.carifred.com/uvk/

    If you are suspicious of the utility's name, I admit, it sounds strange. I have scanned it today with VirusTotal and Virus Scan by Jotti. Only false positives were returned (the links above show the actual results). Malwarebytes and Microsoft Security Essentials also declared this utility clean. This installation file is also digitally signed (which helps to boost its credibility).

    I restored my Windows 7 virtual machine back to an initial install state and used the following system repair options of UVK. I then repeated the installation of all updates as mentioned in my previous post (above) while also testing if EMET 3.5 Tech Preview would install each time.

    Here is a step by step process of how I used UVK:

    1. Download and install it from the above link. It is up to you which options you tick during installation, here are the options that I chose:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/UVK1.png

    2. Open UVK (use the icon on your desktop) and choose System Repair.

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/UVK2.png

    3. Select each of the following entries in the list (press the Ctrl key and click each option in the list):

        Reset registry and file permissions

        Reset user default settings

    4. Choose "run selected fixes" and then reboot your PC.

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/UVK3.png

    5. I also noticed the following option which may be of assistance to you (scroll down the list of fixes to the second section: Fixes for common Windows problems):

        Fix install problems

    6. I also performed this repair and rebooted.

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/UVK4.png

    7. I then installed all security updates as mentioned previously while testing EMET 3.5 Tech Preview each time (I restored to a clean configuration each time (but re-ran the UVK fixes each time) so that I did not need to uninstall EMET during this process). No issues were encountered and EMET also installed without issue every time.

    I am unsure if this utility will be of assistance to you, but if it saves you from having to fully reinstall Windows, it will be worth it to give it a try. UVK did not damage the installation of Windows in any way that I could tell, everything worked normally.

    Also, if the above steps have not resulted in success, the following Microsoft Fixit solutions may be of assistance, the first repairs policies of Windows (among many other fixes; policies are related to permissions, but aren’t quite the same thing) while the second Fixit can resolve application installation issues:

    These Fixit tools require the .Net Framework to be installed on your PC, although it is very likely that it is already installed since EMET also requires it:

    http://support.microsoft.com/mats/Malware_Prevention/en-us

    http://support.microsoft.com/mats/Program_Install_and_Uninstall/en-us

    I hope this helps and please keep us informed of your progress. As always, I will be available to assist you in any way that I can.  Thank you for voting my previous posts as helpful, it is much appreciated.

    --------------------------------------------------------------------------------------------

    Please note that while I suggested a re-install of Windows in this thread, it is not a recommendation that I provide lightly. If all of the suggestions in this thread fail to resolve the original issue, then a re-installation of Windows can be a solution. I realize that this suggestion is often over-used when a more challenging issue requires troubleshooting.

    In addition, the above reason is not the only reason that I suggested a re-installation of Windows. Secure-BITS mentioned that he has already spent a lot of time trying to resolve this issue. When troubleshooting an issue, you have to balance the time a person spends trying to fix an issue that, even with the suggested steps, may not be fixable, against the time spent on a re-installation that is much more likely to yield a successful outcome. Once the troubleshooting time becomes significant, a re-installation can be a less frustrating and potentially time-saving option.

    --------------------------------------------------------------------------------------------

    • Edited by JamesC_836 Sunday, April 21, 2013 3:18 PM Fixed spelling error and added further explanation
    Wednesday, April 3, 2013 4:38 PM