Hehehe...okay, first off, anyone that knows me knows that I do love EMET quite a bit. It's clean, yet very powerful, is being very proactively developed, and with just a few clicks you can add invaluable layers of protection to your system that prevent other layers of your security from getting exploited, as well as protect you from your own software being used against you. As for the whole experience of EMET...it's mostly grand. Until you uncheck DEP for a program...and DEP still terminates it. So we begin our tale.

I asked this question a while back and HungryMan informed me "EMET isn't meant to exclude something...it either forces it or does not force it." Erm...okay. I sort of get that. But here's my issue with that. It's confusing! And it's not explained well! And quite frankly, it should be better! Admittedly, someone will find a pro reason why it cannot be, or is not, the way I wish it to be, but still...don't I at least make a good point?

Here's how EMET currently works (assuming you have a basic knowledge of system mitigation opt-in vs. opt-out already):

System Mitigations - always off, always on, self-explanatory. If you choose those settings, of course there can be no exceptions. That's the point.
Opt In - I believe you can opt apps in through EMET using Configure Apps.
Opt Out - Ah...but what's this...DEP crashes a program, so I add it to the EMET Configure Apps list and uncheck DEP...it still crashes. I still have to add this to my DEP exception list in Control Panel / System in Windows? Why?! Not only is that confusing, unintuitive, inconvenient, and frankly annoying, but it is risky. If EMET cannot opt programs out of your system mitigations, what happens if SEHOP crashes a program? Then there's no way to opt it out, because there is no other way of turning off SEHOP other than EMET...unless you go into the registry or use the command line.
I also ran into an even more confusing situation. I have DEP system-wide set to Opt Out, so it should be applied to every app by default, right, unless I opt them out specifically? That's the whole fundamental idea behind Opt Out. Oddly enough...EMET was crashing a program due to DEP that was normally compatible with my system-wide DEP. I unchecked DEP in Configure Apps, and the program worked. This got me excited that maybe they had finally implemented it the way I always wanted it to be in the latest EMET 3.0, but nope, that was just an oddity. I tried removing some entries from my Control Panel / System DEP exception list and unchecking them instead in EMET, and they again did not work.

Are you confused reading all that? My point exactly. It's confusing! Why can't we just have ONE list of mitigations? I say we shall, or it is not truly a fully enhanced mitigation experience! Especially since I've learned all this in practice, and none of it is documented, nor do they warn you about this in mouse-overs or any tool-tips or such!

How I wish EMET worked:

System Mitigations - Always On / Always Off, no exceptions. That's obvious.
Opt In - Programs are not forced unless you check the corresponding system mitigations in Configure Apps.
Opt Out - Programs are forced by default unless you uncheck the corresponding system mitigation in Configure Apps.
**When EMET is installed, by default (controlled with a registry value), EMET will gray out your DEP controls in Control Panel and add a note at the bottom of the dialog saying "Please configure these using the Enhanced Mitigation Experience Toolkit GUI".

What is the point of having DEP and SEHOP present as tickboxes in Configure Apps if they just "force or do not force"? That's useless. It is useless to have to set it there and then make sure you also set it someplace else. Especially since SEHOP and ASLR don't have a "someplace else." Note that I do understand that ASLR is different, since by default Opt Out is not an option.
You can only opt programs in. I also understand that for the other mitigations, the ones that are not system-wide and are application-only, obviously those checkboxes will either force or not force. That makes sense. But for the system-wide ones, why can't it be "force or not force" if you set it to Opt In, but actually work correctly as an Opt Out if you set your system mitigations that way? So in other words, and I'm trying not to make this more confusing than it is... For system mitigations you set to Opt In, having Configure Apps be "check the box to force, uncheck the box to not force" makes sense. For system mitigations you set to Opt Out, however, checking the box in Configure Apps should be "keep it forced" and unchecking it should be "opt it out". I don't know...it just remains weird and a bit frustrating to me to have to maintain two lists.
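For anyone who wants to see where the "other list" actually lives, here is an added example (my own script, not part of the original post and not part of EMET) that reads the places Windows itself keeps the system-wide DEP and SEHOP state the post is talking about: the boot-time NX policy from bcdedit, the Control Panel DEP exception list (stored as AppCompat layers), and the SEHOP switches in the kernel Session Manager key and per-image IFEO keys. It does not read or write EMET's own Configure Apps settings. The registry paths are the ones Microsoft documents for these features; the image name passed to Set-SehopAppOptOut is a hypothetical placeholder, and that function is only run if you call it yourself. Run from an elevated PowerShell prompt.

```powershell
# Added example: audit the Windows-side DEP/SEHOP settings that sit alongside
# EMET's Configure Apps list. Read-only, except Set-SehopAppOptOut (see below).

function Get-DepPolicy {
    # bcdedit reports the boot-time NX policy: OptIn, OptOut, AlwaysOn or AlwaysOff.
    $line = bcdedit /enum '{current}' | Where-Object { $_ -match '^\s*nx\s+' }
    if (-not $line) { return 'Unknown' }
    return ($line -replace '^\s*nx\s+', '').Trim()
}

function Get-DepExceptions {
    # The Control Panel "Turn on DEP for all programs except..." list is stored as
    # AppCompat layers: value name = full path of the exe, data contains DisableNXShowUI.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$($hive):\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'DisableNXShowUI' } |
            ForEach-Object { [pscustomobject]@{ Hive = $hive; Image = $_.Name } }
    }
}

function Get-SehopState {
    # SEHOP system-wide switch: DisableExceptionChainValidation under Session Manager\kernel
    # (0 = enabled, 1 = disabled; if absent, the OS default applies: on for Server SKUs,
    # off for client SKUs). Per-image opt-outs use the same value name under IFEO\<exe>.
    $kernel = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' -ErrorAction SilentlyContinue
    $v = $kernel.DisableExceptionChainValidation
    $system = if ($null -eq $v) { 'Not set (OS default)' } elseif ($v -eq 0) { 'Enabled' } else { 'Disabled' }

    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $perApp = Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $d = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisableExceptionChainValidation
        if ($null -ne $d) { [pscustomobject]@{ Image = $_.PSChildName; SehopDisabled = ($d -ne 0) } }
    }
    [pscustomobject]@{ SystemWide = $system; PerApp = @($perApp) }
}

function Set-SehopAppOptOut {
    # Opts a single image out of SEHOP via its IFEO key. Only call this deliberately:
    # it weakens exploit mitigation for that program.
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. 'legacyapp.exe' (hypothetical)
    $key = Join-Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name DisableExceptionChainValidation -PropertyType DWord -Value 1 -Force | Out-Null
}

"System DEP policy  : $(Get-DepPolicy)"
"DEP exception list :"
Get-DepExceptions | Format-Table -AutoSize
$sehop = Get-SehopState
"SEHOP system-wide  : $($sehop.SystemWide)"
"SEHOP per-image    :"
$sehop.PerApp | Format-Table -AutoSize
```

The useful check here is to compare the output against what you have ticked in EMET's Configure Apps: a program that still crashes under DEP after you untick it in EMET will show up as missing from the DEP exception list above, and a SEHOP opt-out only exists if you see the IFEO entry, since there is no Control Panel page for it.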