EMET 2.1 Follow-Up

I’ve had a great response to the EMET post and have a couple of issues to follow up on.

How did you get SEHOP to be Always On?

The system I was running when taking the screenshots was Vista 64-bit, and apparently this is a Vista-only option. On Windows 7, by default, you have only “Application Opt In” and “Application Opt Out”. I did some testing on this and used Process Monitor to determine what registry key was being changed on the systems.

HKLM\System\CurrentControlSet\Control\SESSION MANAGER\kernel\DisableExceptionChainValidation
Disabled is 1 and Always On is 0.

This is the same key on both Windows 7 and Vista, so this must be controlled at a deeper level than we can directly interact with.
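
To check this setting across machines, the following PowerShell audit is an added example (not code from the original post) that reads the value named above and reports the SEHOP state. The per-image Image File Execution Options lookup is not mentioned in the post; it is the per-application override described in Microsoft's SEHOP guidance, and the function names are hypothetical.

```powershell
# Added example: audit SEHOP settings in the registry.
# Value name and 0/1 meaning are from the post; the per-image IFEO check is an addition.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'DisableExceptionChainValidation'

function Get-SehopValue {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Return the DWORD, or $null when the key or the value is absent.
    $item = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function ConvertTo-SehopState {
    param($Value)
    if ($null -eq $Value) { return 'Not set (OS default applies)' }
    if ($Value -eq 0)     { return 'Enabled' }
    if ($Value -eq 1)     { return 'Disabled' }
    return "Unexpected value: $Value"
}

function Get-SehopReport {
    # First row: the system-wide setting the post found with Process Monitor.
    New-Object PSObject -Property @{
        Scope = 'System-wide'
        State = ConvertTo-SehopState (Get-SehopValue $KernelKey)
    }
    # Remaining rows: images that carry their own override under IFEO.
    Get-ChildItem -LiteralPath $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $value = Get-SehopValue $_.PSPath
        if ($null -ne $value) {
            New-Object PSObject -Property @{
                Scope = $_.PSChildName
                State = ConvertTo-SehopState $value
            }
        }
    }
}

Get-SehopReport | Select-Object Scope, State | Format-Table -AutoSize
```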

Lsass and Spooler Crashing on Boot

Rationallyparanoid has several great posts about EMET. They mentioned adding LSASS.exe and Spooler.exe to the protected applications. This worked on older versions of EMET, but I’m having crash issues on Vista 64-bit SP2 with 2.1. I have removed BottomUpRand and EAF, and that appears to fix the instability issues on these applications. Windows 7 64-bit does not seem to be experiencing this issue.
