locked
EMET Blocks - Stack Pivoting RRS feed

  • Question

  • Hi team,

    One of our users kept getting stack pivoting events while opening excel, pdf and word within an email from Outlook. Below is an example of the event logs, please investigate and advise.

    EMET detected StackPivot mitigation and will close the application: EXCEL.EXE StackPivot check failed: Application : C:\Program Files\Microsoft Office\Office15\EXCEL.EXE User Name : TOYOTA\t27851 Session ID : 1 PID : 0x23D4 (9172) TID : 0x162C (5676) API name : ntdll.NtSetContextThread ReturnAddress : 0x767F0E7C CalledAddress : 0x771A65C0 Thread stack area range: [0x269EE000..0x269F0000] StackPtr : 0x26D6F6D8

    Regards,

    Kenneth

    Monday, September 14, 2015 6:39 AM

All replies

  • Doesn't seem to be much discussion on how to investigate and resolve individual user problems or specific events.  Have a number of these kinds of things where 2 or 3 users out of 10K have an issue and trying to dig into their configurations to determine why these occur and how to stop them is difficult.  There are a few such a loadlibrary that are more obvious and curable.  Assume that if the user saves the file from Outlook to his file system and then opens them that all works as expected and that this is for lots of issues but only when launched from Outlook.  If you stumble across a supportive group for issues like this would appreciate a heads up.

    Jim Kelly

    Thursday, September 17, 2015 7:19 PM