EMET Can't enable Always ON

Discussion in 'other security issues & news' started by mimuweb, Mar 7, 2011.

Thread Status:
Not open for further replies.
  1. mimuweb

    mimuweb Registered Member

    Joined:
    Sep 28, 2009
    Posts:
    70
    Hi guys. I've installed last version of Enhanced Mitigation Experiencie Toolkit in my laptop (W7 Ultimate 32bits), but when i want to set Always ON in DEP (Data Execution Prevention) i get a message "Failed to set the system DEP policy"... I've tried to set this parameter via Control Panel, System.... but when i reboot my laptop DEP is again by default.

    Thanks for your help

    Regards


    Miguel Angel
     
  2. redgrum

    redgrum Registered Member

    Joined:
    Nov 16, 2010
    Posts:
    50
    Does it work on the system when EMET is not installed?

    Also, have you tried the global settings inside EMET? Are you running with elevated privileges?
     
  3. mimuweb

    mimuweb Registered Member

    Joined:
    Sep 28, 2009
    Posts:
    70
    Only works DEP by default (Windows programs and essential services), but not for all programs. I set for all programs, but when i reboot my computer and check DEP is again by default.

    Mmm, what are you refering to?

    Of course

    Thanks for your help
     
  4. redgrum

    redgrum Registered Member

    Joined:
    Nov 16, 2010
    Posts:
    50
    Have you tried the command line switches? Also, I noticed that you have to edit the BCD configuration to do that, so do you have any security/rollback software installed which prevents/undoes changes to this area?

    Perhaps your system cannot have 'always on' and needs application opt-out instead (you'd have to find which application I suppose), are there any likely entires in Event Viewer?


    The 'Configure System' button in EMET - if you click on the DEP line there are the global settings options
     
  5. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I'm not sure what your problem is, but some info:

    The DEP setting is configured in the Boot Configuration Data. You can view this info with bcdedit (http://www.windows7home.net/how-to-use-bcdedit-in-windows-7/).

    The current DEP setting is the "nx" value under Window Boot Loader. In theory, you can change this value using the /set command. EMET is trying to do the equivalent of:
    Code:
    bcdedit /set nx AlwaysOn
    The Control Panel, System.... method is trying to do the equivalent of:
    Code:
    bcdedit /set nx OptOut
    That's what's failing somehow...

    -- EDIT --
    redgrum got there before me...
     
  6. mimuweb

    mimuweb Registered Member

    Joined:
    Sep 28, 2009
    Posts:
    70
    Sure it's something about it. I've loaded an image that i created with Acronis True Image (a clean W7, without any application) and the problem is gone!

    Thanks for your support.

    Best regards

    Miguel Angel
     
Loading...
Thread Status:
Not open for further replies.