Inconsistent EMET behavior with Word and PowerPoint attachments opened from Outlook

  • Question

  • Hi,

    I am working with a customer that is piloting EMET v3 in their environment.  They have about 500 pilot users and 3 of them are experiencing intermittent issues when opening Word and PowerPoint email attachments in Outlook.  When opening some attachments (not all), EMET will prevent Word or PowerPoint from opening the attachment the first time it is opened.  After the initial opening of the attachment, EMET will no longer prevent the attachment from opening.  The document will ask to recover the document the second time you open it and from that point on it will simply open.  This makes getting a reproduction of the issue very difficult because we do not know when it will happen and once it has happened the first time, we can no longer get EMET to block the launch.

    Is there a way to clear the EMET cache or is there verbose logging that we can turn on for EMET on these 3 users' systems?  We have attempted to clear Office, Internet, and Temp caches to reproduce the behavior without success.  Any additional information that will help us resolve this issue would be appreciated.


    Thanks, Kevin

    Wednesday, July 11, 2012 2:59 PM

All replies

  • We have managed to get a procmon capture when the event occurs and I will review that to see what I can find.  At the time of the occurrence, we get the event below, but it is not very helpful.  Is there any additional log information I should be attempting to capture?

    Log Name:      Application
    Source:        EMET
    Date:          7/11/2012 9:57:08 AM
    Event ID:      2
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:
    Description:
    EMET_DLL module logged the following event:
    EMET detected DEP mitigation and will close the application: C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="EMET" />
        <EventID Qualifiers="0">2</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-07-11T16:57:08.000000000Z" />
        <EventRecordID>13937</EventRecordID>
        <Channel>Application</Channel>
        <Computer></Computer>
        <Security />
      </System>
      <EventData>
        <Data>EMET_DLL module logged the following event:
    EMET detected DEP mitigation and will close the application: C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE</Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        Application Error
    Date:          7/11/2012 9:57:09 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      <snip>
    Description:
    Faulting application name: WINWORD.EXE, version: 12.0.6661.5000, time stamp: 0x4f7cd9da
    Faulting module name: Winspool.DRV, version: 6.1.7601.17514, time stamp: 0x4ce7ba4b
    Exception code: 0xc0000005
    Fault offset: 0x00001364
    Faulting process id: 0x1bd8
    Faulting application start time: 0x01cd5f8634bbc0a7
    Faulting application path: C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
    Faulting module path: C:\Windows\system32\Winspool.DRV
    Report Id: 732243ed-cb79-11e1-8ab2-ef1e1ad633bc

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-07-11T16:57:09.000000000Z" />
        <EventRecordID>13938</EventRecordID>
        <Channel>Application</Channel>
        <Computer></Computer>
        <Security />
      </System>
      <EventData>
        <Data>WINWORD.EXE</Data>
        <Data>12.0.6661.5000</Data>
        <Data>4f7cd9da</Data>
        <Data>Winspool.DRV</Data>
        <Data>6.1.7601.17514</Data>
        <Data>4ce7ba4b</Data>
        <Data>c0000005</Data>
        <Data>00001364</Data>
        <Data>1bd8</Data>
        <Data>01cd5f8634bbc0a7</Data>
        <Data>C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE</Data>
        <Data>C:\Windows\system32\Winspool.DRV</Data>
        <Data>732243ed-cb79-11e1-8ab2-ef1e1ad633bc</Data>
      </EventData>
    </Event>


    Thanks, Kevin


    Wednesday, July 11, 2012 5:17 PM
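
Added example (not part of the original thread, and not EMET or Microsoft code): the EMET event above names only the mitigation and the executable, while the Application Error record written one second later names the faulting module, so pairing the two from exported Event XML gives one triage row per EMET block. The function names, the 5-second pairing window and the use of the `Data` positions exactly as they appear in the quoted event 1000 are assumptions of this sketch.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
APP = r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"
EMET_MSG = re.compile(r"EMET detected (\w+) mitigation and will close the application: (.+)")

# Sample input: abridged copies of the two events quoted in the post.
SAMPLE_EVENTS = [
    rf"""<Event xmlns="{NS['e']}"><System><Provider Name="EMET" />
<EventID Qualifiers="0">2</EventID><TimeCreated SystemTime="2012-07-11T16:57:08.000000000Z" />
</System><EventData><Data>EMET_DLL module logged the following event:
EMET detected DEP mitigation and will close the application: {APP}</Data></EventData></Event>""",
    rf"""<Event xmlns="{NS['e']}"><System><Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID><TimeCreated SystemTime="2012-07-11T16:57:09.000000000Z" />
</System><EventData><Data>WINWORD.EXE</Data><Data>12.0.6661.5000</Data><Data>4f7cd9da</Data>
<Data>Winspool.DRV</Data><Data>6.1.7601.17514</Data><Data>4ce7ba4b</Data><Data>c0000005</Data>
<Data>00001364</Data><Data>1bd8</Data><Data>01cd5f8634bbc0a7</Data><Data>{APP}</Data>
<Data>C:\Windows\system32\Winspool.DRV</Data><Data>732243ed-cb79-11e1-8ab2-ef1e1ad633bc</Data>
</EventData></Event>""",
]

def parse_event(xml_text):
    """Return provider, event ID, time (whole seconds) and the Data strings of one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")[:19]  # drop fractional seconds
    return {"provider": system.find("e:Provider", NS).get("Name"),
            "id": int(system.find("e:EventID", NS).text),
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"),
            "data": [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]}

def correlate(xml_events, window=timedelta(seconds=5)):
    """Pair each EMET event with the crash record of the same executable inside the window."""
    events = [parse_event(x) for x in xml_events]
    crashes = [e for e in events if e["provider"] == "Application Error" and e["id"] == 1000]
    findings = []
    for ev in (e for e in events if e["provider"] == "EMET" and e["data"]):
        m = EMET_MSG.search(ev["data"][0])
        if not m:
            continue
        app = m.group(2).strip()
        # Data positions in the quoted event 1000: [3] module, [6] exception, [7] offset, [10] app path
        crash = next((c for c in crashes if len(c["data"]) > 10
                      and c["data"][10].lower() == app.lower()
                      and timedelta(0) <= c["time"] - ev["time"] <= window), None)
        findings.append({"mitigation": m.group(1), "application": app, "module": crash and crash["data"][3],
                         "exception": crash and crash["data"][6], "offset": crash and crash["data"][7]})
    return findings
```

`correlate(SAMPLE_EVENTS)` returns a single finding that ties the DEP mitigation on WINWORD.EXE to Winspool.DRV; an EMET event with no crash record inside the window is reported with `module` set to `None`.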