Geeks in Phoenix


Harden / Mitigate the security of your Windows programs with Microsoft EMET

Updated January 31, 2021. Microsoft's Enhanced Mitigation Experience Toolkit reached the end of its life on July 31, 2018, and is no longer available for download.

Enhanced Mitigation Experience Toolkit 5.5

Let's face it, some of the software we use on a daily basis has become subject to security vulnerabilities and exploits. Software manufacturers do their best to develop and test fixes / patches as fast as possible, but this can take time. A lot of users just cannot keep up with all of the updates and hotfixes. A few years ago Microsoft released the Enhanced Mitigation Experience Toolkit (EMET) to deal with just this issue.

View of the main screen inside EMET 5.5

So what is EMET? EMET monitors selected programs (Internet Explorer, Microsoft Office, etc.) for known attack actions and techniques. When one of its mitigation technologies is triggered, EMET either blocks the program's access to the resource it is trying to reach or terminates the program. EMET expands on the Data Execution Prevention (DEP) technology that Microsoft has included in the Windows operating system since Windows XP SP2. It also validates SSL certificates inside of Internet Explorer through certificate pinning.

View of the application configuration screen inside EMET 5.5

So how does EMET work? EMET acts as a shim between the program being monitored and the operating system. The monitored program thinks it's talking directly to the operating system, but it's actually talking to it through EMET. EMET comes with predefined profiles for some of the more common programs like Microsoft Office, Internet Explorer, Adobe Acrobat and Java. You can also add to the predefined profiles or create your own. I recommend that you monitor any program that can open files on or from the Internet.

What security exploits are currently covered

Here is the list of mitigations that EMET 5.5 currently provides.

  • Attack Surface Reduction (ASR) Mitigation
  • Export Address Table Filtering (EAF+) Security Mitigation
  • Data Execution Prevention (DEP) Security Mitigation
  • Structured Exception Handler Overwrite Protection (SEHOP) Security Mitigation
  • NullPage Security Mitigation
  • Heapspray Allocation Security Mitigation
  • Export Address Table Filtering (EAF) Security Mitigation
  • Mandatory Address Space Layout Randomization (ASLR) Security Mitigation
  • Load Library Check - Return Oriented Programming (ROP) Security Mitigation
  • Memory Protection Check - Return Oriented Programming (ROP) Security Mitigation
  • Caller Checks - Return Oriented Programming (ROP) Security Mitigation
  • Simulate Execution Flow - Return Oriented Programming (ROP) Security Mitigation
  • Stack Pivot - Return Oriented Programming (ROP) Security Mitigation
  • Windows 10 untrusted fonts

What programs should you harden / mitigate

You only want to harden / mitigate programs that are targeted on a regular basis. Web browsers like Chrome, Firefox and Internet Explorer, productivity / office programs like Microsoft Word, Excel and PowerPoint, and e-mail clients like Outlook and Windows Live Mail are a few examples. I recommend that you harden any program that can open files on or from the Internet.

What programs should you not harden / mitigate

You should never configure EMET to monitor anti-virus, anti-malware, intrusion prevention / detection software, debuggers, software that handles Digital Rights Management (DRM) technologies or software that uses anti-debugging, obfuscation, or hooking technologies.

Installation notes

New installation: Just download EMET and install it.

Upgrade install: Since the registry keys for EMET changed with this version, you can either export your existing EMET settings using the method in the 'What's new' section below (which uses the converter script) or reconfigure all of the program settings. Given the drastic change in the EMET data format inside of the registry, I think it is easier to reconfigure EMET than to try the export / import method. Either way, remember to uninstall any older version of EMET and restart your computer before you install this version.

What's new in EMET 5.5?

  • Full-featured GPO management, compatible with reporting and compliance requirements
  • Command line: new syntax and options
  • Implementation of certificate pinning now based on root CA thumbprints. Exceptions logic removed.
  • Export and Import now memorize path
  • EMET registry has been refactored. To convert settings from previous versions of EMET (including EMET 5.5 Beta), the registry values must be saved to a file and then imported back using the converter PowerShell script after EMET 5.5 is installed. Here are the steps to follow:
  1. Export settings. From an elevated PowerShell prompt, run the following command:
    .\Migrate-EmetSettings.ps1 -RegFile .\NewEmetSettings.reg -MissingCertCsv .\MissingCerts.csv
    The PowerShell script Migrate-EmetSettings.ps1 is provided with EMET 5.5 RTM and includes documentation about its usage.
  2. Uninstall the former version of EMET.
  3. Install EMET 5.5 RTM. When asked to choose between Use recommended settings and Configure manually later, choose Configure manually later.
  4. Import settings. From an elevated PowerShell prompt, run the following command:
    reg.exe import .\NewEmetSettings.reg

Supported Operating Systems

Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, Windows Server 2012 R2

  • EMET 5.5 requires .NET Framework 4.5.
  • For Internet Explorer 10 on Windows 8, you need to install KB2790907, a mandatory Application Compatibility update released on March 12th, 2013, or any later Application Compatibility update for Windows 8.

Upgrading to Windows 7 from Windows XP

Windows XP is currently the most popular operating system, with Windows 7 quickly catching up. As more and more people are moving from Windows XP to Windows 7, I thought I would spotlight a series of articles that I wrote a little while back. My move from Windows XP to Windows 7 was a 'side-by-side' migration, with two separate systems.

I, believe it or not, never used Windows Vista on any of my production systems. I ran Windows XP up until Windows 7 was released. I did run Windows 7 Release Candidates on a test system for several months before its release and was very happy with it. I even wrote a series of articles about it too. Here they all are.

Upgrading to Windows 7 from Windows XP

Upgrading from Windows XP to Windows 7 (Part 1)

Upgrading from Windows XP to Windows 7 (Part 2 - Drive Imaging)

Upgrading from Windows XP to Windows 7 (Part 3 - Hardware / Software Inventory)

Upgrading from Windows XP to Windows 7 (Part 4 - Windows 7 Installation)

Upgrading from Windows XP to Windows 7 (Part 5 - Applications and Settings)

Upgrading from Windows XP to Windows 7 (Part 6 - Epilogue)

Beta testing Windows 7

Beta testing Windows 7 - Part 1

Beta testing Windows 7 - Part 2

Beta testing Windows 7 - Part 3

Beta testing Windows 7 - Part 4 (Antec cases)

Beta testing Windows 7 - Part 5 (BIOS and installation)

Beta testing Windows 7 - Part 6 (software overview) (Video)

Beta testing Windows 7 - Part 7 (Photoshop Benchmark)

Resetting your network adapter in Windows 7

Network shell (Netsh) is a command-line tool an administrator can use to configure and monitor network devices on Windows-based computers. A common use of Netsh is to reset the TCP/IP stack back to its default settings.

Netsh can do more than reset the TCP/IP stack: it can completely reset your network adapter(s), and it resets the Windows Firewall in Windows 7 too.

Using Netsh in Windows 7

To use Netsh, you will need to open a Command Prompt as an administrator. There are two ways to do this:

  • Click the Start button, then All Programs, then Accessories, then right-click Command Prompt, and then click Run as administrator. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

  or

  • Click the Start button. In the search box, type Command Prompt, and then, in the list of results, right-click Command Prompt, and then click Run as administrator. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

Netsh commands in Windows 7

The following is a list of the Netsh commands you can use to reset your Windows 7 network adapter:

netsh advfirewall reset
Restores the Windows Firewall with Advanced Security policy to the default policy. The current active policy can optionally be exported to a specified file. This command returns all settings to not configured and deletes all connection security and firewall rules in a Group Policy object.

netsh branchcache reset
Resets the BranchCache service and flushes the local cache. Every configuration parameter of BranchCache is reset to its default value.

netsh int ip reset c:\resetlog.txt
Resets TCP/IP and related components to a clean state. The path given is the log file the reset writes.

netsh int ipv6 reset
Resets the IPv6 configuration state.

netsh winsock reset
Resets the Winsock Catalog to a clean state. All Winsock Layered Service Providers which were previously installed must be reinstalled. This command does not affect Winsock Name Space Provider entries.
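The reset sequence above as a single script, an added example that is not from the original article: it refuses to run without elevation, exports the current firewall policy first (netsh advfirewall reset deletes every custom rule, so a copy lets you re-import anything you depended on), and then runs each reset in the order listed, stopping at the first failure. The backup folder C:\NetReset is an assumption; change it to suit.

```powershell
# Added example, not part of the original article. Run from an elevated PowerShell prompt.
$BackupDir = 'C:\NetReset'                     # assumed location for the policy backup and log
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Every reset below needs an administrator token, so stop early if we do not have one.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell prompt.'
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 2. Save the active firewall policy before touching anything. "netsh advfirewall reset"
#    removes all custom firewall and connection security rules; the saved .wfw file can be
#    restored later with: netsh advfirewall import <file>
$PolicyBackup = Join-Path $BackupDir "advfirewall-$Stamp.wfw"
& netsh advfirewall export "$PolicyBackup" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Firewall policy export failed; nothing has been reset.' }

# 3. The resets, in the order the article lists them. Each entry is an argument array so
#    a log path containing spaces would still be passed as one argument.
$ResetCommands = @(
    @('advfirewall', 'reset'),
    @('branchcache', 'reset'),
    @('int', 'ip', 'reset', (Join-Path $BackupDir "resetlog-$Stamp.txt")),
    @('int', 'ipv6', 'reset'),
    @('winsock', 'reset')
)
foreach ($a in $ResetCommands) {
    Write-Host ('netsh ' + ($a -join ' '))
    $output = & netsh $a 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("netsh {0} failed (exit code {1}):`n{2}" -f ($a -join ' '), $LASTEXITCODE, ($output -join "`n"))
    }
}

# 4. The TCP/IP and Winsock resets only take full effect after a reboot.
Write-Host "Network reset complete. Firewall policy backup: $PolicyBackup"
Write-Host 'Restart the computer to finish applying the changes.'
```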

Managing Virtual Memory / Pagefile in Windows 7

Updated October 15, 2020

Your computer has two types of memory, Random Access Memory (RAM) and Virtual Memory. All programs use RAM, but when there isn't enough RAM for the program you're trying to run, Windows temporarily moves information that would usually be stored in RAM to a file on your hard disk called a Paging File. The amount of data temporarily stored in a paging file is also referred to as virtual memory. Using virtual memory, in other words, moving information to and from the paging file, frees up enough RAM for programs to run correctly.

The more RAM your computer has, the faster your programs will generally run. If a lack of RAM is slowing your computer, you might be tempted to increase virtual memory to compensate. However, your computer can read data from RAM much more quickly than from a hard disk, so adding RAM is a better solution.

If you receive error messages that warn of low virtual memory, you need to either add more RAM or increase your paging file size so that you can run the programs on your computer. Windows usually manages this automatically, but you can manually change the virtual memory size if the default size isn't large enough for your needs.

Change the size of virtual memory

If you receive warnings that your virtual memory is low, you'll need to increase your paging file's minimum size. By default, Windows creates a paging file that can be smaller than the amount of random access memory (RAM) installed on your computer. The recommended minimum page file size should be 1.5X the current amount of RAM, and the maximum size should be 3X the minimum (see custom size below). If you see warnings at these recommended levels, then increase the minimum and maximum sizes.

To open System Properties, press the Windows logo key + Pause.

Windows 7 Pagefile Settings 1

In the left pane, click Advanced system settings. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

Windows 7 Pagefile Settings 2

On the Advanced tab, under Performance, click Settings.

Windows 7 Pagefile Settings 3

Click the Advanced tab, and then, under Virtual memory, click Change.

Windows 7 Pagefile Settings 4

Clear the Automatically manage paging file size for all drives check box.

Under Drive [Volume Label], click the drive that contains the paging file you want to change.

Click Custom size, type a new size in megabytes in the Initial size (MB) or Maximum size (MB) box, click Set, and then click OK. There is a formula for calculating the correct pagefile size. The minimum pagefile size is one and a half (1.5) x the amount of memory, and the maximum pagefile size is three (3) x the minimum pagefile size. Say you have 4 GB (4,096 MB) of memory: 1.5 x 4,096 = 6,144 MB would be the minimum pagefile size and 3 x 6,144 = 18,432 MB would be the maximum pagefile size.

Note:
Size increases usually don't require a restart for the changes to take effect, but you'll need to restart your computer if you decrease the size. It is recommended that you don't disable or delete the paging file.
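As an added example that is not from the original article, this PowerShell snippet reads the installed RAM and the current paging file configuration and applies the 1.5x / 3x rule above, so you can compare the recommended values with what is configured and with the peak usage since boot before changing anything. It uses Get-WmiObject, which is available in the PowerShell that ships with Windows 7, and only reports; it changes no settings.

```powershell
# Added example, not part of the original article. Reports only; nothing is changed.

# Installed memory as Windows sees it (bytes). This is usually a little below the
# nominal module size, e.g. a 4 GB machine may report 4,094 MB, so round the result.
$cs    = Get-WmiObject -Class Win32_ComputerSystem
$ramMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)

# The article's sizing rule: minimum = 1.5 x RAM, maximum = 3 x minimum (all in MB).
$minMB = [math]::Round($ramMB * 1.5)
$maxMB = $minMB * 3

"Installed RAM:                  {0:N0} MB" -f $ramMB
"Recommended Initial size (MB):  {0:N0}"    -f $minMB
"Recommended Maximum size (MB):  {0:N0}"    -f $maxMB
"Automatically managed pagefile: {0}"       -f $cs.AutomaticManagedPagefile

# Configured sizes per drive. No rows while the automatic flag is True means Windows is
# sizing the file itself; a 0 / 0 pair means "System managed size" was chosen manually.
foreach ($pf in Get-WmiObject -Class Win32_PageFileSetting) {
    "Configured: {0}  Initial {1:N0} MB  Maximum {2:N0} MB" -f $pf.Name, $pf.InitialSize, $pf.MaximumSize
}

# Live usage. AllocatedBaseSize is the file's current size; PeakUsage is the most it has
# needed since boot. A peak close to the allocated size is the sign that the 'low virtual
# memory' warnings really are about the pagefile being too small.
foreach ($u in Get-WmiObject -Class Win32_PageFileUsage) {
    "In use:     {0}  Allocated {1:N0} MB  Current {2:N0} MB  Peak {3:N0} MB" -f $u.Name, $u.AllocatedBaseSize, $u.CurrentUsage, $u.PeakUsage
}
```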

My five favorite tips for maintaining your Windows computer

Updated April 21, 2023

One of the questions I often get asked is, "What can I do to maintain my computer". So in this article, I am going to share my five favorite tips for maintaining your Windows-based computer.

Regularly check your drive(s) for errors

This is one of the first things I do when I get a system in the shop. An error on the disk can cause all sorts of issues, so occasionally running a quick standard disk check is recommended. It is always best to try fixing any errors before they become huge problems.

For more information on how to perform a checkdisk, select your operating system below.

How to check your drive(s) for errors in Windows 11

How to check your drive(s) for errors in Windows 10

How to check your drive(s) for errors in Windows 8.1

How to check your drive(s) for errors in Windows 7 / Windows Vista

How to check your drive(s) for errors in Windows XP

Manually defragment and optimize your drive(s)

Even though Windows runs Defrag as part of the routine maintenance (usually weekly), you can always occasionally run it, as it is probably the best single thing you can do to speed up your computer. Imagine a filing cabinet where all of the folders were out of order and files were misplaced throughout the cabinet. How could you find anything? Same thing with your computer's drive. Disk Defragmenter takes care of that for you. And you can run it as a scheduled task too.

Select your operating system below for more information on how to use Disk Defragmenter.

How to defragment and optimize your drive in Windows 11

How to defragment and optimize your drive in Windows 10

How to defragment and optimize your drive in Windows 8.1

How to defragment and optimize your drive in Windows 7

How to defragment and optimize your drive in Windows Vista

How to defragment and optimize your drive in Windows XP

Clean up your drive(s) regularly

Now, Windows does include programs to clean up the miscellaneous files that build up over time, but by default, it is not set up to run automatically. You can set up Windows to perform these routine tasks, which include deleting temporary files and emptying the Recycle Bin.

For more information on how to use Disk Cleanup and Storage Sense, select your operating system below.

How to clean up your drive in Windows 11

How to clean up your drive in Windows 10

How to clean up your drive in Windows 8.1

How to clean up your drive in Windows 7 / Windows Vista

Install Windows updates when they become available

Once a month, Microsoft releases security patches called Cumulative Updates. They fix known security issues and should be applied as soon as possible. Microsoft has been using the same schedule for releasing them for decades now. The second Tuesday of every month is known in the IT world as 'Patch Tuesday', so mark your calendar. And if, for some reason, Windows Update does not work correctly, click on the link below.

Troubleshooting problems with Windows Update

Back up your computer on a regular schedule

Nothing can beat a complete backup when it comes to getting a computer back running after a drive failure. Sure, a drive failure is an extreme example, but it could be an update that did not install correctly or a corrupt driver that is preventing your system from booting correctly. And the software is already built-in; all you need is an external drive for the backup and a USB flash drive for a repair drive.

How to backup your Windows 11 computer

How to backup your Windows 10 computer

How to backup your Windows 8.1 computer

How to backup your Windows 7 / Windows Vista computer

How to backup your Windows XP computer
