EMET 4.1 caused windows service stopped running

  • Question

  • I encountered an issue after enabling EMET on our service: the service stops after starting up.

    We got some exception call stacks; could you please help to identify the root cause from them?

    FOLLOWUP_IP: 
    WINSTA!RpcGetCurrentSessionClientData+24
    7239b3c9 83c40c          add     esp,0Ch
    
    SYMBOL_STACK_INDEX:  5
    
    SYMBOL_NAME:  WINSTA!RpcGetCurrentSessionClientData+24
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: WINSTA
    
    IMAGE_NAME:  WINSTA.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  52157aa1
    
    STACK_COMMAND:  ~24s ; kb
    
    BUCKET_ID:  6ba_WINSTA!RpcGetCurrentSessionClientData+24
    
    FAILURE_BUCKET_ID:  APPLICATION_FAULT_6ba_WINSTA.dll!RpcGetCurrentSessionClientData
    
    WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/RNADirMultiplexor_exe/2_70_1400_8/535753bf/KERNELBASE_dll/6_3_9600_16408/523d4548/6ba/00012eec.htm?Retriage=1
    
    Followup: MachineOwner
    ---------
    
    1:024> kv fff
      Memory  ChildEBP RetAddr  Args to Child              
              012aa4b0 77381e47 000006ba 00000001 00000000 KERNELBASE!RaiseException+0x48 (FPO: [4,22,0])
           24 012aa4d4 77381e13 00000000 012aa4f0 773781e0 RPCRT4!RpcpRaiseException+0x2e (FPO: [0,1,4])
            c 012aa4e0 773781e0 000006ba 001e1e18 012aa93c RPCRT4!RpcRaiseException+0x16 (FPO: [1,1,0])
           10 012aa4f0 773eed56 012aa540 00000000 001e1e18 RPCRT4!NdrGetBuffer+0x58 (FPO: [3,0,0])
          44c 012aa93c 7239b3c9 723961f8 72395cde 012aa95c RPCRT4!NdrClientCall2+0x191 (FPO: [SEH])
           18 012aa954 7239b328 001e1e18 012aa998 012aa994 WINSTA!RpcGetCurrentSessionClientData+0x24 (FPO: [3,1,0])
           60 012aa9b4 7239b3e1 012aabd0 ffffffff 0000000a WINSTA!GetCurrentSessionClientData+0x61 (FPO: [SEH])
          1d4 012aab88 75292375 00000000 00000000 00000006 WINSTA!WinStationQueryInformationW+0x5f7 (FPO: [6,111,4])
           c0 012aac48 01b296d5 00000000 ffffffff 0000000a WTSAPI32!WTSQuerySessionInformationW+0xd4 (FPO: [5,37,4])
          ...
    (58.fe4): Single step exception - code 80000004 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0002acf0 ebx=00000001 ecx=77a3acc8 edx=0002acc8 esi=77a10000 edi=738dd04c
    eip=77a68944 esp=03e5fa18 ebp=03e5fc28 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!LdrpSnapModule+0x1a8:
    77a68944 8b956cfeffff    mov     edx,dword ptr [ebp-194h] ss:002b:03e5fa94={ntdll!NtDllUserStubs <PERF> (ntdll+0x0) (77a10000)}
    1:007> kv
    
    ChildEBP RetAddr  Args to Child              
    03e5fc28 77a6847c a37eb553 002bcca0 03e5fcb0 ntdll!LdrpSnapModule+0x1a8 (FPO: [Non-Fpo])
    03e5fc60 77a68cb1 002bcca0 00248048 00000000 ntdll!LdrpMapAndSnapModules+0x62 (FPO: [Non-Fpo])
    03e5fc8c 77a69920 ffffffff 00000000 a37eb70f ntdll!LdrpPrepareModuleForExecution+0xb0 (FPO: [Non-Fpo])
    03e5fe3c 77a6500e 00000000 00000001 03e5fe84 ntdll!LdrpLoadDll+0x392 (FPO: [SEH])
    03e5fe74 37a3112e 00000001 03e5feb0 03e5fec0 ntdll!LdrLoadDll+0x67 (FPO: [Non-Fpo])
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    03e5fedc 777b68f6 03e5ff0c 00000000 00000000 0x37a3112e
    03e60130 777b681f 00276048 00276038 00000025 WS2_32!NSPROVIDER::Initialize+0x55 (FPO: [SEH])
    03e60154 777b69e7 00276010 a3b160e2 001e2a38 WS2_32!NSCATALOG::LoadProvider+0x91 (FPO: [1,1,4])
    03e60188 777bb632 03e601a8 0027bed0 0023dc80 WS2_32!LookupBeginEnumerationProc+0x11e (FPO: [SEH])
    03e601e0 777bb488 00000210 0023addc a3b16346 WS2_32!NSQUERY::LookupServiceBegin+0x151 (FPO: [2,15,4])
    03e6022c 777da8ce 001e2a38 00000210 03e6029c WS2_32!WSALookupServiceBeginW+0xe0 (FPO: [SEH])
    03e60274 777d64fc 03e602cc 00000210 03e6029c WS2_32!WSALookupServiceBeginA+0x87 (FPO: [SEH])
    03e602a4 777d70f7 03e604e0 777e6540 00000000 WS2_32!getxyDataEnt+0x62 (FPO: [3,4,4])
    03e604d4 004b0268 03e604e0 61636f6c 736f686c WS2_32!gethostbyname+0xde (FPO: [1,132,4])

    There were a series of exceptions of this kind.

    PS: this only happens on the Win8 & 8.1 OS.

    Others work well.

    Thanks,

    Levi


    One world, one dream

    Monday, May 5, 2014 2:26 AM
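As an added illustration (not part of the original post or of EMET), a small Python triage helper for the `kv` output quoted above: it parses the frames, reads the exception code out of the RaiseException frame, walks past the RPC runtime to the module that made the call, and flags the frames WinDbg could not attribute to a module. The sample dump is constructed from the frames in the post, and the status-code table holds only the one value seen there.

```python
import re
# Constructed sample built from the "kv fff" and "kv" frames quoted in the question.
SAMPLE_DUMP = """\
  Memory  ChildEBP RetAddr  Args to Child
          012aa4b0 77381e47 000006ba 00000001 00000000 KERNELBASE!RaiseException+0x48 (FPO: [4,22,0])
       24 012aa4d4 77381e13 00000000 012aa4f0 773781e0 RPCRT4!RpcpRaiseException+0x2e (FPO: [0,1,4])
       18 012aa954 7239b328 001e1e18 012aa998 012aa994 WINSTA!RpcGetCurrentSessionClientData+0x24 (FPO: [3,1,0])
WARNING: Frame IP not in any known module. Following frames may be wrong.
03e5fedc 777b68f6 03e5ff0c 00000000 00000000 0x37a3112e
03e60130 777b681f 00276048 00276038 00000025 WS2_32!NSPROVIDER::Initialize+0x55 (FPO: [SEH])
"""

# One "kv" frame: optional frame-size column (kv fff), ChildEBP, RetAddr, three args, symbol.
FRAME_RE = re.compile(r"^\s*(?:[0-9a-f]+\s+)?(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+"
                      r"(?P<a1>[0-9a-f]{8})\s+(?P<a2>[0-9a-f]{8})\s+(?P<a3>[0-9a-f]{8})\s+(?P<sym>\S+)")
# Win32 status codes that the RPC runtime re-raises as SEH exception codes via RpcRaiseException.
RPC_STATUS = {0x6BA: "RPC_S_SERVER_UNAVAILABLE (1722): the RPC server is unavailable"}

def parse_frames(dump):
    """Parse kv output; frames after WinDbg's 'Frame IP not in any known module' are untrusted."""
    frames, trusted = [], True
    for line in dump.splitlines():
        if "Frame IP not in any known module" in line:
            trusted = False
            continue
        m = FRAME_RE.match(line)
        if m:
            args = tuple(int(m.group(k), 16) for k in ("a1", "a2", "a3"))
            frames.append({"symbol": m.group("sym"), "trusted": trusted, "args": args})
    return frames

def module_of(symbol):
    """'WINSTA!RpcGet...+0x24' -> 'WINSTA'; a bare address like '0x37a3112e' has no module."""
    return symbol.split("!", 1)[0] if "!" in symbol else None

def triage(dump):
    """Summarize: raised code, its meaning, first caller outside the RPC runtime, unsymbolized frames."""
    frames = parse_frames(dump)
    report = {"exception_code": None, "meaning": None, "caller": None,
              "untrusted_frames": [f["symbol"] for f in frames if not f["trusted"]]}
    for i, f in enumerate(frames):
        if f["symbol"].startswith("KERNELBASE!RaiseException"):
            code = f["args"][0]  # first argument to RaiseException is dwExceptionCode
            report["exception_code"] = code
            report["meaning"] = RPC_STATUS.get(code, "not an RPC status this table knows")
            report["caller"] = next((g["symbol"] for g in frames[i + 1:]
                                     if module_of(g["symbol"]) not in ("KERNELBASE", "RPCRT4")), None)
            break
    return report
```

Unsymbolized frames are simply code the debugger has no module for (dynamically generated or injected code, for instance), so the report lists them as something to look at rather than as a verdict.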

All replies

  • Does removing the EMET client resolve the issue? The normal EMET mitigations don't protect services but rather user mode applications. It could possibly be changes to system-wide mitigations though.

    GBS Premier Field Engineer Cybersecurity Check out my blog http://blogs.technet.com/kfalde or better yet check out http://technet.com/wiki and start contributing :)

    Monday, May 5, 2014 4:18 AM
  • Thanks Kurt,

    We found the issue seems to have been caused by calling OutputDebugString in session 0.

    After removing this API call, our application works fine.

    They are trying to create a simple project to reproduce this issue so you can help fix it.

    Thanks,

    Levi


    One world, one dream

    Tuesday, May 13, 2014 8:38 AM