Results 1 to 5 of 5
  1. #1
    New Lounger
    Join Date
    Dec 2009
    Location
    Sydney, NSW, Australia
    Posts
    19
    Thanks
    8
    Thanked 0 Times in 0 Posts

    Outlook 2010 crashes opening Rules Wizard with EMET violation

    Windows 7 SP1, Office Pro 2010.
    Just upgraded to Acronis True Image 2016 (ATI) and went into Outlook Rules and Alerts to update the rules for ATI notifications. As soon as the Rules Wizard opens, Outlook crashes and a message appears indicating that EMET has detected an error and wants to know whether to send a dump to EMET support.

    It is not just the ATI rule that is causing this. Any time I open the Rules Wizard by any route or for any rule (even creating a new rule), the crash occurs. It is some time since I last added or updated a rule, so I don't know how long the problem has existed. So not sure if this is related to the ATI upgrade or not. Also not sure if EMET caused the crash or it simply detected that the crash resulted from some EMET violation. Possibly some recent Outlook patch is the culprit?

    System is up-to-date with Important patches (but not with Optional patches to avoid any attempts to force a Win 10 upgrade).

    I googled this but got nothing. Any ideas much appreciated.

    Cheers.

  2. #2
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,594
    Thanks
    5
    Thanked 1,059 Times in 928 Posts
    Try disabling an EMET temporarily.

    Do you have the most current version of EMET?
    Joe

  3. The Following User Says Thank You to JoeP517 For This Useful Post:

    pegleg pete (2016-06-12)

  4. #3
    New Lounger
    Join Date
    Dec 2009
    Location
    Sydney, NSW, Australia
    Posts
    19
    Thanks
    8
    Thanked 0 Times in 0 Posts
    Joe,
    Thank you for your response.
    Yes, I do have the current version of EMET (5.5). I even downloaded a fresh copy and confirmed the version and even the build number were the same.

    In further testing, I noted a Sys Tray notification from EMET when Outlook crashed. The message said: "EMET detected EAF mitigation and will close the application: Outlook".

    It has been quite a while since I installed EMET, and I don't remember all the things that it checks. It is going to take a while for me to set aside time to read through the user manual to bring myself back up to date.

    In short, I am not sure what EAF mitigation is at present. As per your suggestion, I tried to disable EMET temporarily, but couldn't determine how to do this. However, I did stop the "Microsoft EMET Service" (via WinPatrol). Doing this stopped the above EMET message appearing in the notification area, but didn't stop Outlook from crashing when opening the Rules Wizard.

    On the EMET main window/control panel, this is a list of "Running Processes". The list is fairly long. The list has a column "Running EMET". For all running processes (notably excepting OUTLOOK), this field is blank. For OUTLOOK, the field has a green circle with a white tick/check mark. Right-clicking the OUTLOOK.EXE row and clicking on "Configure Process..." firstly displays an error dialog: ' "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" conflicts with existing entry for "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" '. Huhn?? Anyway, clicking OK (only button) opens a window "Application Configuration". This window contains a table of check boxes with program names (in bold) in the leftmost column. The remaining columns have check boxes for DEP, SEHOP, NullPage, HeapSpray, EAF, etc. In the case of EAF, it was checked for all applications in the list. So I unchecked it for OUTLOOK.EXE and pressed OK. Closed Outlook and started all over again. Still crashed in Rules Wizard.

    Going back into the Application Configuration window to check that EAF was still unchecked (it was), I noticed at the bottom row of the list was a SECOND entry for OUTLOOK.EXE and its EAF box was still checked. Also, the name OUTLOOK.EXE was not in bold (every other application was in bold, including the original OUTLOOK.EXE entry that I had unchecked). Not sure why there are two entries for OUTLOOK.EXE or why the second one is not in bold, but I unchecked EAF in the second one (so now both entries have EAF unchecked). OK'd the window again, closed and restarted Outlook and re-opened the Rules Wizard. This time it didn't crash!

    So I am not sure what is going on here. Why two entries for OUTLOOK.EXE and why is one not in bold, unlike all the other entries? Is it safe to leave EAF unchecked (ie, what safety feature have I turned off)? There is a big red cross button at the top of the Application Configuration window labelled "Remove Selected", so I suppose that I could remove one of the OUTLOOK.EXE entries (probably the unbolded entry at the bottom of the list). There is also an "Add Application" button at the top of this window, so it appears that the user can add other applications. Maybe the second OUTLOOK.EXE was added (whereas the bold entries were included automatically). However, I do not recall ever seeing the Application Configuration Configuration window before, so I am sure that I did not add a second OUTLOOK.EXE manually (and I am the only user of this PC).

    So in summary, the problem appears to be resolved - but I am not sure how the problem occurred, nor what the problem really was. I will have to bone up on the features of EMET to get a better insight. If anyone has any suggestions, please feel free to comment here.

    Cheers.

  5. #4
    3 Star Lounger
    Join Date
    Sep 2010
    Location
    Yarra Glen, Victoria, Australia
    Posts
    213
    Thanks
    0
    Thanked 39 Times in 25 Posts
    Why not remove both entries for outlook, stop EMET and restart it to confirm that they are gone, then use "Add application" to add it back in, and remembering to uncheck the EAF column? When I first used EMET I added all my major applications, and for some of them I then commenced to receive those mitigation messages. As each message was received, I went into EMET and unchecked the mitigation being complained of, until it became stable. Even with one (or more) mitigations being disabled, others are still effective, and I conclude that this is still better than not having EMET at all for that application. EMET is fairly wide ranging in what it does, and not all applications can run with all mitigations turned on. That's my take, anyway.

  6. The Following User Says Thank You to Bundaburra For This Useful Post:

    pegleg pete (2016-06-13)

  7. #5
    New Lounger
    Join Date
    Dec 2009
    Location
    Sydney, NSW, Australia
    Posts
    19
    Thanks
    8
    Thanked 0 Times in 0 Posts
    Bundaburra,
    Thanks for the suggestion. I am surprised that EMET would allow duplicate entries for the same program. It must be confusing. At present, everything seems to be working OK. However, I think I will remove the second OUTLOOK.EXE entry (the non-bold one at the bottom of the list) and see how that goes.

    I am still trying to understand why this has suddenly happened, apparently out of the blue. But here is what I am wondering: I first installed EMET (2.0) in January 2011 and upgraded through several versions to 5.0 in September 2014. My PC at the time died in December that year; it was replaced, but EMET was not immediately installed (it was overlooked). Eventually I discovered the omission and installed version 5.5 in February this year. I don't remember the last time that I went into the Outlook Rules Wizard, but it is possible that last week was the first time since version 5.5 was installed. Perhaps the previous versions (up to 5.0) that were installed on the old machine did not have this conflict with Rules Wizard, and I didn't discover the change with the new version until I actually had to review one of the Outlook rules.

    Anyway, as long as it works OK with EAF unchecked for Outlook (and the duplicate entry deleted), I am satisfied.

    Thanks again.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •