EMET -- System32 .exe's won't run with it?
Hungry Man
June 23rd, 2011, 04:05 AM
I have the entire system32 folder added but none of them have a "check" under "Running EMET".
skudo12
June 23rd, 2011, 04:55 AM
Did you restart?
Hungry Man
June 23rd, 2011, 04:59 AM
Yes. I've restarted multiple times.
skudo12
June 23rd, 2011, 05:13 AM
That's odd, I've read somewhere that putting system files works. The author even put a script to automate the process. I just can't remember the link.
MessageBoxA
June 24th, 2011, 07:09 PM
Hi,
The application compatibility toolkit happens to be my current area of research. As a side project I have written a native interface for EMET with C++/asm rather than the piece of crap .NET GUI. I am adding support for many advanced features not present in the Microsoft GUI.
Would you PM me if you're interested in being my guinea pig?
If you're not interested then you can check this registry key to see if the applications are protected: HKLM\SOFTWARE\Microsoft\EMET\
I have found some bugs in how Microsoft EMET handles the registry and application compatibility SDB entries... the EMET application is poorly designed and it is possible for registry orphans to be present. In layman's terms... I have found that sometimes the registry says ApplicationX is protected but the AppCompat database EMET actually uses will have no entry for the application.
I have implemented a scanner in my GUI to check for these situations. You sound like a perfect candidate for testing it. Let me know if you're interested.
BoerenkoolMetWorst
June 26th, 2011, 05:31 PM
I don't know, but perhaps the option "install for this user only" instead of "install for all users" could affect this?
Hungry Man
June 26th, 2011, 08:29 PM
I installed for all users I believe.
m00nbl00d
June 26th, 2011, 08:55 PM
Is there a reason why you'd want to add the entire System32 folder .exe under EMET's protection?
Hungry Man
June 26th, 2011, 08:57 PM
Nope. Should it matter?
m00nbl00d
June 26th, 2011, 09:04 PM
-{ Quote: "Nope. Should it matter?" }-
If it matters depends on you... ;D I was just wondering why you'd want to add all those .exes. That's all. :P
Hungry Man
June 26th, 2011, 09:10 PM
Curiosity to see if it would cause system instability.
x942
June 26th, 2011, 10:48 PM
Same issue here. Not sure why. I even tried adding them one by one but nothing?
MessageBoxA
June 27th, 2011, 10:55 AM
Hello,
This morning when I read this thread again... I realized that the 'Application Compatibility Toolkit' shim engine might not allow for patching of files protected by 'Windows File Protection'. Most of the files in the system32/SysWOW64 folders have signed catalog entries. Since this is what EMET is using to patch applications it would also be subject to this restriction.
I don't know this for sure... it's just my intuition. If I have time later this week... I'll try to use WinDbg to confirm my suspicion.
-MessageBoxA