Last modified: 2012-05-16 10:14:53 EEST
Sadly, bugs and security holes are common in programs, applications and plug-ins today. Each month hundreds of these are discovered and misused by cyber-criminals. Microsoft has added some pretty good protection techniques with each release of Windows, but not all of those techniques are used when software is created. For example, many anti-virus programs do not make use of the handy ASLR (Address Space Layout Randomization) capabilities. Did this sound too technical? In simpler terms: Windows Vista, 7 and 8 can randomize where a program is located in system memory, so that attackers cannot easily find and disable it. If a program always sits in the same spot of system memory, it is an easy target for malware that tries to kill or exploit it.
To help protect such applications, Microsoft has released a cool and easy-to-use tool named EMET - Enhanced Mitigation Experience Toolkit, a small program that enforces modern protection techniques on any application, even one that was not built to use them. EMET works in Windows XP (Service Pack 3 required), Windows Vista (Service Pack 1 required), Windows 7, Windows 8 and Windows Server 2003 (Service Pack 1 required), 2008 and 2008R2. This way EMET often protects even against security bugs that have not been patched yet.
There are some differences between 64-bit and 32-bit operating systems, but let's not make this article too geeky; the only thing that really matters is that EMET enhances security a lot. Those who are interested in all the details can read the user manual that comes with EMET.
EMET version 3 notifies users when a mitigation event occurs and logs events to the Application log in Event Viewer.
Open the EMET download page and click the Download button.
After downloading and launching the setup file, the EMET Setup Wizard opens. Click Next.
By default, Start menu items are created just for you (the current user). If you want EMET to be accessible to all users on this computer, select Everyone. Then click Next.
Click to select I Agree and then click Next. Microsoft seems to have too many Next buttons in stock, apparently.
Now Microsoft asks whether you are really sure you want to install EMET. Doh, of course - click the next Next button!
In case of an upgrade, you might see a list of open programs that must be closed. These programs are protected by an earlier version of EMET.
You can close the listed programs and click Try Again; or if you're happy to restart your computer, click Continue.
After the files have been copied and the registry settings added, click Close. EMET is now installed and it is time to configure it.
To run EMET in Windows XP, open the Start menu, click All Programs, Enhanced Mitigation Experience Toolkit and then click EMET <version number>.
Users of Windows Vista and 7 can type "emet" into the Start menu search box and click EMET <version number>. This pops up a User Account Control window; click Continue in Windows Vista or Yes in Windows 7.
The first clickable button is Configure System, but I strongly advise against using it. Leave EMET's system configuration at its defaults, because there are known problems with various older video (graphics) card drivers that do not understand ASLR and therefore crash your computer at boot. Yup, Windows will not start anymore! And surely there are many older programs that are not compatible with EMET's security techniques, which can cause problems such as programs crashing or hanging, not starting, etc.
If you are curious, the button will open a System Configuration window with two Profiles available. Please note that the default configuration is always named "Custom Settings".
The Maximum Security Settings profile enforces all security techniques for each and every application on your computer, and this is where most of the possible crashes come from. Do not use it unless you are willing to face potential problems and you know how to troubleshoot Windows!
The safe profile is Recommended Security Settings.
Changing the System Configuration requires restarting Windows for the changes to take effect.
You will see a list of currently running programs at the bottom of the window. This list also indicates whether a program is already using EMET. You can sort the list by any column by clicking on the column header.
The list of running processes is automatically updated every 30 seconds, but you can refresh it yourself by clicking the green Refresh Process List button.
This is what EMET looks like in Windows XP - note that SEHOP and ASLR are unavailable on the good old operating system.
The window looks a tad different in Windows Vista and 7. ASLR is available (but SEHOP is disabled in Windows Vista) and the process list includes the DEP column, which shows whether the application has been built to use DEP.
OK, let's get started! Click the Configure Apps button in the bottom right.
To add extra protection to a program, you must first add it to the Application Configuration window. By default, this list is empty.
To enable EMET for a program, click the Add button.
Let's add Internet Explorer first. Click My Computer or Computer on the left and open the drive that has Windows installed on it - usually named "Local Disk" and ending with "(C:)". Navigate to Program Files folder and then open Internet Explorer folder. Click iexplore.exe and then click the Open button.
Now Internet Explorer is on the list of protected applications and it has all protections enabled. For most web browsers, it is strongly recommended to disable the Mandatory ASLR protection - otherwise the browsers might crash or not load at all.
Please note that on 64-bit Windows Vista, 7 and 8, the Program Files folder contains the far less used 64-bit version of Internet Explorer. To also add the 32-bit version of Internet Explorer (the version typically used) to EMET, navigate to the Program Files (x86)\Internet Explorer folder instead.
Here is a list of common programs requiring protection, and their location on system disk (C:) in 32-bit Windows XP, Vista, 7 and 8:
For 64-bit Windows Vista, 7 or 8, replace Program Files with Program Files (x86) and System32 with SysWOW64.
NB! Print Spooler and Local Security Authentication Server are always in the Windows\System32 folder, even in 64-bit Windows.
Several programs (for example, Java and Windows Media Player) might have both 32- and 64-bit versions installed; check both Program Files and Program Files (x86).
Those requiring extra security can also add the following important Windows files to the list.
Please note that this slows your computer and prevents secondary logons (Run As / Run as administrator command) from working correctly!
The files above are often targeted by malware and protecting these from zero-day flaws can save your computer from trouble.
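To apply the 32-bit/64-bit folder rules above (Program Files versus Program Files (x86), System32 versus SysWOW64, and the two services that always stay in System32) without guessing, here is an added PowerShell example that is not part of the original article: it builds the list of candidate executable paths for the Application Configuration window and reports which ones actually exist on this computer. The Java and Windows Media Player entries in the sample list are assumed locations.

```powershell
# Added example (not from the original article): builds the candidate paths to add in
# EMET's Application Configuration window, following the article's rules: on 64-bit
# Windows, 32-bit programs live under "Program Files (x86)" and 32-bit system binaries
# under SysWOW64, except spoolsv.exe (Print Spooler) and lsass.exe (Local Security
# Authentication Server), which are always in Windows\System32.
function Get-EmetCandidatePath {
    param(
        [string[]]$ProgramFilesApp,   # relative to Program Files, e.g. "Internet Explorer\iexplore.exe"
        [string[]]$System32App        # file names below Windows\System32, e.g. "spoolsv.exe"
    )
    $is64Bit = [bool]${env:ProgramFiles(x86)}      # this variable only exists on 64-bit Windows
    $alwaysSystem32 = @('spoolsv.exe', 'lsass.exe')
    $candidates = @()

    foreach ($app in $ProgramFilesApp) {
        $candidates += Join-Path $env:ProgramFiles $app                # native (64- or 32-bit) copy
        if ($is64Bit) {
            $candidates += Join-Path ${env:ProgramFiles(x86)} $app     # 32-bit copy on 64-bit Windows
        }
    }
    foreach ($app in $System32App) {
        $candidates += Join-Path "$env:SystemRoot\System32" $app
        if ($is64Bit -and ($alwaysSystem32 -notcontains $app)) {
            $candidates += Join-Path "$env:SystemRoot\SysWOW64" $app   # 32-bit copy of a system tool
        }
    }
    # Only paths that exist should be added to EMET; report each candidate with its status.
    foreach ($path in $candidates) {
        New-Object PSObject -Property @{ Path = $path; Exists = (Test-Path -LiteralPath $path) }
    }
}

# Constructed sample list: Internet Explorer plus the two Windows services named in the
# article; the Java and Windows Media Player entries are assumed locations, adjust as needed.
Get-EmetCandidatePath `
    -ProgramFilesApp @('Internet Explorer\iexplore.exe', 'Java\jre7\bin\java.exe', 'Windows Media Player\wmplayer.exe') `
    -System32App @('spoolsv.exe', 'lsass.exe') |
    Format-Table Path, Exists -AutoSize
```

Rows with Exists set to False are either not installed on this computer or live somewhere else; only add the paths marked True.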
Click OK after adding applications to the list.
EMET usually displays an orange exclamation mark with the text "The changes you have made may require restarting one or more applications". It is usually best to restart your computer after making the first changes in EMET - this ensures that Windows processes that are already running, such as Print Spooler and Local Security Authentication Server, are restarted with EMET protection enabled.
Close EMET. You will probably encounter an informational message that repeats the text above. Click OK.
After restarting, check the Running Processes list to see whether the protection techniques have taken effect. Each program that is protected by EMET has a green check mark in the Running EMET column.
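The same check can be scripted, which is handy when you look after several computers. The following is an added PowerShell example, not code from the article or from Microsoft; it assumes that EMET 3 protects a process by loading EMET.dll (EMET64.dll in 64-bit processes) into it and that, as the article notes, mitigation events are written to the Application log, here assumed to use the event source name "EMET".

```powershell
# Added example (not from the original article): scripted version of the GUI's
# "Running EMET" column plus the Application log check.
# Assumptions: a protected process has EMET.dll or EMET64.dll loaded; EMET writes its
# mitigation events to the Application log with the source name "EMET".
# Run from an elevated PowerShell: reading the module list of system processes such as
# lsass.exe and spoolsv.exe requires administrator rights.
function Get-EmetProtectedProcess {
    param([string[]]$Name = @('iexplore', 'spoolsv', 'lsass'))   # processes worth checking
    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $modules = @()
        try {
            $modules = @($proc.Modules | ForEach-Object { $_.ModuleName })
        } catch {
            # Access denied (not elevated) or a 32-/64-bit mismatch: report as not verified
        }
        New-Object PSObject -Property @{
            Name        = $proc.ProcessName
            Id          = $proc.Id
            RunningEMET = [bool]($modules -match '^EMET(64)?\.dll$')
        }
    }
}

function Get-EmetEvent {
    param([int]$Newest = 20)
    # Get-EventLog also works on Windows XP; Source filter assumed to be "EMET".
    Get-EventLog -LogName Application -Source EMET -Newest $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, Message
}

Get-EmetProtectedProcess | Format-Table Name, Id, RunningEMET -AutoSize
Get-EmetEvent | Format-List
```

A process showing RunningEMET as False after a restart either is not on EMET's application list or was read without sufficient rights; a mitigation event in the log for one of your browsers is worth a closer look, since it means EMET blocked something in that process.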
By default, all protection techniques are enabled. For some programs, such as Skype, Dropbox or Office 2003 programs (Word, Excel, PowerPoint, etc.), it is recommended to turn EAF off if they crash after launching. Office XP (and older) programs do not seem to run with EMET protections enabled.
The EMET support forum lists all known compatibility issues and solutions.
You can also experiment with turning other methods off and on for troubleshooting purposes. First, with the troublesome application closed, launch EMET, click Configure Apps and turn off a method for the troublesome program. Then close EMET and try launching the application again. Repeat the process until your application works normally.
Please note that some versions of Trusteer Rapport have trouble with Microsoft EMET - web browsers do not open at all or open a blank, unusable window. In that case, Windows XP users should disable EAF protection for web browsers, and Windows Vista and 7 users should disable Mandatory ASLR protection for web browsers.
If you want to remove an application from EMET's list completely, click its name once and then click the Remove button.
© Copyright 2009-2012 - Margus Saluste