locked
EMET 5.1 crashes all protected applications on Lenovo m91p PCs with enabled VT and TxT RRS feed

  • Question

  • Until last week we successfully used EMET 5.0 on all our PCs.

    After upgrading to EMET 5.1 all EMET-protected applications crash on all our Lenovo m91p PCs when VT-d and TxT is enabled.

    The protected applications do not start at all, no balloon-tip or errordialog is shown, only Eventlog shows what happened:

    EventLog IE:
    Faulting application name: iexplore.exe, version: 11.0.9600.17280, time stamp: 0x53f262eb
    Faulting module name: EMET64.dll, version: 5.0.0.0, time stamp: 0x545ffdbb
    Exception code: 0xc0000005
    Fault offset: 0x000000000008bc58
    Faulting process id: 0x96c
    Faulting application start time: 0x01d002698f0cb97d
    Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
    Faulting module path: C:\Windows\AppPatch\AppPatch64\EMET64.dll
    Report Id: ccc2c9df-6e5c-11e4-86f2-4437e689f575

    EventLog Word:
    Faulting application name: WINWORD.EXE, version: 14.0.7125.5000, time stamp: 0x53745315
    Faulting module name: EMET.DLL, version: 5.0.0.0, time stamp: 0x545ffd74
    Exception code: 0xc0000005
    Fault offset: 0x00064df3
    Faulting process id: 0x18a8
    Faulting application start time: 0x01d0026993d43cca
    Faulting application path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Faulting module path: C:\Windows\AppPatch\EMET.DLL
    Report Id: d196340d-6e5c-11e4-86f2-4437e689f575

    Some facts we figured out:

    • Tested (crashing) applications for example: Internet Explorer 11, Word 2010, Excel 2010, Firefox 31 ESR, ...
    • OS is Windows 7 x64 SP1 Enterprise
    • It doesn't matter if it was an upgrade from EMET 5.0 to EMET 5.1 or reinstalling the PC and doing a fresh install of EMET 5.1 on a fresh machine.
    • Before Installing EMET 5.1 we used EMET 5.0 on the identically configured Machines (VT + TxT enabled) and there was no problem at all - the Problem is caused by EMET 5.1 and wasn't there with EMET 5.0
    • Problem disappears if we disable VT in the BIOS of the Lenovo m91p Machines, but this is not a Solution as we depend on using VT for virtualization-purposes.
    • Lenovo m91p PCs are equipped with: Intel Core i5-2400CPU, 8GB RAM, Onboard-SandyBridge Intel HD Graphics 2000, Mainboard: Lenovo IS6XM Rev.01, Intel Sandy Bridge rev.09, Intel Q67 rev. B3
    • Other Dell-Notebooks we use (EMET configured identically) don't show this problem, even if VT and TXT is enabled.
    • Basically we use the EMET Configuration "Popular Software.xml" which is included in the EMET 5.1 MSI Package, additionally we configure DEP=ApplicationOptOut ASLR=ApplicationOptIn SEHOP=ApplicationOptOut Pinning=Enabled and enable AdvancedRopSettings DeepHooks=True AntiDetours=True BannedFunctions=True

    Additional Information:

    • TxT (Trusted Execution Technology) is a sub-feature of VT-d in the Bios of the Lenovo m91p PCs, when disabling VT it also disables TxT. We just figured out that we can leave VT turned on but have to disable TxT to get the machines with EMET 5.1 working again. BUT: It's not an easy solution for us to disable TxT in BIOS on all machines. And as everything worked fine with EMET 5.0 we really think this problem should be solved by an EMET Patch.




    Monday, November 17, 2014 2:53 PM

All replies

  • I'm also experiencing the same issue as the OP, however I'm experiencing this on Lenovo M90p desktops with Windows 7 professional.  I was previously running EMET 4.1 and upgraded to 5.1 recently.  I cannot reproduce this on a Lenovo M92p with Windows 8.1 Enterprise, nor a Lenovo X1 Carbon with Windows 7 enterprise.

    Tuesday, November 18, 2014 6:45 PM