WARNING: DATA LOSS - EMET 4 reporter deletes files

  • Question

  • NOTE:  This EMET issue was moved here from this original post:  http://answers.microsoft.com/en-us/windowslive/forum/gallery-wlsettings/photo-gallery-crash-emet-reporter-deletes-file/e5a510c8-e0fb-4d33-8179-8ee7a18d11e5?rtAction=1377879230389

    Discovered a bug in EMET 4.0 running on Windows 8 (desktop).
    Steps to reproduce:

    1. Open a .jpg graphic... opens in Photo Gallery.
    2. Hit the "Edit, Organize, or Share" button, top left menu bar.
    3. Program crashes and opens a "Photo Gallery has stopped working"/Close program prompt.
    4. EMET opens up a "Do you want to send more information about this issue?" prompt.
    5. When you click Yes/Send with the EMET prompt it DELETES YOUR FILE - no recycle bin, no warning.

    It appears to be a problem with EMET.  I closed the Photo Gallery prompt and the program closed, file deletion did not occur until the EMET prompt was sent/closed.

    UPDATE:  Discovered a new unwanted behavior... it will delete the file when you hit the DON'T REPORT button as well.  I guess the only way is to close the prompt window and not to choose the REPORT or DON'T REPORT buttons.

    Friday, August 30, 2013 4:37 PM

All replies

  • UPDATE #2:  I just wanted to give another update to this problem... it seems that even if you close the reporter prompt with the window close button (top right) it still deletes your file.  So to clarify, when the EMET 4 reporter initiates, all means of exiting the window (sending, not sending, or closing the window) will delete data.

    To turn off reporting in EMET 4?  From the main EMET window you just need to uncheck “Early Warning”.
    Saturday, August 31, 2013 12:34 AM
  • NOTE:  The below entry describes a problem with the default EMET 4 configuration for Windows Photo Gallery which led to the discovery of this bug.  It is taken from (duplicated from) this post...   http://answers.microsoft.com/en-us/windowslive/forum/gallery-wlsettings/photo-gallery-crash-emet-reporter-deletes-file/e5a510c8-e0fb-4d33-8179-8ee7a18d11e5


    I did not reinstall Photo Gallery here (not needed)... I think the problem is with EMET.  

    With the previous entry, where I was asked to disable EMET and test Photo Gallery, I may not have disabled it fully via the task manager... so I got the expected crash.  I just tested with EMET running but with all the mitigation checkboxes unchecked for WLXPhotoGallery.exe, and I was able to use the "Edit, Organize, or Share" button in Photo Gallery properly with no crash. 

    I will have to experiment with which EMET mitigation check is causing the crash when using the "Edit, Organize, or Share" button.  The default EMET installation list had all mitigation checkboxes checked for this program.  If someone happens to know the proper checkbox configuration for WLXPhotoGallery.exe please post.

    • Edited by ENEN1 Saturday, August 31, 2013 2:34 AM correction
    Saturday, August 31, 2013 2:07 AM
  • The proper EMET 4 mitigation configuration for Photo Gallery WLXPhotoGallery.exe:

    As mentioned above, the default EMET 4 mitigation configuration for WLXPhotoGallery.exe was all on.  I just went through the checkboxes and found the crash problem is if the "Caller" mitigation is checked for WLXPhotoGallery.exe in Apps Configuration.  For proper non-crash functioning of "Edit, Organize, or Share" button in Photo Gallery the "Caller" should be unchecked (at least on my system).

    *Caller (Tooltip: ROP mitigation that checks if critical function was called and not returned into).
    • Edited by ENEN1 Saturday, August 31, 2013 2:30 AM amended
    Saturday, August 31, 2013 2:28 AM
  • Hi, Thank you for posting this.

    I created a PDF file yesterday and opened it, closed it, and then opened it again and EMET 4.0 (Win 7 Pro SP1 64-bit) came up and said that it had prevented an exploit (or something like that). I figured it was a false positive so I clicked to Send Feedback... I continued working with the PDF file until the end of the day... Today when I unlocked my computer, the PDF file was gone....

    I thought I was going crazy or my computer was corrupted, but then I remembered that EMET popped up so I thought it might be an issue with that. I'm glad that it was EMET and not something else (more difficult to determine).

    Is Microsoft going to release an update to fix this problem?

    Thursday, October 17, 2013 6:03 PM
  • Hello,

    We opened an investigation for this issue and we'll follow up with a bugfix in the next major/minor release soon.

    Thanks for reporting this feedback.

    EMET Support

    Thursday, October 31, 2013 8:08 AM
  • Yes, the same on Win 8.1 RTM.

    Had a false positive (PDF file, file was OK as it has been created by myself) reported by EMET. I clicked on 'Don't send' and it deletes my PDF :( !

    Please fix this asap! Thank you!

    Monday, November 25, 2013 11:24 PM
  • It looks like Microsoft has responded and changed the protection profile and group policy settings for those three programs (among others) in EMET 4.1 which was released on November 12:

    Acrobat: *\Adobe\Acrobat*\Acrobat\Acrobat.exe -MemProt
    AcrobatReader: *\Adobe\Reader*\Reader\AcroRd32.exe -MemProt
    PhotoGallery: *\Windows Live\Photo Gallery\WLXPhotoGallery.exe -Caller

    Do you still have the issues after installing 4.1 and using the new Protection Profiles (or using group policy created with the new EMET.adm* files)?

    Wednesday, November 27, 2013 4:00 PM
  • The EMET 4.1 documentation on page 41 ("Table 7: Common Software Compatibility Matrix") lists "Simulate execution flow" instead of "Memory protection checks" as incompatible for Adobe Acrobat and Adobe Acrobat Reader.

    Friday, November 29, 2013 10:07 AM
  • Dear EMET support.

    Please give an update!

    Has this issue been resolved in EMET 4.1?

    Tuesday, December 10, 2013 12:30 PM
  • Ping!  Microsoft, this one is yours.

    Do you ever fix bugs or just argue about them until people stop asking?

    Thursday, January 9, 2014 10:33 PM
  • PC Vista blocked after installation of EMET 5.5
    Sunday, June 5, 2016 8:26 PM