EMET -- System32 .exe's won't run with it?

Discussion in 'other software & services' started by Hungry Man, Jun 23, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I have the entire system32 folder added but none of them have a "check" under "Running EMET"
     
  2. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    Did you restart?
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes. I've restarted multiple times.
     
  4. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    That's odd. I've read somewhere that adding system files works. The author even posted a script to automate the process. I just can't remember the link.
     
  5. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    53
    Hi,

    The application compatibility toolkit happens to be my current area of research. As a side project I have written a native interface for EMET with C++/asm rather than the piece of crap .NET GUI. I am adding support for many advanced features not present in the Microsoft GUI.

    Would you PM me if you're interested in being my guinea pig?

    If you're not interested then you can check this registry key to see if the applications are protected: HKLM\SOFTWARE\Microsoft\EMET\

    I have found some bugs in how Microsoft EMET handles the registry and application compatibility SDB entries... the EMET application is poorly designed and it is possible for registry orphans to be present. In layman's terms... I have found that sometimes the registry says ApplicationX is protected but the AppCompat database EMET actually uses will have no entry for the application.

    I have implemented a scanner in my GUI to check for these situations. You sound like a perfect candidate for testing it. Let me know if you're interested.
     
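The registry check and the "orphan" condition described in the post above can be scripted. The following PowerShell is an added example, not the poster's tool and not anything shipped with EMET. It assumes that EMET records each protected executable under HKLM\SOFTWARE\Microsoft\EMET as a subkey name or a value name ending in .exe (the exact layout differs between EMET versions, so both are scanned), and that the shim engine registers per-image custom database entries as subkeys named after the image file under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom. An executable that appears in the EMET key but has no matching Custom subkey is reported as a candidate orphan. Run it from an elevated prompt; the function names are made up for this example.

```powershell
# Added example (not from the thread or from EMET itself). Registry layout
# assumptions: EMET stores protected images under $EmetKey as subkey or value
# names ending in .exe; the AppCompat shim engine keeps one subkey per image
# file name under $CustomKey for custom SDB registrations.
$EmetKey   = 'HKLM:\SOFTWARE\Microsoft\EMET'
$CustomKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'

function Get-EmetRegisteredImages {
    # Collect every name under the EMET key that looks like an executable,
    # whether stored as a subkey name or as a value name.
    param([string]$Path = $EmetKey)
    if (-not (Test-Path $Path)) { throw "EMET key not found: $Path" }
    $names = @()
    foreach ($key in @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse)) {
        $names += $key.PSChildName        # subkey-per-application layout
        $names += $key.GetValueNames()    # value-per-application layout
    }
    $names | Where-Object { $_ -match '\.exe$' } | Sort-Object -Unique
}

function Get-EmetShimOrphans {
    # Compare EMET's own registrations with the per-image entries the shim
    # engine consults. An image EMET lists but AppCompat\Custom does not is
    # the "registry says protected, SDB has no entry" condition from the post.
    param([string]$EmetPath = $EmetKey, [string]$CustomPath = $CustomKey)
    $shimmed = @{}
    if (Test-Path $CustomPath) {
        Get-ChildItem $CustomPath | ForEach-Object {
            $shimmed[$_.PSChildName.ToLowerInvariant()] = $true
        }
    }
    foreach ($entry in Get-EmetRegisteredImages -Path $EmetPath) {
        $image = [System.IO.Path]::GetFileName($entry).ToLowerInvariant()
        [pscustomobject]@{
            Entry     = $entry                            # as written in the EMET key
            Image     = $image                            # file name the shim engine matches on
            OnDisk    = Test-Path -LiteralPath $entry     # false if the path is stale
            ShimEntry = $shimmed.ContainsKey($image)      # false => candidate orphan
        }
    }
}

# Show only the entries EMET thinks are protected but AppCompat has no entry for.
Get-EmetShimOrphans | Where-Object { -not $_.ShimEntry } | Format-Table -AutoSize
```

Match is done on the image file name only because the AppCompat Custom key is keyed by file name, not full path; two EMET entries for different copies of the same executable will therefore share one shim entry. A row with ShimEntry false is a reason to look further (for example with the EMET command-line tool or by inspecting the custom SDB), not proof of a bug on its own.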
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    I don't know, but perhaps the option "install for this user only" instead of "install for all users" could affect this?
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I installed for all users I believe.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Is there a reason why you'd want to add the entire System32 folder .exe under EMET's protection?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Nope. Should it matter?
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If it matters depends on you... :D I was just wondering why you'd want to add all those .exes. That's all. :p
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Curiosity to see if it would cause system instability.
     
  12. x942

    x942 Guest

    Same issue here. Not sure why. I even tried adding them one by one but nothing?
     
  13. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    53
    Hello,

    This morning when I read this thread again... I realized that the 'Application Compatibility Toolkit' shim engine might not allow for patching of files protected by 'Windows File Protection'. Most of the files in the system32/SysWOW64 folders have signed catalog entries. Since this is what EMET is using to patch applications, it would also be subject to this restriction.

    I don't know this for sure... it's just my intuition. If I have time later this week... I'll try to use WinDbg to confirm my suspicion.

    -MessageBoxA
     