[TUTORIAL] EMET - Change DEP settings on Home editions of Windows

Discussion in 'other software & services' started by amarildojr, Apr 3, 2016.

  1. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    If you're familiar with my tutorials, you might know they're usually long. This is yet another case. This is a very simple tutorial for a (somewhat) complicated problem with EMET, and a very long explanation of the problem. It's boring, so skip to the "A Light at the end of the Tunnel" part if you're just looking for the answer.

    ------------------------------------------------------------------------------------------------------------------------------------------

    Before the release of the (problematic) EMET 5.5, we had EMET 5.2. It worked as it's supposed to, no complaints in regards to its deployment. Then, Microsoft decided to release a new version of EMET that was compatible with Windows 10, and that changed the game for a lot of people.

    You see, making good software compatible with Windows 10 is not a problem, but you might know that Microsoft, in its recent years, is pushing things down everybody's throat (cough cough, Windows 10). You might think that, since EMET is mostly used in corporate environments, Microsoft wouldn't push its products through it... and you'd probably be wrong.

    Since the release of EMET 5.5, some users won't be able to easily change the System-Wide DEP setting to anywhere other than "Application Opt Out", because apparently Microsoft thinks everybody uses BitLocker for drive encryption. Either that, or they want people to use it, which is a little suspicious to say the least.
    If you try to change that setting, EMET will say that BitLocker needs to be suspended, then you click OK, then it says BitLocker couldn't be suspended, then it will output an error. You can see this in action here (link).

    This is an odd behavior because EMET should detect if the user has BitLocker deployed or not.

    Originally I thought this was caused because my Windows 10 and 7 are Home versions (which are NOT able to use BitLocker), but that is not it. I tried doing the same procedure in Windows 7 Ultimate, and here's what I found out:

    • It works fine on VirtualBox, probably because it emulates TPM modules;
    • It doesn't work on my real hardware, because I don't have a TPM module;
    • If I disable the TPM requirement for BitLocker on gpedit, it still won't work;
    • However, if I start encrypting my drive with BitLocker, EMET will be able to detect that BitLocker is running, then it will suspend it for a few seconds, and then I'm able to change the DEP setting within EMET;
    I can only think of two possible scenarios: either Microsoft dumbed down more than usual, or they're saying we must be using BitLocker or we must have a TPM module in order to enable DEP via EMET. I think this because it's not possible to find a solution that works via EMET.

    Why should I need a TPM module or encrypt my drive with BitLocker in order to use DEP?

    I tried using the command "--system --force dep=ApplicationOptOut", which is supposed to FORCE EMET into enabling DEP system-wide, but that didn't work; I left the command running for 2 hours and nothing happened (usually the result is instant).

    I also tried editing the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\EnableUnsafeSettings" registry KEY, to no avail.

    I simply couldn't find anything helpful on the internet.



    A light at the end of the Tunnel

    Talking with Microsoft tech-helpers via chat, I noticed most couldn't even begin to understand what the problem is. Only two people were helpful: a lady who said the problem was in my BIOS (which isn't completely false, though the lack of details would initially suggest she was just trying to get rid of me), and a guy who wrote the following command:

    bcdedit.exe /set {current} nx AlwaysOn

    I did try the command, but since we were talking live on chat I couldn't just reboot, because it would be hard to resume support with him after rebooting, the only guy who stayed with me for hours straight and even did a remote connection to try to help me. So initially I thought the command didn't do anything... until I rebooted the machine.

    Surprisingly, the command worked the way I wanted. Obviously it's not the same as enabling the rule via EMET, but that is the least of my concerns. If EMET can read what I set up, that's what I want... and that's what I got.

    So how does it work?

    First, open CMD as Administrator.

    If you want EMET to recognize DEP as AlwaysOn, the command is this:
    Code:
    bcdedit.exe /set {current} nx AlwaysOn
    If you want EMET to recognize DEP as ApplicationOptOut, the command is this:
    Code:
    bcdedit.exe /set {current} nx OptOut
    PS: Some programs/games will require you to disable DEP via Advanced System Settings -> Performance -> Data Execution Prevention, just like older versions of EMET.

    Two examples are GTA Vice City and GTA III.

    Done! :) A simple fix for a stupid change on EMET.

    Happy mitigating.
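As an added example (not part of the original post, and not a Microsoft or EMET tool), here is a PowerShell script that shows what the two bcdedit commands above actually change and how to verify it. It reads the DEP policy the running kernel is enforcing, which is the value EMET reads back, from the documented WMI property Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy, parses the pending nx element out of bcdedit /enum, and wraps bcdedit /set for the four values bcdedit accepts (the post uses AlwaysOn and OptOut). It assumes an elevated PowerShell 5.1 or later prompt on Windows with bcdedit.exe on PATH; the function names are my own.

```powershell
# Added example, not from the original post. Reports the system-wide DEP policy
# Windows actually booted with (the value EMET reads back), shows the pending
# value stored in the BCD, and wraps the bcdedit commands from the post.
# Assumptions: elevated PowerShell 5.1 or later on Windows; bcdedit.exe on PATH.

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values (documented WMI property).
$DepPolicyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn'     # Windows client default: DEP only for Windows programs and services
    3 = 'OptOut'    # EMET's "Application Opt Out"
}

function Get-DepPolicy {
    # The policy the running kernel is enforcing. It only changes after a reboot,
    # which is why the post saw nothing happen until the machine was restarted.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $code = [int]$os.DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{
        Code        = $code
        Policy      = $DepPolicyNames[$code]
        HardwareDep = [bool]$os.DataExecutionPrevention_Available
    }
}

function Get-BcdNxSetting {
    # The 'nx' element of the current boot entry is the value that will apply at
    # the next boot. Element names in bcdedit output are not localized.
    $entry = & bcdedit.exe /enum '{current}' 2>$null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; run this from an elevated prompt.' }
    foreach ($line in $entry) {
        if ($line -match '^\s*nx\s+(\S+)\s*$') { return $Matches[1] }
    }
    return 'OptIn'   # no nx element stored means the Windows default
}

function Set-DepPolicy {
    # Write the nx element. AlwaysOn and OptOut are the two values the post uses;
    # OptIn and AlwaysOff are the other two values bcdedit accepts.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AlwaysOn', 'OptOut', 'OptIn', 'AlwaysOff')]
        [string]$Policy
    )
    & bcdedit.exe /set '{current}' nx $Policy | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set failed with exit code $LASTEXITCODE" }
    "BCD updated: nx=$Policy. Reboot before checking EMET; the running policy stays $((Get-DepPolicy).Policy) until then."
}

$running = Get-DepPolicy
"Running DEP policy : $($running.Policy) (code $($running.Code)); hardware DEP available: $($running.HardwareDep)"
"Pending BCD setting: $(Get-BcdNxSetting)"
# To apply the post's fix, uncomment one of the following and reboot:
# Set-DepPolicy -Policy OptOut
# Set-DepPolicy -Policy AlwaysOn
```

Two things worth knowing before picking a value: the BCD element is a boot-time setting on every Windows edition, so it does not depend on BitLocker, a TPM or a Pro/Ultimate licence, which is why it sidesteps the EMET 5.5 check described above; and with nx set to AlwaysOn, the per-program exception list under Advanced System Settings -> Performance -> Data Execution Prevention is greyed out, so the workaround in the PS for old games such as GTA Vice City only works when the policy is OptOut.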
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hmm ... I will test, see what gives.
    Mrk
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    No problem.

    Were you experiencing the same problems as I?
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Nope. Just tested, and I see no issues. Seamless behavior that is identical to the 5.X family.
    Mrk
     
  5. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Can you tell which edition of Windows you're running?
    And if your MOBO has a TPM module?
     
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I had that issue with Windows 7 and had to revert to EMET 5.2, but 5.5 worked without issues in Windows 10 on the same machine. No BitLocker used at all in either system. There is a TPM but I'm not using it either. I will have to look at the BCD entries for each system, but they should be the same. I use a utility called Bootice for BCD editing, and I would have just used the same default settings for each entry with the only difference being the disk and partition of each system.

    The Windows 10 installation is an upgrade from Windows 7, and the upgrade kept EMET 5.2, which was working with no obvious issues until I upgraded it to 5.5.
     
  7. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    40
    Folks, I am considering EMET 5.5 for my Windows 8.1 Pro system with BitLocker enabled throughout, no TPM. I am just running common programs. I have never run any version of EMET before. Will the default configuration work for me? Or will I have to do a lot of tedious tweaking? If it does not work out for me, will EMET 5.5 uninstall cleanly? Thanks!
     
    Last edited: Apr 14, 2016
  8. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Holy Molly, they've fixed the issue with version 5.51.

    Good job Microsoft, good job.
     