EMET 3.5 Issue

  • Question

  • Here's a weird issue.  I'm using EMET 3.5, and I have a Livescribe Echo Smartpen.  When I plug the pen into my machine, if I click into any of my running applications EMET throws a Caller error and closes the app.  It doesn't matter what the app is.  If I remove the pen, all my apps work fine.  I don't even need to have the software that comes with the pen running, I could simply have the pen plugged into my machine charging.  Any help would be appreciated.  Thanks.
    Wednesday, May 29, 2013 4:52 PM

All replies

  • Hi RDinerman,

    When EMET 3.5 closes the application that it states caused the Caller Checks error, does it mention what application that was? You can review such errors in the Windows Event log to check if a certain application is consistently causing this.

    You mention that the software for the pen is not running; this only partially rules out what could be causing this. For example, 3rd party DLLs (from the software or hardware that we use) are loaded into various Windows processes to allow you to take advantage of the additional functionality that they offer. Please find below screenshots of explorer.exe from my Windows 7 PC that show DLLs from Nvidia, WinZip, Symantec and Atheros within explorer.exe:

    Direct Links to Images:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/WinExplorer_DLLs.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/WinExplorer_DLLs2.png

    In addition, within the Windows Spooler service (spoolsv.exe) there are 2 DLLs loaded for my printer. I am unsure why they don’t have a company name but it’s a Samsung printer:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Win7SpoolSvDLL_2.png

    The above Windows processes are the more common examples (there are more) of where 3rd party DLLs are loaded. Thus it is not necessary for a 3rd party process to be running to cause a conflict with EMET.

    When you determine what applications (processes) are conflicting with EMET, you should then be able to check what DLLs are being loaded into those applications which may conflict with EMET (any 3rd party DLL has the potential to conflict). If there are such DLLs, disabling the Caller Checks mitigation for that process should resolve the issue for you. However, you may need to repeat this for any other application that conflicts.

    To check what DLLs are being loaded by a process, open Sysinternals Process Explorer and choose View->Lower Pane -> DLLs. You can then sort by Company Name by clicking the Company Name Column that is visible in the above screenshots. In some cases, you may still need to scroll through the list of DLLs looking for DLLs that are not Microsoft DLLs (since not all DLLs are always sorted correctly).

    Process Explorer is a separate program that you need to download. The good thing is that you don't install it, you simply extract it (i.e. unzip/decompress) to any location of your choice and double click procexp.exe to run it.

    I hope the above advice assists you in narrowing down or locating what is responsible for this conflict. It is very likely the only resolution to this will be to disable the Caller Checks mitigation for any application/process that conflicts with EMET.

    If I can provide any further assistance, please let me know. Thank you.

    Thursday, May 30, 2013 2:50 PM
  • Hi JamesC_836,

    Thanks for the help.  When I get the caller checks error, it says the application is whatever application I clicked in at the time.  So for example, let's say I have QuickBooks, Word, Outlook and Adobe Acrobat open.  When I attach my pen, if I click into Outlook to bring the focus to that program, it crashes with a Caller Checks error, saying Outlook crashed.  If I then click into Adobe Acrobat, the same thing will happen only it will now reference Adobe Acrobat.  And so on and so on.  If I remove the pen, all the applications function fine.

    I'll download Process Explorer and see if there are any DLLs they all have in common.

    Monday, June 3, 2013 10:31 PM
  • Hi RDinerman,

    Thanks for your update. My apologies that this conflict with EMET is having such a wide ranging effect.

    If Process Explorer does show any 3rd party DLLs that these processes have in common, you may need to disable Caller Checks for each and every conflicting process. I realize that this may not be a workable solution. It’s rare for a conflict with EMET to be this severe.

    One possible cause for such a wide ranging conflict would be that the following Windows Registry key is being used to load a 3rd party DLL into each process that also loads user32.dll (most processes do load that Microsoft DLL). For your information, please find at the end of this post the steps detailing how to access this Windows Registry key and view its contents. I have provided a screenshot of the current value that this registry key is set to on my Windows 7 64 bit PC (it is still set to the default value, which is blank):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/AppInitDLLWin7.png

    -----------------------------------------------

    For All Versions of Windows:

    Once Regedit is open, navigate to the above registry key locations (keys are represented as folders). The AppInit_DLL value should then be visible in the right navigation pane (as shown in the above screenshot).

    -----------------------------------------------

    If your registry key is different, I would recommend leaving it that way. If you make a change to this key, you may then not be able to use your Smartpen (since you will be disabling a crucial part of how it interacts with Windows).

    You may also wish to try the final version of EMET 4.0 when it becomes available. It may not experience this conflict. Unfortunately I am unsure when EMET 4.0 will be made available (I am simply a volunteer contributor on this forum, so I only know what everybody else knows). The latest status on the release is available in the following blog post:

    http://blogs.technet.com/b/srd/archive/2013/05/28/a-few-more-days-before-emet-4.aspx

    If EMET 4.0 is still conflicting with your Smartpen you could submit a bug report/feedback to the EMET team about this issue.

    I hope the above information is of assistance to you. Please let me know of your findings. Thank you.

    -----------------------------------------------

    Note: My availability for the remainder of this week will be limited but I will attempt to respond to any updates on the same day. If I am not successful, it will be the following day.

    -----------------------------------------------

    Windows XP:

    Open Windows Regedit as follows:

    Press the Start button in the lower left corner of the screen. Click “Run”.

    Type “regedit” (without the quotes) into the white line of the Run box that appears. Click “OK”.

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/WinXP_Regedit1.png

    For Windows Vista or Windows 7:

    Press the Start button in the lower left corner of the screen. Type “regedit” (without the quotes) into the white search box just above the Start button.

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Windows7_Regedit1.png

    A blue cube icon with the title “regedit” will appear near the top of the Start menu, right click this icon and choose “Run As Administrator”. Click “OK” or “Continue” if prompted by Windows User Account Control (UAC) to open Regedit.

    -----------------------------------------------

    For Windows 8:

    Press the Windows Key (between the Ctrl and Alt keys in the lower left corner of your keyboard), to display the Start screen.

    Type the word “regedit” (without the quotes); you should see an icon for Regedit (a blue cube) appear on the left side of your screen:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Win8_Regedit1.png

    Right click this icon and choose “Run As Administrator” (which appears at the bottom of the screen).

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Win8_Regedit2_HL.png

    Click “OK” or “Continue” if prompted by Windows User Account Control (UAC) to open Regedit.

    • Edited by JamesC_836 Tuesday, June 4, 2013 8:14 PM
    Tuesday, June 4, 2013 8:13 PM
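
The two checks discussed in this thread (DLLs that the crashing applications have in common, and the contents of the AppInit_DLLs registry value) can also be scripted. The following PowerShell is an added example, not part of either poster's reply; the process names in `$affected` are assumptions and should be replaced with the applications EMET actually closed.

```powershell
# Added example. $affected holds assumed process names (without .exe);
# replace them with the applications that EMET closed on your machine.
$affected = 'OUTLOOK', 'WINWORD', 'Acrobat'

# 1. Show the AppInit_DLLs setting in both the native and the 32-bit
#    (Wow6432Node) registry views. An empty AppInit_DLLs is the default.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }   # Wow6432Node is absent on 32-bit Windows
    $v = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        Key              = $key
        AppInit_DLLs     = $v.AppInit_DLLs
        LoadAppInit_DLLs = $v.LoadAppInit_DLLs   # 1 = loading enabled (not present on XP)
    } | Format-List Key, AppInit_DLLs, LoadAppInit_DLLs
}

# 2. Collect the modules of each affected process whose company name is not
#    Microsoft. Modules with no company name at all are kept on purpose.
$perProcess = @{}
foreach ($name in $affected) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Warning "$name is not running; skipped"; continue }
    $perProcess[$name] = @(
        $procs | ForEach-Object { $_.Modules } |
            Where-Object { $_.FileVersionInfo.CompanyName -notmatch 'Microsoft' } |
            ForEach-Object { $_.FileName.ToLowerInvariant() } |
            Sort-Object -Unique
    )
}

# 3. Intersect the per-process lists: what remains is loaded into every
#    affected application and is the first candidate for the conflict.
$common = $null
foreach ($name in $perProcess.Keys) {
    if ($null -eq $common) { $common = $perProcess[$name] }
    else { $common = @($common | Where-Object { $perProcess[$name] -contains $_ }) }
}
"Third-party modules common to all inspected processes:"
$common
```

Run it from an elevated session while the pen is plugged in and the applications are open. In Windows PowerShell, a 64-bit session may list only part of a 32-bit process's modules, so use a session of the same bitness as the applications being inspected.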