
EMET on up-to-date Windows XP


Dave-H


You should also consider installing EMET 4.1 for an extra layer of security: https://www.microsoft.com/en-us/download/details.aspx?id=41138

Newer EMET versions can be used, but these may cause some problems under Windows XP.

 

Just thought I'd report my experience today with EMET, something I wasn't at all familiar with before today.

 

I downloaded and installed version 4.1 (Update 1) as recommended, and it seemed to work fine although it was throwing five warnings into my event log that five "PinRules" were out of date, having expired on 01/08/15.

 

As I didn't want to just delete them, for obvious reasons, I looked into how to update them.

I found what I thought was an answer here.

 

I downloaded the "easy fix", which failed because I hadn't installed EMET in the default folder.

To be fair, the page does warn you of that, but it's still stupid when the EMET installer allows you to choose a different installation destination!

 

Anyway, I uninstalled EMET and reinstalled it in its default location, and the "easy fix" then completed successfully, but didn't fix the event log errors!

 

There were a couple of other issues as well: the system tray icon didn't work as it should; it popped up a message saying "administrator rights needed" if you tried to use it, which is nonsense as I am an administrator, of course!

More seriously, pressing the "Trust" button at the top of the interface resulted in an exception error message coming up.

 


 

I therefore decided to try a later version, although this isn't recommended.

I installed version 5.1, which is not stated to be compatible with XP (although it is with Server 2003).

That installed fine, and the error messages about expired certificates in the Event Log went away, so good result there!

 

The only issues outstanding are that despite the fact that it appeared after the first install, the system tray icon now does not seem to appear at all, even when it's enabled, and the crash on using the Trust button still happens.

I'm not worried about the icon obviously, but the crash is a strange one. As I said, it was doing the same with version 4.1, which is supposed to be compatible with XP, so it's a bit of a mystery why it's happening.

 

Does this tie up with other people's experience with this?

I appreciate this is a bit off-topic, but it is relevant to the thread as EMET is one of the recommendations to use for maximum security.



Thanks @hmuellers.

That's very interesting about the error message you're seeing, because I'm now seeing that exact same message whenever I run a shortcut to a PDF file!

If I dismiss it, Adobe Reader then opens and displays the file fine.

As the error message box is apparently from AcroRd32.exe, I was assuming it was a problem with Adobe Reader, as the version I'm using (11.0.13) no longer officially supports XP, although it does install fine.

I'm wondering if the message appeared after I installed EMET, I will have to uninstall it again to confirm that.

I've not seen it in any other context but the running of PDF shortcuts.

I will have to search for EMET 5.0 and try it if I can find a copy anywhere.

I suspect that if 4.1 and 5.1 are both throwing the error on pressing the "Trust" button that 5.0 will be the same, but you never know!

:)

 

EDIT: Apparently the msvcrt error with EMET 5.1 on XP is known. See here and here. I'll see if I can find 5.0!

Edited by Dave-H

Just a note for anyone running Kaspersky antivirus 2016 and EMET 4.1. I ran into an issue where none of my browsers would launch when both pieces of software were installed. The workaround is to make sure that "enable deep hooks" is not checked in the application settings section of EMET 4.1.


Thanks hmuellers!

 

I now have a copy of EMET 5.0 installed, and the error popups on running PDF shortcuts have gone away.

 

I saved the contents of 5.1's "Deployment" folder, as the files in there seem to unsurprisingly be newer than those in 5.0, so I substituted them, assuming the XML files are later certificate lists. That's certainly what they look like.

5.0 seems to work fine with them anyway. I might even try to use the ones from 5.2 as they will be even newer!

My Event Log seems to be completely clean now, with no entries from EMET at all unless I change a setting.

 

Internet Explorer 8 would not run at all with the default settings on EMET.

I had to disable the "EAF" and "StackPivot" options on iexplore.exe to restore it to working.

Don't know why that would be.

 

The EMET icon still isn't working, but you say that is a known problem and isn't an issue for me.

I'm still getting the crashes when I use the "Trust" button though, which I guess must be a .NET problem, as all versions of EMET fail there the same way.

 

I've attached the full error log, which is meaningless to me I'm afraid.

Can any .NET experts see what's happening there?

Cheers,

Dave.

:)

Error.txt


The EMET tray problem for EMET version 5.0 in Windows XP is easy to solve with the corresponding entry in the registry (standard program path). Insert the following code into a text file and save it, change the extension from txt to inf, select the file, then right-click and install.

[version]
signature = "$CHICAGO$"
SetupClass = BASE

[DefaultInstall]
AddReg = AddRegSection

[AddRegSection]
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run","EMET_Agent",,"""%16422%\EMET 5.0\EMET_Agent.exe"""

Fix for "Admin privileges are required" with EMET version 4.1 in Windows XP (standard program path). Insert the following code into a text file and save it, change the extension from txt to inf, select the file, then right-click and install.

[version]
signature = "$CHICAGO$"
SetupClass = BASE

[DefaultInstall]
AddReg = AddRegSection

[AddRegSection]
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run","EMET 4.1 Update 1 Agent",,"""%16422%\EMET 4.1\EMET_agent.exe"" --NoRestart"

Thanks @Dave-H for the info.

 

@Dave-H

On your .NET Framework problem, keyword Visual Studio: is Visual Studio present?

Read through this post https://msdn.microsoft.com/en-us/library/5hs4b7a6.aspx first; maybe there is a no longer required registry entry on your system.

Here is a concrete contribution http://stackoverflow.com/questions/2116821/net-4-0-culturenotfoundexception to your problem if Visual Studio is installed.

 

:)

Edited by heinoganda
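As an added illustration (not code from the thread, from EMET or from heinoganda), this Python script decodes the two [AddReg] lines from the .inf fixes above the way SetupAPI reads them: INF quoting where a doubled quote stands for a literal quote, and the %16422% directory id standing for Program Files. It shows what value each file writes under the Run key and whether the --NoRestart switch is present, so the entry can be checked before it is installed; the Program Files path is an assumed English-language default.

```python
import re

# DIRID 16422 is the Program Files directory; this path is the default on an
# English-language Windows XP and is an assumption used only to preview values.
DIRIDS = {"16422": r"C:\Program Files"}
# The two AddReg lines from the .inf fixes posted above.
EMET_50_LINE = r'HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run","EMET_Agent",,"""%16422%\EMET 5.0\EMET_Agent.exe"""'
EMET_41_LINE = r'HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run","EMET 4.1 Update 1 Agent",,"""%16422%\EMET 4.1\EMET_agent.exe"" --NoRestart"'

def split_inf_fields(line):
    """Split an INF line on commas outside double quotes; inside a quoted
    field a doubled quote ("") stands for one literal quote character."""
    fields, buf, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == '"' and line[i + 1:i + 2] == '"':
            buf.append('"')           # escaped quote inside a quoted field
            i += 2
            continue
        if ch == '"':
            quoted = not quoted       # delimiter, not part of the value
        elif ch == "," and not quoted:
            fields.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf).strip())
    return fields

def parse_addreg(line):
    """Decode one [AddReg] entry (root, subkey, value name, flags, value).
    Empty flags mean REG_SZ; %NNNNN% directory ids in the value are expanded."""
    root, subkey, name, flags, value = (split_inf_fields(line) + [""] * 5)[:5]
    flags = int(flags, 0) if flags else 0
    value = re.sub(r"%(\d+)%", lambda m: DIRIDS.get(m.group(1), m.group(0)), value)
    return {"root": root, "subkey": subkey, "name": name,
            "type": "REG_SZ" if flags == 0 else "flags=0x%08x" % flags, "value": value}

def run_command(entry):
    """Split a Run value into (executable path, arguments) so the --NoRestart
    switch discussed in the thread can be checked apart from the path."""
    m = re.match(r'^"([^"]*)"\s*(.*)$', entry["value"])
    return (m.group(1), m.group(2)) if m else (entry["value"], "")

if __name__ == "__main__":
    for line in (EMET_50_LINE, EMET_41_LINE):
        entry = parse_addreg(line)
        exe, args = run_command(entry)
        print(entry["root"] + "\\" + entry["subkey"], entry["name"], "=", entry["value"])
        print("  exe:", exe, " args:", args or "(none)")
```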

Wow, thanks @heinoganda!

It never occurred to me that it would be something so simple!

:thumbup

Your script wouldn't have worked for me as it was as I don't have EMET installed in its default location, but I just added the entry in the registry manually, and the system tray icon now works. The option to turn it on and off in the GUI doesn't work, but that's not an issue of course.

I guess the installer missed adding the registry entry or something.

 

Does the tray icon do anything else other than give another means to launch the GUI, such as balloon notifications of events?

If it's only the former, I will probably disable it again anyway.

 

The crash seems to be something to do with language settings as far as I can see, but all the references I've found to it are for programmers who are creating .NET applications. My Windows is set to UK English. Maybe I will try setting it temporarily to US English and see if the error goes away.

I don't have Visual Studio installed. I will check out your links and report back.

Cheers, Dave.

:)

Edited by Dave-H

@Dave-H: For your .NET Framework problem, the first link https://msdn.microsoft.com/en-us/library/5hs4b7a6.aspx would fit. There it is also described how Just-In-Time debugging is disabled or removed.

:)

Thanks again @heinoganda!

I checked out that link, and looked at the registry entries referenced, and they seem to be correct as they should be on my system.

 

I've now tried more versions of EMET, the only one I cannot find anywhere is version 3.0.

 

I even found a copy of version 2.0, but that looked very crude and basic, so I don't really want to use that although it did seem to work correctly.

 

Version 4.0 and 4.1 Update 1 are very similar.

The only difference is that the tray icon works properly on 4.0, whereas on version 4.1 it just throws up a message saying that "admin privileges are required" when it's double clicked, for some completely unknown reason! I am an admin of course.

 

Both 4.0 and 4.1 put errors in the Event Log on every boot saying that five "PinRules" have expired and need to be deleted or updated.

Try as I might I cannot find how to actually update them, and I can't even delete them because apparently you need to go into the "Trust" button dialogue, and that's what is crashing on every version when I try to use it (except 2.0 which doesn't have it!)

 

Version 5.1 (and presumably 5.2 would be the same) causes the error popup every time I try to use Acrobat Reader.

 

Version 5.0 seems to be the best, although the "Trust" button crash is still there, and I'd rather not use it as it isn't designed for the OS.

 

I would probably ideally like to use 4.0, but I don't want it filling my Event Log up with warnings all the time, so I need to get into that "Trust" dialogue, or (even better) find some way of updating these "PinRules".

 

As I said earlier my research seems to indicate that "culture" errors in .NET applications are related to language configuration errors.

I did try putting my machine into US English, but it made no difference.

:no:

 

EDIT: Fixed the icon problem!  :thumbup

 

Apparently it's a known problem with EMET 4.1. See here.

All you have to do is add a "--NoRestart" switch to the registry entry to run EMET_Agent.exe at startup.

 

So that's one thing fixed, and I'm happy with EMET 4.1 now apart from the Event Log entries and the crashes!

:lol:

Edited by dencorso

@Dave-H

 

According to MS, the following entries should be deleted from the registry if they exist (back up beforehand):

  1. In the Registry Editor window, locate and delete the following registry keys:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger

Because you have not been able to find it?

I'll install .NET Framework 4 in VMware some time so that we can compare.

 

Then won the first settled here.

 

:)

Edited by heinoganda

The second key does not exist on my system.

The first one does and points to the "Dr. Watson" debugger.

I tried deleting it, but it made no difference to the error in EMET.

 

Incidentally I had to disable the "EAF" option for iexplore.exe in EMET, or Internet Explorer 8 would not load.

That's a known issue IIRC, but most of the references I found were for fixing IE 11 on later systems with EMET.

I seemed to need the fix on mine too!

:)

Edited by Dave-H

OK, I've managed to fix most of my problems with EMET 4.1!

:thumbup

Someone here had helpfully posted an export of their EMET 5.2 configuration, which seems to include up to date PinRules.

I modified the file to remove all the applications that I don't have installed, and after importing it, I now have presumably 5.2's PinRules, which are still up to date, and no more errors in the Event Log!

 

The only outstanding problem now is that I can't use the "Trust" button function because of the .NET exception error, which I will have to do more research on.

:)

 

EDIT: I've now fixed the crash when using the EMET Trust button!

Turns out it was due to a Nokia application that I have installed to backup my phone adding some custom cultures to the system, which EMET doesn't like for some reason. I disabled them by renaming the files in the windows\globalization folder, and EMET now works fully.

This does not seem to have affected the Nokia application either.

:thumbup

Edited by Dave-H

EMET 4.1 updated pinned rules

 

https://support.microsoft.com/en-us/kb/2961016#/en-us/kb/2961016

You can download MicrosoftEasyFix51012.msi, which is updated periodically; as of 16.01.15 it contains CertTrustUpd.xml updated to 15.09.02.

 

It even works in WinXP.

It requires that Emet is in the default path, which in WinXP is:

 "C:\Program Files\Emet 4.1\"

I installed in C:\Program Files\Emet\; just create a temporary copy in "C:\Program Files\Emet 4.1\". The patch does not modify files but only the Windows registry.

You can also start the program under Sandboxie; when it reaches the final screen, close the program with Sandboxie. In "%temp%\Fixit_51012\" both operational files are then available: import.cmd and certTrustUpd.xml.

 

Regards

 

----- Italian version, my english is basic

EMET periodic updates of validation rules



https://support.microsoft.com/en-us/kb/2961016#/en-us/kb/2961016

You can download MicrosoftEasyFix51012.msi, which is updated periodically; as of 160115 the downloaded version contains CertTrustUpd.xml dated 150902.



It also works in WinXP.

It requires that Emet is present in the default path, which in WinXP is:

 "C:\Programmi\Emet 4.1\"

I installed in C:\Programmi\Emet\; just create a temporary copy in "C:\Programmi\Emet 4.1\". The patch does not modify the files but only the registry.

It is also advisable to start the program under Sandboxie; when it reaches the final screen, close the procedure with Sandboxie. In "%Temp%\Fixit_51012\" the two operational files are available: import.cmd and certTrustUpd.xml.

 

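The "expired PinRules" warnings discussed through the thread, and the CertTrustUpd.xml that the EasyFix post above extracts, both come down to pin rules with an expiry date. As an added example (not code from the thread or from EMET), this Python script reads a configuration export and lists the rules that have expired by a given date together with the enabled pinned sites that rely on them. The element and attribute names (CertTrust, PinRule/Expiration, PinnedSite/PinRule) are assumed to match EMET's export format, and the sample document, site names and reference date are constructed.

```python
from datetime import date
import xml.etree.ElementTree as ET

# Constructed sample shaped like an EMET configuration export. The element and
# attribute names are assumed from EMET's export format and are not taken from
# the thread; the rule names, site names and dates are made up.
SAMPLE_EMET_XML = """<EMET Version="4.1">
  <CertTrust>
    <PinRules>
      <PinRule Name="OldRule" Expiration="2015-01-08T00:00:00" />
      <PinRule Name="CurrentRule" Expiration="2017-06-30T00:00:00" />
      <PinRule Name="NoExpiryRule" />
    </PinRules>
    <PinnedSites>
      <PinnedSite Name="login.example.test" PinRule="OldRule" Enabled="true" />
      <PinnedSite Name="mail.example.test" PinRule="CurrentRule" Enabled="true" />
      <PinnedSite Name="old.example.test" PinRule="OldRule" Enabled="false" />
    </PinnedSites>
  </CertTrust>
</EMET>"""

def parse_expiration(text):
    """Read the calendar date from an ISO-style Expiration value (YYYY-MM-DD...)."""
    year, month, day = (int(part) for part in text[:10].split("-"))
    return date(year, month, day)

def expired_pin_rules(xml_text, today):
    """Map each expired rule name to (expiration date, enabled sites pinned with it).
    A rule with no Expiration attribute is treated as never expiring."""
    root = ET.fromstring(xml_text)
    sites_by_rule = {}
    for site in root.iter("PinnedSite"):
        if site.get("Enabled", "true").lower() == "true":   # disabled sites are not affected
            sites_by_rule.setdefault(site.get("PinRule"), []).append(site.get("Name"))
    expired = {}
    for rule in root.iter("PinRule"):
        name, when = rule.get("Name"), rule.get("Expiration")
        if when and parse_expiration(when) <= today:
            expired[name] = (parse_expiration(when), sites_by_rule.get(name, []))
    return expired

if __name__ == "__main__":
    # 2015-12-17 is a constructed reference date close to the thread's posts.
    for name, (when, sites) in expired_pin_rules(SAMPLE_EMET_XML, date(2015, 12, 17)).items():
        print(f"PinRule {name!r} expired on {when}; enabled pinned sites affected: {sites or 'none'}")
```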
