EMET 5.0 -> explorer.exe -> INVALID_POINTER_WRITE_EXPLOITABLE

  • Question

  • [v] Deep Hooks
    [v] Anti Detour
    [v] Banned Function

    [x] Stop on exploit

    All options for explorer.exe checked

    => Crash

    WinDbg as the postmortem debugger:

    0:024> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    FAULTING_IP: 
    EMET64!EMETSendCert+2442
    000007fe`f2704ece 48832300        and     qword ptr [rbx],0
    
    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 000007fef2704ece (EMET64!EMETSendCert+0x0000000000002442)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000001
       Parameter[1]: 0000000000120800
    Attempt to write to address 0000000000120800
    
    CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
    rax=00000000003a7c70 rbx=0000000000120800 rcx=0000000000000038
    rdx=00000000aa1a1088 rsi=00000000001220b4 rdi=00000000003a7c70
    rip=000007fef2704ece rsp=000000000736e940 rbp=000000000736eab0
     r8=000000000736e8f8  r9=000000000736eab0 r10=0000000000000000
    r11=0000000000000286 r12=0000000000000000 r13=0000000000000033
    r14=0000000000000033 r15=0000000000000000
    iopl=0         nv up ei pl nz na po nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
    EMET64!EMETSendCert+0x2442:
    000007fe`f2704ece 48832300        and     qword ptr [rbx],0 ds:00000000`00120800=0000000004a90000
    
    FAULTING_THREAD:  0000000000000b74
    
    PROCESS_NAME:  Explorer.EXE
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    EXCEPTION_PARAMETER1:  0000000000000001
    
    EXCEPTION_PARAMETER2:  0000000000120800
    
    WRITE_ADDRESS:  0000000000120800 
    
    FOLLOWUP_IP: 
    EMET64!EMETSendCert+2442
    000007fe`f2704ece 48832300        and     qword ptr [rbx],0
    
    NTGLOBALFLAG:  400
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APP:  explorer.exe
    
    ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre
    
    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE
    
    PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE_EXPLOITABLE
    
    DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE
    
    LAST_CONTROL_TRANSFER:  from 000007fef2705215 to 000007fef2704ece
    
    STACK_TEXT:  
    00000000`0736e940 000007fe`f2705215 : 00000000`0736eb00 00000000`00000010 00000000`00000010 00000000`00010000 : EMET64!EMETSendCert+0x2442
    00000000`0736e9a0 000007fe`f2703871 : 00000000`00300002 00000000`aa1a1088 00000000`c00b0007 00000000`000000c9 : EMET64!EMETSendCert+0x2789
    00000000`0736ea30 000007fe`f26fa004 : 00000000`00000000 00000000`00000000 00000000`04a90000 000007ff`fff9c000 : EMET64!EMETSendCert+0xde5
    00000000`0736eae0 000007fe`fd46403e : ffffffff`ffffffff 00000000`04a90000 00000000`00000001 00000000`02dd7790 : EMET64!GetHookAPIs+0x4c0
    00000000`0736ebf0 00000000`770e2edf : 00000000`04a90002 00000000`00000000 00000000`00000022 00000000`0736ecfa : KERNELBASE!FreeLibrary+0xa4
    00000000`0736ec20 000007fe`fea17414 : 00000000`08c808c8 00000000`04c1fbf0 00000000`02080052 00000000`0736f4a0 : USER32!PrivateExtractIconsW+0x34b
    00000000`0736f140 000007fe`fea233a9 : 00000000`00331dec 00000000`00000000 00000000`00000000 00000000`00000000 : SHELL32!SHPrivateExtractIcons+0x393
    00000000`0736f410 000007fe`fe8d2a8c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SHELL32!SHDefExtractIconW+0x157
    00000000`0736f700 000007fe`fe8d28a8 : 00000000`003e3d60 000007fe`fd4d44e7 00000000`0641c4d0 00000000`003e3d60 : SHELL32!CIconCache::ExtractIconW+0x1d8
    00000000`0736f7a0 000007fe`fbb19570 : 00000000`003e3d60 00000000`00000001 00000000`003e3d60 00000000`000000d8 : SHELL32!CSparseCallback::ForceImagePresent+0x48
    00000000`0736f810 000007fe`fbb1968e : 00000000`0736f900 000007fe`fbb1d7de 00000000`003e3d60 00000000`00000001 : comctl32!CSparseImageList::_Callback_ForceImagePresent+0x74
    00000000`0736f860 000007fe`fbb1b14f : 00000000`00000001 00000000`00000000 00000000`000000d8 00000000`06402c30 : comctl32!CSparseImageList::_Virt2Real+0xc6
    00000000`0736f890 000007fe`fe9db1cc : 00000000`064059b0 00000000`04e031a0 00000000`064059b0 00000000`0643b6c0 : comctl32!CSparseImageList::ForceImagePresent+0x57
    00000000`0736f8d0 000007fe`fe8dc54c : 00000000`0641e660 00000000`06402c30 00000000`00000000 00000000`00000000 : SHELL32!CLoadSystemIconTask::InternalResumeRT+0x164
    00000000`0736f960 000007fe`fe90efcb : 80000000`01000000 00000000`0736f9f0 00000000`0641e660 00000000`0000000a : SHELL32!CRunnableTask::Run+0xda
    00000000`0736f990 000007fe`fe912b56 : 00000000`0641e660 00000000`00000000 00000000`0641e660 00000000`00000002 : SHELL32!CShellTask::TT_Run+0x124
    00000000`0736f9c0 000007fe`fe912cb2 : 00000000`04f7c8f0 00000000`04f7c8f0 00000000`00000000 00000000`003e1a28 : SHELL32!CShellTaskThread::ThreadProc+0x1d2
    00000000`0736fa60 000007fe`fd4d3843 : 000007ff`fff9c000 00000000`02e9a890 00000000`02df0d70 00000000`003e1a28 : SHELL32!CShellTaskThread::s_ThreadProc+0x22
    00000000`0736fa90 00000000`773115db : 00000000`04e805e0 00000000`04e805e0 00000000`00000001 00000000`00000006 : SHLWAPI!ExecuteWorkItemThreadProc+0xf
    00000000`0736fac0 00000000`77310c56 : 00000000`00000000 00000000`04f7c910 00000000`02df0d70 00000000`02e9fef8 : ntdll!RtlpTpWorkCallback+0x16b
    00000000`0736fba0 00000000`771e59ed : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x5ff
    00000000`0736fea0 00000000`7731c541 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
    00000000`0736fed0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
    
    
    STACK_COMMAND:  .cxr 0x0 ; kb
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  emet64!EMETSendCert+2442
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: EMET64
    
    IMAGE_NAME:  EMET64.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  53d99f01
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_EMET64.dll!EMETSendCert
    
    BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_emet64!EMETSendCert+2442
    
    ANALYSIS_SOURCE:  UM
    
    FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_exploitable_c0000005_emet64.dll!emetsendcert
    
    FAILURE_ID_HASH:  {f7d2108f-d68f-6bd5-d4b8-073af5241c2e}
    
    Followup: MachineOwner
    ---------

    0:024> lm vm EMET64
    start             end                 module name
    000007fe`f26d0000 000007fe`f279f000   EMET64     (export symbols)       C:\Windows\AppPatch\AppPatch64\EMET64.dll
        Loaded symbol image file: C:\Windows\AppPatch\AppPatch64\EMET64.dll
        Image path: C:\Windows\AppPatch\AppPatch64\EMET64.dll
        Image name: EMET64.dll
        Timestamp:        Thu Jul 31 05:42:25 2014 (53D99F01)
        CheckSum:         000CE0A3
        ImageSize:        000CF000
        File version:     5.0.0.0
        Product version:  5.0.0.0
        File flags:       0 (Mask 0)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Enhanced Mitigation Experience Toolkit
        ProductVersion:   5.0.0.0
        FileVersion:      5.0.0.0
        FileDescription:  EMET SHIM
        LegalCopyright:   © Microsoft Corporation. All rights reserved.

    0:024> lm vm explorer
    start             end                 module name
    00000000`ff220000 00000000`ff4e0000   Explorer   (pdb symbols)          x:\symbols\explorer.pdb\A1D0A380BD3C489DB80F0E8273C9719A2\explorer.pdb
        Loaded symbol image file: C:\Windows\Explorer.EXE
        Image path: C:\Windows\Explorer.EXE
        Image name: Explorer.EXE
        Timestamp:        Fri Feb 25 08:24:04 2011 (4D672EE4)
        CheckSum:         002C8AF6
        ImageSize:        002C0000
        File version:     6.1.7601.17567
        Product version:  6.1.7601.17567
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        1.0 App
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     explorer
        OriginalFilename: EXPLORER.EXE
        ProductVersion:   6.1.7601.17567
        FileVersion:      6.1.7601.17567 (win7sp1_gdr.110224-1502)
        FileDescription:  Windows Explorer
        LegalCopyright:   © Microsoft Corporation. All rights reserved.

    0:024> vertarget
    Windows 7 Version 7601 (Service Pack 1) MP (8 procs) Free x64
    Product: Server, suite: Enterprise TerminalServer SingleUserTS
    kernel32.dll version: 6.1.7601.18409 (win7sp1_gdr.140303-2144)
    Debug session time: Tue Sep 2 14:36:19.923 2014 (UTC + 4:00)
    System Uptime: 0 days 0:15:08.322
    Process Uptime: 0 days 0:13:53.826
      Kernel time: 0 days 0:00:03.385
      User time: 0 days 0:00:04.290


    • Edited by EreTIk Friday, September 5, 2014 5:22 PM
    Tuesday, September 2, 2014 10:53 AM

Answers

  • I think this problem may be resolved with EMET 5.1

    I've been running various machines with EMET 5.1 for over two weeks now and have had no occurrences of the C0000005 exception in explorer.exe.

    • Marked as answer by EreTIk Sunday, November 30, 2014 12:04 PM
    Thursday, November 27, 2014 8:19 AM

All replies

  • Similar abend with Windows 7 Professional 32-bit and EMET 5.0

    The following entry appears in the Event Log:

    Log Name:      Application
    Source:        Application Error
    Date:          02/09/2014 18:33:32
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Description:
    Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d6727a7
    Faulting module name: EMET.DLL, version: 5.0.0.0, time stamp: 0x53d99ebe
    Exception code: 0xc0000005
    Fault offset: 0x000433b3
    Faulting process id: 0xa74
    Faulting application start time: 0x01cfc6d3722abd88
    Faulting application path: C:\Windows\Explorer.EXE
    Faulting module path: C:\Windows\AppPatch\EMET.DLL
    Report Id: 420c4dbd-32c7-11e4-ae0a-000ae4c96e19
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-02T17:33:32.000000000Z" />
        <EventRecordID>32788</EventRecordID>
        <Channel>Application</Channel>
        <Security />
      </System>
      <EventData>
        <Data>Explorer.EXE</Data>
        <Data>6.1.7601.17567</Data>
        <Data>4d6727a7</Data>
        <Data>EMET.DLL</Data>
        <Data>5.0.0.0</Data>
        <Data>53d99ebe</Data>
        <Data>c0000005</Data>
        <Data>000433b3</Data>
        <Data>a74</Data>
        <Data>01cfc6d3722abd88</Data>
        <Data>C:\Windows\Explorer.EXE</Data>
        <Data>C:\Windows\AppPatch\EMET.DLL</Data>
        <Data>420c4dbd-32c7-11e4-ae0a-000ae4c96e19</Data>
      </EventData>
    </Event>

    Tuesday, September 2, 2014 6:21 PM
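    Added example (not from the thread or from EMET): a small triage script that parses the Event ID 1000 "Application Error" XML quoted above and flags records where explorer.exe faulted inside EMET's shim DLL with an access violation, so the crash can be counted across a fleet before deciding to exclude explorer.exe or upgrade. The sample event is constructed from the record in the post; `fault_offset_from_windbg` is a hypothetical helper that turns a WinDbg rip/module-start pair (from `!analyze -v` and `lm`) into the same RVA form that the event's "Fault offset" field uses.

```python
"""Triage Event ID 1000 (Application Error) records for EMET shim crashes in explorer.exe.

Added example, not part of the original thread or of EMET itself.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Positional meaning of the <Data> elements in an Application Error (1000) event,
# in the order the thread's Event XML shows them.
FIELDS = ("app_name", "app_version", "app_timestamp", "module_name",
          "module_version", "module_timestamp", "exception_code",
          "fault_offset", "pid", "app_start_time", "app_path",
          "module_path", "report_id")

# Constructed sample: same shape and values as the 32-bit report in the thread.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <TimeCreated SystemTime="2014-09-02T17:33:32.000000000Z" />
    <Channel>Application</Channel>
  </System>
  <EventData>
    <Data>Explorer.EXE</Data><Data>6.1.7601.17567</Data><Data>4d6727a7</Data>
    <Data>EMET.DLL</Data><Data>5.0.0.0</Data><Data>53d99ebe</Data>
    <Data>c0000005</Data><Data>000433b3</Data><Data>a74</Data>
    <Data>01cfc6d3722abd88</Data><Data>C:\Windows\Explorer.EXE</Data>
    <Data>C:\Windows\AppPatch\EMET.DLL</Data>
    <Data>420c4dbd-32c7-11e4-ae0a-000ae4c96e19</Data>
  </EventData>
</Event>"""


def parse_app_error_event(xml_text):
    """Return a dict of the Event ID 1000 fields, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1000":
        return None
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", namespaces=NS)]
    rec = dict(zip(FIELDS, data))
    rec["time"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return rec


def is_emet_shim_av(rec):
    """True when explorer.exe faulted inside EMET.DLL/EMET64.dll with STATUS_ACCESS_VIOLATION."""
    return (rec is not None
            and rec["app_name"].lower() == "explorer.exe"
            and rec["module_name"].lower() in ("emet.dll", "emet64.dll")
            and int(rec["exception_code"], 16) == 0xC0000005)


def fault_offset_from_windbg(rip, module_start):
    """Hypothetical helper: the event's 'Fault offset' is the RVA inside the faulting
    module, which for a WinDbg dump is rip minus the module start printed by 'lm'."""
    return rip - module_start


if __name__ == "__main__":
    r = parse_app_error_event(SAMPLE_EVENT)
    print(r["time"], r["module_name"], r["exception_code"], r["fault_offset"], is_emet_shim_av(r))
    # 64-bit dump in the thread: rip 000007fe`f2704ece, EMET64 start 000007fe`f26d0000
    print(hex(fault_offset_from_windbg(0x000007FEF2704ECE, 0x000007FEF26D0000)))
```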
  • Again:

    FAULTING_IP: 
    EMET64!EMETSendCert+2442
    000007fe`f3604ece 48832300        and     qword ptr [rbx],0
    
    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 000007fef3604ece (EMET64!EMETSendCert+0x0000000000002442)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000001
       Parameter[1]: 0000000000120800
    Attempt to write to address 0000000000120800
    
    CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
    rax=0000000000427c70 rbx=0000000000120800 rcx=0000000000000021
    rdx=0000000064efbd5f rsi=00000000001220b4 rdi=0000000000427c70
    rip=000007fef3604ece rsp=000000000723ced0 rbp=000000000723d040
     r8=000000000723ce88  r9=000000000723d040 r10=0000000000000000
    r11=0000000000000286 r12=0000000000000000 r13=0000000000000033
    r14=0000000000000033 r15=0000000000000000
    iopl=0         nv up ei pl nz na po nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
    EMET64!EMETSendCert+0x2442:
    000007fe`f3604ece 48832300        and     qword ptr [rbx],0 ds:00000000`00120800=0000000003d60000
    
    DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE
    
    PROCESS_NAME:  explorer.exe
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    EXCEPTION_PARAMETER1:  0000000000000001
    
    EXCEPTION_PARAMETER2:  0000000000120800
    
    WRITE_ADDRESS:  0000000000120800 
    
    FOLLOWUP_IP: 
    EMET64!EMETSendCert+2442
    000007fe`f3604ece 48832300        and     qword ptr [rbx],0
    
    NTGLOBALFLAG:  400
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APP:  explorer.exe
    
    ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre
    
    FAULTING_THREAD:  00000000000003b8
    
    PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE
    
    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE
    
    LAST_CONTROL_TRANSFER:  from 000007fef3605215 to 000007fef3604ece
    
    STACK_TEXT:  
    00000000`0723ced0 000007fe`f3605215 : 00000000`0723d090 00000000`77b0f6b8 00000000`03d600e0 00000000`0723cfd8 : EMET64!EMETSendCert+0x2442
    00000000`0723cf30 000007fe`f3603871 : 00000000`00300002 00000000`64efbd5f 00000000`c000008a 00000000`00000000 : EMET64!EMETSendCert+0x2789
    00000000`0723cfc0 000007fe`f35fa004 : 00000000`00000000 00000000`00000000 00000000`03d60000 000007ff`fff9a000 : EMET64!EMETSendCert+0xde5
    00000000`0723d070 000007fe`fd9b403e : ffffffff`ffffffff 00000000`03d60000 00000000`00000005 00000000`02cf7790 : EMET64!GetHookAPIs+0x4c0
    00000000`0723d180 00000000`778c2edf : 00000000`03d60002 00000000`00000000 00000000`00000022 00000000`0723d28c : KERNELBASE!FreeLibrary+0xa4
    00000000`0723d1b0 000007fe`fe79aab3 : 00000000`08c808c8 00000000`0bee0320 00000000`02080050 00000000`0723da30 : user32!PrivateExtractIconsW+0x34b
    00000000`0723d6d0 000007fe`fe79ac28 : 00000000`0723d9f0 00000000`00000040 00000000`0ba595d0 00000000`0723df54 : shell32!SHPrivateExtractIcons+0x50a
    00000000`0723d9a0 000007fe`fe8ce4ca : 00000000`00000004 00000000`00000000 00000000`0bca5110 000007fe`fe7a8186 : shell32!SHDefExtractIconW+0x254
    00000000`0723dc90 000007fe`fe7a3435 : 00000000`00000282 000007fe`fe8cc874 00000000`0bc26c20 00000000`0bc26c20 : shell32!CFSFolderExtractIcon::_ExtractW+0x37
    00000000`0723dcd0 000007fe`fe8cd7db : 00000000`0723df50 00000000`0bca5110 00000000`03d96178 00000000`0723df60 : shell32!CExtractIconBase::Extract+0x21
    00000000`0723dd10 000007fe`fe7a36cd : 00000000`00000000 00000000`0723f2d0 00000000`ffffffff 0000c769`4dc5ef38 : shell32!CShellLink::Extract+0xc2
    00000000`0723dea0 000007fe`fe8cd529 : 00000000`0000020a 000007fe`fe7a8186 00000000`ffffffff 00000000`ffffffff : shell32!CIconAndThumbnailOplockWrapper::Extract+0x21
    00000000`0723dee0 000007fe`fe8cd2da : 00000000`ffffffff 00000000`0723e3f0 00000000`8000000a 00000000`00000000 : shell32!IExtractIcon_Extract+0x43
    00000000`0723df20 000007fe`fe79fff0 : 00000000`00000202 00000000`08d4099e 00000000`00000000 00000000`08d4099e : shell32!_GetILIndexGivenPXIcon+0x22e
    00000000`0723e3c0 000007fe`fe863307 : 00000000`00000000 00000000`00000001 00000000`0723f2d0 00000000`00000002 : shell32!_GetILIndexFromItem+0x87
    00000000`0723e460 000007fe`fe7cfaaf : 00000000`00000000 00000000`0ba59600 00000000`00000000 00000000`778c62e0 : shell32!CFSFolder::GetIconOf+0x41d
    00000000`0723f200 000007fe`fe7a29df : 00000000`00000000 00000000`08d4099e 00000000`0ba59600 0000c769`4dc5c358 : shell32!SHGetIconIndexFromPIDL+0x3f
    00000000`0723f230 000007fe`fe7a2925 : 00000000`00464f80 00000000`0beb3120 00000000`00000000 00000000`00000000 : shell32!SHMapIDListToSystemImageListIndex+0x87
    00000000`0723f2a0 000007fe`fe79c54c : 00000000`08734ee0 00000000`02d93890 00000000`00000000 000007fe`fe7cf07c : shell32!CGetIconTask::InternalResumeRT+0x7d
    00000000`0723f300 000007fe`fe7cefcb : 80000000`01000000 00000000`0723f390 00000000`08734ee0 00000000`0000000c : shell32!CRunnableTask::Run+0xda
    00000000`0723f330 000007fe`fe7d2b56 : 00000000`08734ee0 00000000`00000000 00000000`08734ee0 00000000`00000002 : shell32!CShellTask::TT_Run+0x124
    00000000`0723f360 000007fe`fe7d2cb2 : 00000000`0894dd20 00000000`0894dd20 00000000`00000000 00000000`00000000 : shell32!CShellTaskThread::ThreadProc+0x1d2
    00000000`0723f400 000007fe`fdd93843 : 000007ff`fff9a000 00000000`02db51e0 00000000`02d10d70 00000000`00000000 : shell32!CShellTaskThread::s_ThreadProc+0x22
    00000000`0723f430 00000000`77af15db : 00000000`0b755110 00000000`0b755110 00000000`00000000 00000000`00000003 : shlwapi!ExecuteWorkItemThreadProc+0xf
    00000000`0723f460 00000000`77af0c56 : 00000000`00000000 00000000`0894dd60 00000000`02d10d70 00000000`08b8f7b8 : ntdll!RtlpTpWorkCallback+0x16b
    00000000`0723f540 00000000`779c59ed : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x5ff
    00000000`0723f840 00000000`77afc541 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
    00000000`0723f870 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
    
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  emet64!EMETSendCert+2442
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: EMET64
    
    IMAGE_NAME:  EMET64.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  53d99f01
    
    STACK_COMMAND:  ~27s; .ecxr ; kb
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_EMET64.dll!EMETSendCert
    
    BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_WRITE_emet64!EMETSendCert+2442
    
    ANALYSIS_SOURCE:  UM
    
    FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_emet64.dll!emetsendcert
    
    FAILURE_ID_HASH:  {6fa53035-3ddf-2da0-e167-d0eae56d2591}
    
    Followup: MachineOwner
    

    I can provide the user mini dump with full memory (or any other assistance in testing this issue)

    Friday, September 5, 2014 5:20 PM
  • Did you (also) post an issue on the Microsoft Connect EMET 5.0 Feedback program (https://connect.microsoft.com/emet/Feedback) or mail Microsoft's EMET team at emet_feedback@microsoft.com?


    W. Spu

    Friday, September 5, 2014 5:41 PM
  • Thank you, I wrote a letter.
    Friday, September 5, 2014 8:12 PM
  • Please update this thread if you get a reaction/answer. Did you also check the Microsoft Connect EMET 5.0 Feedback program? Currently there seems to be a problem with the Microsoft Connect EMET 5.0 Feedback program which prevents users from posting an issue or viewing the existing feedback.

    W. Spu

    Friday, September 5, 2014 8:49 PM
  • Of course. I am waiting for a response by email.

    Friday, September 5, 2014 9:25 PM
  • Answer: "You should not enable EMET for explorer.exe"

    Shell extension may be vulnerable :(

    • Proposed as answer by W. Spu Saturday, September 6, 2014 11:04 AM
    Saturday, September 6, 2014 10:40 AM
  • There's certainly something wrong with the EMET.DLL and it being used with Windows Explorer. I get the access violation problem fairly regularly on multiple Windows 7 Professional 32-bit systems.

    By way of comparison, those same systems ran both EMET 4.0 and EMET 4.1 protecting Windows Explorer and never suffered any abends.


    • Edited by AshleyST Thursday, September 11, 2014 1:24 PM Improve clarity
    Thursday, September 11, 2014 1:20 PM
  • My problems also started after the upgrade: EMET 4.1 -> EMET 5.0

    Prior to that I used EMET 4.0 (without the explorer.exe crash).

    Thursday, September 11, 2014 2:36 PM
  • I can confirm this. It also happens on our network with Windows 8.1 and Server 2012 R2. EMET 4.1 worked flawlessly with the same settings.
    Saturday, September 13, 2014 7:33 AM