Saturday, March 18, 2017

Enhanced Mitigation Experience Toolkit (EMET) 5.5/5.52 Uninstall Error 2738

I’ve been taking the layered “defense in depth” approach on my home systems for some time.

Including using (concurrently)…

Last night something started to go wrong with the process and the wheels came off the wagon.

Here’s how I got them back on.

I am running the Premium (lifetime subscription) version of Malwarebytes. Some time ago they came out with a new 3.0 version release. I’ve been reading the reviews throughout the rollout and have waited to do the upgrade. One nice feature is that it now includes the full version of their awesome Anti-Exploit program at no cost to Premium subscribers; I had been using the limited/free version of it, but couldn’t protect my Chromium-based Vivaldi browser sessions with it, as the free version didn’t allow setting custom protections.

As I said, all the bits had been running fine together although – to be fair – Malwarebytes does warn users of EMET during installation that it has compatibility issues and recommends removal of EMET.  If disregarded, the installation will continue fine.

Thursday night, my Malwarebytes 2.0 version final got auto-triggered to offer me the eligible upgrade to the 3.0 version.

I said OK and let it install.  Installation seemed to go fine. No errors.

However last night, I went to launch Microsoft Excel and EMET went crazy and blocked it from running due to a perceived exploit. That hasn’t ever happened before and I was very confident my system hadn’t been actually exploited. I tried both Excel 2007 and 2010 versions that I have and both got the same reaction by EMET. I then tried Word and it also caused EMET alerts and binary blockage. Hmm.

Well, maybe something in the new Malwarebytes 3.0 was causing a compatibility issue with EMET finally.

So I went to uninstall EMET.  Only I had two versions.

Programs and Features_2017-03-18_15-13-08

Not sure how that happened. EMET 5.52 was supposed to allow for in-place upgrade of EMET over a prior version. Didn’t recall getting an error before.

So I went to uninstall EMET 5.5 and got this:

EMET 5.5_2017-03-18_15-13-43

Same result trying to uninstall EMET 5.52

I tried repairs, changes, etc. to both EMET applications. I still had the original MSI installers for them both but even re-downloaded them from Microsoft. None seemed successful.  Note the dates in the “Installed On” column were yesterday’s so something in the processes I did worked, but it wouldn’t let me uninstall them; continuing to present that same “error code is 2738” message.

Since using Excel/Word was critical last night, I worked around the problem by removing all the EMET protection settings for the Microsoft Office suite application binaries. That let me run them without being blocked.

I figured that would be enough, but this afternoon I went to open a PDF with Adobe Reader – and EMET blocked it from launching too, again due to some kind of perceived exploit.

EMET had to finally go and I had to punch through that error code.

I ended up in a Microsoft forum where others with previous versions of EMET had encountered the same error but it seemed on installations – not uninstall activity.

Technet forums – Security (EMET forum search for “2738”)

Looking through them many seemed to share a common thread with a previous anti-virus product taking over, corrupting, or locking down a VBScript dll process.

Well, perhaps my Malwarebytes and/or CryptoPrevent protections were keeping the vbscript.dll component from being accessed or running?

So I removed my CryptoPrevent protections and disabled my MalwareBytes application.

Nope. Same error.

I did some more digging with a wider net, and the more I read about other, non-security applications hitting a “2738” error on installation, the more convinced I became that it was all related.

So after reading multiple posts I was confident to do the deeper work needed to try to fix this issue.

Using Registry Finder (under an elevated Administrator session) I searched my registry for the string {B54F3741-5B07-11cf-A4B0-00AA004A55E8}.

It came up 12 times, all in the expected locations, except for a single odd one out under the HKEY_CURRENT_USER hive. I was pretty sure that was my problem.

[HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}]

All the rest were under HKEY_CLASSES_ROOT, HKEY_LOCAL_MACHINE, or HKEY_USERS.

I exported the registry key first (just in case) then I deleted it.

I then opened up CMD (under an elevated Administrator session) and ran the following commands (note my system is a Windows 7 Home x64 OS):

  • cd %windir%\syswow64<enter>
  • regsvr32 vbscript.dll <enter>


I then went back and attempted to remove EMET 5.5 and it uninstalled with no more error 2738 codes.

I then followed by removing EMET 5.52 and it came off just fine as well with no errors.

I wrapped things up by re-applying my default CryptoPrevent and MalwareBytes protections states again.

Done.

Again, the trick was to remove the stray registry entry found under the HKCU location, then re-register the vbscript.dll component properly.

Later, while preparing this post, I found this EMET-related forum post that walks through basically the same steps for an earlier version of EMET on a 32-bit version of Windows 7. If you follow it on a 64-bit version of Windows, you will need to adjust the paths accordingly (on my x64 system the 32-bit vbscript.dll lives under %windir%\syswow64, as shown above).

EMET 3.0.0 Installation fails on Win7 Pro 32Bit - Error Code 2738 – Microsoft TechNet

Additional resources and guides for addressing the Error Code 2738 problem:

The key to understanding why this works (and where the problem lies) is explained nicely in Heath’s post above:

As some people have found, re-registering the runtime libraries vbscript.dll and jscript.dll will fix the errors, but that isn’t always the solution.

As a security measure, Windows Installer will not load script engines registered in HKEY_CURRENT_USER. As a user-writable store, a normal user could get an elevated install to run their library masking as a script engine if the custom action was not explicitly attributed with msidbCustomActionTypeNoImpersonate (0x0800). This is an elevation of privileges attack; thus, Windows Installer returns error message 2738 or 2739 for custom actions type 6 and type 5, respectively, and returns Windows error 1603, ERROR_INSTALL_FAILURE.

Because – somehow – vbscript.dll had been registered under my HKEY_CURRENT_USER hive, Windows Installer refused to load that script engine and the EMET MSI uninstaller’s custom action could not execute. Only by removing that per-user entry and then re-registering the DLL, which puts the registration back in the correct machine-wide location, would the removal process complete.
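As an added example (not from this post, and not Microsoft tooling), here is a PowerShell script that performs the same check and repair in one go: it looks for the VBScript engine CLSID from above, and the JScript engine’s, under both per-user CLSID stores, exports any hit with reg.exe before deleting it, and then re-registers the DLLs from System32 and SysWOW64 so the registration lands back under HKLM. The -Fix switch and the backup location are my own choices, and the JScript CLSID is the standard one for jscript.dll rather than a value from the page.

```powershell
# Added example (not from the post or from Microsoft): find script-engine CLSIDs that
# have ended up under HKEY_CURRENT_USER, where Windows Installer will not load them,
# back each one up with reg.exe, remove it, and re-register the engine DLLs from the
# system directories so the registration lands back under HKLM.
# Run from an elevated PowerShell session; without -Fix the script only reports.
param(
    [switch]$Fix
)

# VBScript engine CLSID as found in the post; the JScript one is the standard CLSID
# for jscript.dll (not on the page; added because Heath's note covers both engines).
$engines = @{
    '{B54F3741-5B07-11cf-A4B0-00AA004A55E8}' = 'vbscript.dll'
    '{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}' = 'jscript.dll'
}

# Per-user class stores: the native view and the WOW6432 view used by 32-bit installers
$userHives = @(
    'HKCU:\Software\Classes\CLSID',
    'HKCU:\Software\Classes\Wow6432Node\CLSID'
)

$found = foreach ($hive in $userHives) {
    foreach ($clsid in $engines.Keys) {
        $key = Join-Path -Path $hive -ChildPath $clsid
        if (Test-Path -Path $key) {
            [pscustomobject]@{ Key = $key; Dll = $engines[$clsid] }
        }
    }
}

if (-not $found) {
    Write-Output 'No script-engine CLSID under HKCU; a per-user registration is not what is causing error 2738.'
    return
}

# Backup location is my own choice (assumption): %TEMP%\clsid-backup\<CLSID>.reg
$backupDir = Join-Path -Path $env:TEMP -ChildPath 'clsid-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($hit in $found) {
    Write-Output "Stray per-user registration: $($hit.Key) ($($hit.Dll))"
    if ($Fix) {
        # reg.exe wants HKEY_CURRENT_USER\... rather than the HKCU:\ drive form
        $regPath = $hit.Key -replace '^HKCU:\\', 'HKEY_CURRENT_USER\'
        $file    = Join-Path -Path $backupDir -ChildPath ((($hit.Key -split '\\')[-1]) + '.reg')
        reg.exe export $regPath $file /y | Out-Null
        Remove-Item -Path $hit.Key -Recurse -Force
        Write-Output "  exported to $file and removed"
    }
}

if ($Fix) {
    # Re-register from both system directories on x64 so 32-bit and 64-bit MSI custom
    # actions each find a machine-wide engine; /s keeps regsvr32 from showing dialogs.
    $dirs = @("$env:windir\System32")
    if (Test-Path -Path "$env:windir\SysWOW64") { $dirs += "$env:windir\SysWOW64" }
    foreach ($dir in $dirs) {
        foreach ($dll in ($engines.Values | Sort-Object -Unique)) {
            Start-Process -FilePath (Join-Path -Path $dir -ChildPath 'regsvr32.exe') `
                          -ArgumentList '/s', (Join-Path -Path $dir -ChildPath $dll) -Wait -NoNewWindow
        }
    }
    Write-Output 'Engines re-registered; retry the EMET uninstall.'
}
```

Run it once without -Fix to see whether a per-user registration is present at all; if it reports nothing, error 2738 on that machine has a different cause and deleting keys will not help. The .reg export gives you the same “just in case” rollback the post describes.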

Final thoughts.

I only removed EMET from this particular system as it exhibited the crazy mitigation interceptions for Microsoft Office immediately after upgrading to MalwareBytes 3.0 Premium.

On my other Windows 7 Ultimate system, I am still running EMET (5.52 only) along with the protections noted in the top of this post. The only difference is that I’m using the free version of Malwarebytes 2.0 on it (without real-time protections). So until an issue appears, I’m keeping EMET on that system.

Lavie still is running Windows 8.1 on her laptop with a similar configuration. Lesson learned is that I will first remove EMET before upgrading her MBAM Premium version from 2.0 to 3.0.

Cheers!

--Claus Valca

Friday, September 30, 2016

Fix EasyWorship 2009 issues with new SongSelect site

We continue to use an older version (EasyWorship 2009) of EasyWorship for our church service projection screen management.

We’ve tried the newer EasyWorship 6 release – and it does have a lot of very attractive features – however the process and projection flow just doesn’t fit us as well as the older EasyWorship 2009 layout.

Anyway…EasyWorship has a plug-in like feature that allows you to sign into the SongSelect service with your associated account and easily import song lyrics directly into your EasyWorship song database.

Recently SongSelect updated their website design and it created several problems within the EasyWorship 2009 program.

First, the SongSelect webpage was “broken” in rendering within EasyWorship 2009.

EWorship 2009 SongSelect Window - Pre-Fix

It may be hard to see but that banner area is all whacked out and the Sign In link didn’t work well at all.

Secondly, one could go to the SongSelect Classic page using the URL offered in that broken banner area and log in.

EWorship 2009 SongSelect Window - Pre-Fix - SS Classic

However, while you could then log in normally, when we went to import song lyrics the “Import” button remained grayed out using this “classic” login method.

Our workaround was to download the lyrics as a text file, then copy/paste them into a new song record in the database. This was less than ideal, as you missed out on a lot of the song item’s metadata and had to enter all of that manually as well.

I did some searching and found this helpful fix in the EasyWorship support forums.

SongSelect Webpage Fix for EasyWorship 2009 : EasyWorship Legacy  (URL change updated 2017-01-12)

Basically, you download an IE Fix patch from them for your Windows OS version and run it. It unpacks the EXE file to a temporary location, executes a batch file, and then applies a REG key fix to your Windows Registry to fix the issue.

In case you are curious, the fix just applies one of these registry tweaks depending on whether your OS is 32- or 64-bit.

For 32-bit Windows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"easyworship.exe"=dword:00000000

For 64-bit Windows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"easyworship.exe"=dword:00000000
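The same tweak applied with PowerShell instead of a .reg file, as an added example that is not part of the EasyWorship support fix. It picks the Wow6432Node path on 64-bit Windows (that is where the 64-bit .reg above writes, because a 32-bit program reads HKLM\SOFTWARE through that view), creates the FEATURE_BROWSER_EMULATION key if it is missing, and shows the value before and after. The function name and the before/after report are my own; the value 0 is simply what the support fix writes.

```powershell
# Added example (not from the EasyWorship support fix): write the FEATURE_BROWSER_EMULATION
# entry for a given executable, using the 32-bit registry view on 64-bit Windows.
# Run from an elevated, 64-bit PowerShell session so HKLM:\SOFTWARE is not redirected.
function Set-BrowserEmulation {
    param(
        [string]$Executable = 'easyworship.exe',
        [int]$Value = 0          # the value the EasyWorship fix writes (meaning per Microsoft's docs)
    )

    # 64-bit OS if the native architecture is AMD64, or if we are a 32-bit process under WOW64
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    $base = if ($is64) { 'HKLM:\SOFTWARE\Wow6432Node' } else { 'HKLM:\SOFTWARE' }
    $key  = "$base\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION"

    # The key is absent on a clean install; create the whole path if needed
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }

    $before = (Get-ItemProperty -Path $key -Name $Executable -ErrorAction SilentlyContinue).$Executable
    Set-ItemProperty -Path $key -Name $Executable -Value $Value -Type DWord

    [pscustomobject]@{
        Key    = $key
        Name   = $Executable
        Before = if ($null -eq $before) { '(not set)' } else { $before }
        After  = $Value
    }
}

Set-BrowserEmulation
```

Because the entry is keyed by executable name, the same function can be pointed at any other program that embeds the Internet Explorer web browser control and is showing the same kind of rendering breakage; just pass a different -Executable.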

Once that was done, EasyWorship 2009 then displayed the new SongSelect website page correctly (compare to before as seen above):

EWorship 2009 SongSelect Window - Post-Fix 1

And the sign-in page displayed properly.

EWorship 2009 SongSelect Window - Post-Fix 2

After logging in this way and selecting a song’s lyrics we found that the EasyWorship application’s “Import” button worked again for full and normal song lyric importation.

Bonus Easy Worship 2009 notes:

While working this issue, I found that our installed version of EasyWorship 2009 is at 1.4 but there is a later version 1.9 that is available to fix some issues.

The upgrade process is very easy.

Upgrade 2009 1.4 to 1.9 Procedure? - EasyWorship Community

  1. Download the full EasyWorship 2009 v1.9 setup installer file
  2. Be sure EasyWorship is closed out on your system.
  3. Run the setup file you downloaded; it installs over your existing version.
  4. Done. (no license or registration information is requested or needs to be re-entered)

More information about the version 1.9 build change notes here in case you are curious: EasyWorship Community • View topic - EasyWorship 2009 Build 1.9 Now Available!

If you have to reinstall EasyWorship 2009, there is some information you want to capture first from your currently registered/working software:

Reinstalling EasyWorship 2007 and 2009 - EasyWorship Legacy (URL change updated 2017-01-12)

Locate Your Registration Information

If you do not have your registration info, you can get this info from the old computer.
Your Registration Information consists of the following:

  1. Name
  2. Phone Number
  3. Serial Number

To locate this information on the old computer open EasyWorship. Go to the main menu and select Help>About EasyWorship. The church name and serial number will be shown at the bottom.

To locate the phone number, select Register on the left side of the About window.

See also: Backup and Transfer Your Database (EW 2009) - EasyWorship Legacy (URL change updated 2017-01-12)

I hope anyone still using this older version of EasyWorship 2009 like us finds this information helpful.

Cheers!

Claus Valca

Prepping a USB stick to play music files in a Camry

A while back little bro adopted a new Toyota Camry.

One of the features it comes with is the ability to play music off a USB stick.

So he grabbed a very nice Lexar brand USB 3.0 64 GB USB stick while at a local office-supply store and copied his music files to it.

Unfortunately it didn’t play. His old USB 2.0 1 GB stick worked fine in the vehicle.

He thought it might be a bad stick (or that the sound system didn’t support USB 3.0) and was getting ready to return it to the store but I asked him a few questions.

First he confirmed it was NTFS formatted. That’s pretty common on many newer USB 3.0 sticks I’ve seen lately. I suggested he might want to try formatting it as FAT32.

Note: The 2017 Toyota Camry Owner’s Manual (page 272) later confirmed this requirement: the file system format needs to be FAT 16/32. Other important points are that the USB device can only have 8 levels of folder hierarchy, a maximum of 3000 folders, a maximum of 9999 files, and a maximum of 255 files per folder. Files must be in MP3, WMA, or AAC format.
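Those limits are easy to trip over with a large music library, so here is an added PowerShell check (my own code, not from the post or from Toyota) that walks a folder or drive root and reports every file-system, folder-depth, folder-count, file-count, per-folder and file-type violation before you copy to the stick. The function name, the .m4a extension (the usual container for AAC audio) and the use of Get-Volume for the file-system check are my assumptions; Get-Volume needs Windows 8 or later.

```powershell
# Added example (not from the post): check a music folder, or the root of the USB stick,
# against the limits the 2017 Camry owner's manual lists. When the path is a drive root
# the file system is checked as well. Requires Windows 8 or later for Get-Volume.
function Test-CarUsbLayout {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Limits from the 2017 Camry owner's manual as quoted in the post
    $maxDepth = 8; $maxFolders = 3000; $maxFiles = 9999; $maxPerFolder = 255
    # AAC audio is normally delivered as .m4a (assumption: the head unit accepts that extension)
    $okExt = @('.mp3', '.wma', '.aac', '.m4a')

    $root     = (Resolve-Path -Path $Path).Path
    $problems = New-Object System.Collections.Generic.List[string]

    # File-system check only makes sense for a drive root such as 'E:\'
    if ($root -match '^([A-Za-z]):\\$') {
        $vol = Get-Volume -DriveLetter $Matches[1]
        if ($vol.FileSystem -notin @('FAT', 'FAT32')) {
            $problems.Add("file system is $($vol.FileSystem); the head unit needs FAT16/FAT32")
        }
    }

    $dirs  = @(Get-ChildItem -Path $root -Directory -Recurse -Force)
    $files = @(Get-ChildItem -Path $root -File -Recurse -Force)

    if ($dirs.Count  -gt $maxFolders) { $problems.Add("$($dirs.Count) folders (limit $maxFolders)") }
    if ($files.Count -gt $maxFiles)   { $problems.Add("$($files.Count) files (limit $maxFiles)") }

    # Folder depth counted from the root: 'E:\Rock\Live' is 2 levels deep
    $skip = $root.TrimEnd('\').Length + 1
    foreach ($d in $dirs) {
        $depth = ($d.FullName.Substring($skip) -split '\\').Count
        if ($depth -gt $maxDepth) { $problems.Add("$($d.FullName) is $depth levels deep (limit $maxDepth)") }
    }

    # Per-folder file count, root folder included
    foreach ($g in ($files | Group-Object -Property DirectoryName)) {
        if ($g.Count -gt $maxPerFolder) { $problems.Add("$($g.Name) holds $($g.Count) files (limit $maxPerFolder)") }
    }

    foreach ($f in $files) {
        if ($f.Extension.ToLower() -notin $okExt) { $problems.Add("$($f.FullName): not MP3/WMA/AAC") }
    }

    [pscustomobject]@{ Path = $root; Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Usage: Test-CarUsbLayout -Path 'E:\'        (the stick itself, file system included)
#        Test-CarUsbLayout -Path 'C:\Staging'  (a folder you are about to copy over)
```

Running it against a staging folder first lets you fix the layout (flatten deep folders, split folders over 255 files) before the copy, rather than discovering in the car that the head unit skips half the library.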

The next problem was that his Windows 10 system would only offer to format the device in exFAT.

So I had him open a CMD prompt and run DISKPART.

  • DISKPART>list disk
  • DISKPART>select disk # (the # being the disk number that represented the USB stick on his system)
  • DISKPART>clean
  • DISKPART>create partition primary
  • DISKPART>active
  • DISKPART>assign letter = E
  • DISKPART>format fs=fat32
  • DISKPART>exit

Only that netted him an error during the formatting process that the volume was too big.

Then I remembered a GUI utility from Ridgecrop Consultants Ltd that I used a long time ago.

It is free and can format FAT32 volumes beyond the normal 32 GB size limit that is sometimes encountered. It never let me down in the past.

He downloaded the tool, ran it as an admin, selected his USB drive, kept the default allocation unit size, and did a quick format on the 64 GB USB device. Done.

He tested and the USB stick (and media files) were now recognized with no issues by the sound system.

Mischief managed.

This seems to be a common issue many Toyota owners run into with newer/larger USB sticks so I thought I would drop a post for posterity.

Cheers!

Claus Valca

Monday, September 05, 2016

Valca Windows KeyFinder Utilities

Last night I was culling my collection of Windows key-finding utilities.  There were some that had gone “404” and others that didn’t seem stable (or effectively work at all) on newer Windows 7/10 systems.

Many were collected back in the days of Windows XP so I decided to pick through them and dump the oldest ones and add some new ones.

This morning I saw that the TinyApps.org bloggist was hard at work on his own list!

Possibly we are being confronted with similar troubleshooting and service issues?

Here is my list and there are some similarities (as presented in semi-alphabetical order).

Some of these recover more than just the Windows OS key.

Some have not been updated in a while and may not work effectively on Win 7/8/8.1/10.

Then there is the manual method using CMD or PowerShell for most Win 10 / 8 / 8.1 systems.
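For the manual method, here is an added PowerShell example (mine, not from this post or from any of the utilities listed) that reports what the key-finder tools would show on a Windows 8 or later machine: the OEM key embedded in firmware, if there is one, alongside the partial key and licence status of the installed Windows edition. The function name and the output layout are my own; the CIM classes and properties are the ones the built-in licensing scripts use.

```powershell
# Added example (not from the post): the manual PowerShell method, reading the
# firmware-embedded OEM key (OA3x, Windows 8 and later OEM machines) and the partial
# product key and licence state of the installed edition. Run as Administrator.
function Get-WindowsKeyInfo {
    # Service-level class carries the firmware-embedded OEM key; empty when there is none
    $svc = Get-CimInstance -ClassName SoftwareLicensingService

    # Only the active Windows edition has a PartialProductKey (last 5 characters of the key in use)
    $win = Get-CimInstance -ClassName SoftwareLicensingProduct |
           Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
           Select-Object -First 1

    # LicenseStatus codes as reported by slmgr.vbs
    $status = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace';
                 4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }

    [pscustomobject]@{
        FirmwareOemKey    = if ($svc.OA3xOriginalProductKey) { $svc.OA3xOriginalProductKey } else { '(none embedded)' }
        InstalledEdition  = $win.Name
        PartialProductKey = $win.PartialProductKey
        LicenseStatus     = $status[[int]$win.LicenseStatus]
    }
}

Get-WindowsKeyInfo
```

On a machine like the Lenovo in the next post, where the key lives in firmware, FirmwareOemKey is the value a fresh install will pick up automatically; on a retail or volume-licensed machine it is empty and you are back to the key-finder utilities above.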

I tend to prefer ProduKey, ShowKeyPlus, and Windows OEM Product Key Tool as my primary tools.

Cheers,

Claus Valca

Lenovo Y50 Hard Drive Replacement and Windows 10

About a month ago I was asked by a family at the church-house if I could give them some advice about their son’s two-year-old Lenovo Y50 laptop.

Apparently the hard-drive had failed and time was short before he headed off to college out of state.

They had purchased a new 1 TB Western Digital laptop drive similar to the one in it but despite good effort had been unable to get Windows 10 reloaded on the device. They suspected more was wrong with the system and wanted to confirm before picking up a new laptop before he shipped out.  Basically, they said the BIOS detected the HDD but they could not get Windows 10 reloaded on the laptop.

I asked them to let me look at the system along with the bits and pieces and then I would let them know.

So, armed with my various troubleshooting tool kits and USB sticks I sat down in our sound-booth with it and ran a quick assessment.

I’m more of a Dell-guy and hadn’t had much experience with the Lenovo line. As such, getting into the BIOS took a bit of research.

The trick was something called the “NOVO” button.

I booted into the BIOS (on the Y50 using the NOVO button to the immediate left of the power button) and checked a few things.

I was able to confirm the BIOS was picking up the new HDD. 

I looked under the boot tab options and saw that it was set to UEFI.

I changed it temporarily to “Legacy” and saved. I needed it that way for the next step to work more smoothly in my troubleshooting assessment. 

I attached one of my custom USB sticks that I can use to boot a system and load/run an OS (Windows/Linux/Whatever) directly from the USB stick and not off the local HDD. 

I then hit the NOVO button again and selected to boot from my USB stick. That allowed me to load a WinPE build and run some commands to…

  1. confirm that I could see the new HDD,
  2. confirm that it was a 1 TB drive,
  3. rebuild the drive partition configuration (MBR type) and make it bootable, and then
  4. format it as NTFS using DiskPart from a command prompt window.

        1. Diskpart
        2. > select disk 0
        3. > clean
        4. > create partition primary
        5. > active
        6. > assign letter = C
        7. > exit

Followed up by a final

format C: /fs:ntfs /q /y

It worked perfectly. That confirmed the laptop recognized the drive while running under a Windows OS and it was working as expected. Now I needed to get the Win 10 OS loaded on the hard drive.

I shut it down and rebooted it again with the NOVO button. I went back in to the boot options tab and set it back to UEFI, saved the changes and rebooted. 

This time I had swapped USB sticks and now used a Windows 10 Installation Media USB that I had previously built when I was working on my own laptops a while back.

The Win 10 installer loaded and the setup wizard started.

Only I had forgotten that the HDD was still configured as MBR with my pre-testing. 

Windows 10 setup booted in UEFI mode won’t install to an MBR-partitioned disk, so the wizard refused to continue with the installation. At that point in the installation options I just had to delete the MBR partition I had made so Win 10 could automagically re-create the partition layout as the GPT type it required.
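That mismatch is easy to catch before launching setup. As an added example (my own, not from this post), the PowerShell function below reads the firmware boot mode Windows records in the firmware_type environment variable (Windows 8 and later, WinPE included) and the partition style of the target disk, and says whether setup will accept the disk as-is. It needs the Storage cmdlets for Get-Disk, so run it from a full Windows 8/10 install or from a WinPE build that includes the PowerShell and StorageWMI components (an assumption about your WinPE build); the function name and the wording of the advice are mine.

```powershell
# Added example (not from the post): pre-flight check for the MBR/GPT-versus-boot-mode
# mismatch. firmware_type is set by Windows 8 and later to 'UEFI' or 'Legacy' for the
# session that is currently running; Get-Disk comes from the Storage module.
function Test-BootModeMatch {
    param([int]$DiskNumber = 0)

    $firmware = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }
    $disk     = Get-Disk -Number $DiskNumber
    $style    = [string]$disk.PartitionStyle      # MBR, GPT, or RAW after a diskpart 'clean'

    # UEFI boot needs a GPT disk, legacy/CSM boot needs MBR
    $required = switch ($firmware) { 'UEFI' { 'GPT' } 'Legacy' { 'MBR' } default { $null } }

    # Setup accepts a matching style, or a RAW disk that it will partition itself
    $ok = ($style -eq 'RAW') -or (($null -ne $required) -and ($style -eq $required))

    if ($ok) {
        $advice = 'setup can install to this disk as-is'
    } elseif ($required) {
        $advice = "booted in $firmware mode, setup needs $required; delete the existing partitions so setup re-creates them as $required"
    } else {
        $advice = 'boot mode unknown; check the firmware Boot tab (UEFI vs Legacy)'
    }

    [pscustomobject]@{
        Firmware       = $firmware
        Disk           = $DiskNumber
        PartitionStyle = $style
        Matches        = $ok
        Advice         = $advice
    }
}

Test-BootModeMatch -DiskNumber 0
```

In the situation above it would have reported Firmware UEFI against PartitionStyle MBR with Matches False, which is exactly the point at which setup stopped; after the partitions were deleted the disk reads RAW and setup lays down GPT itself.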

It did and then the rest was just watching Win 10 install, reboot a few times, creating a local user account, and dumping on the OS updates. 

Because it had Win 10 on before, it automatically loaded the license key from BIOS storage and activated Win 10 once fully installed and after I connected it to the Internet. 

Done. The Y50 was a sharp looking (and running) laptop and I was impressed during my short service time with it.

Note: I had planned on looking at the failed hard-drive to see if any data could be recovered and ported back over onto the new drive, but they said that wasn’t needed and would just go with a fresh-start. I left it to them to follow up with any remaining software application reinstalls as well.

I didn’t kick off the new Win 10 "Anniversary Edition" build update release since this was to be just a short “assessment” service but told them that it should eventually auto update in a week or so. I also let them know they could force it on early by heading over to this Microsoft site page and following the instructions. 

And I advised them to keep these links handy as well.

The family didn’t have to shell out for a new laptop and all was well.

Cheers.

Claus Valca

Additional reference notes:

Saturday, June 25, 2016

A Perfect Father’s Day – 2016 edition

This past Father’s Day, dear little Alvis and her husband invited me over to their place for some hang-out time.

We watched some great Copa América soccer matches.

We wrestled with their “schnoodle” (schnauzer poodle mix) Molly.

We ate spicy chicken and I wolfed down red-beans and rice.

We laughed and then hunkered down when a ferocious storm blew through, dumping rain by the bucketful, tossing lightning, drumming up thunder, and killing the power for about 30 minutes.

It was perfect!

Along the way I couldn’t help but be a dad and do some fixing of Alvis’s laptop.

See, about a week or two prior, her husband had been using it when suddenly it died right in the middle of some work.

Alvis tried some pretty good troubleshooting but couldn’t make headway. It seemed to sort-of boot but would just display a black screen and power off.

To make matters more challenging, the kids reported that Microsoft had foisted a stealthy/scammy Windows 10 upgrade on them. It was running Windows 7 just fine, but did a Windows 10 upgrade they didn’t ask for or want anyway. Classy.

However, they were good sports and adjusted. It seemed the Windows 10 upgrade went ok and the laptop survived the experience intact.

Was it a Windows 10 black-screen problem related to the upgrade? Was it a bad system board or power-source issue? Bad display? That schnoodle can get rough at times, though I didn’t see any teeth-marks on the lid.

In the worst case scenario, I was prepared to do a data-recovery and then port Alvis’s files onto her external USB drive so she could still work with her data on another laptop if hers was dead.

I made sure the device was on the AC power cord and tried to boot it with a bootable USB stick first. Nothing.

I removed the stick and tried a power cycle again.

Miraculously, it sprang to life this time – for a moment. Enough to partially display a Windows 10 boot loading routine and for me to see an exasperated and amazed look on Alvis’s face that it was working for me – before the screen went black again and nothing.

Hmmm.

I pulled the battery out of the laptop and removed the AC cord plug.

I pulled a Leatherman Micra multitool out of my pocket and removed the bottom laptop access cover.

Alvis said she had started to do that earlier but stopped since she was afraid she would lose the tiny screws.

I was proud she had considered that (exploring under the access cover) and explained that the lid screws were “captive” and probably wouldn’t come out – though I did keep my eye closely on the schnoodle.

I pulled out the single DIMM of RAM, then firmly reseated it and clipped it back in.

The access cover was snapped back in place and screwed down, the battery returned to the bay, and the A/C power connected.

It booted right up normally and ran like nothing had happened. Fixed just like that.

After offering to roll her laptop back to Windows 7 (declined by Alvis) she did say that the thing that frustrated them most was the “new” Start button and menu.

I downloaded and installed Classic Shell and after a bit of tweaking had the Windows 10 start menu tamed into a format Alvis was familiar with again.

Mischief managed – for now!

A right-perfect Father’s Day and I was still able to be handy and useful.

Thank you Alvis!

You are the best daughter a father could ever hope to have. I’m so proud of you.

Dad

Time for a larger laptop hard-drive?

I’ve got two laptops that are near and dear to me; Tatiana and Alister.

Tatiana is my main personal laptop – it’s a Dell Studio 15 (1558) notebook running an i7 core, a 500 GB drive, and 8 GB of system RAM.

Alister is my hot-rod racer – it’s a hand-me-down Dell XPS L702X laptop also running an i7 core, one 250 GB SSD drive (system/boot) and a 2nd 500 GB HDD in the 2nd bay. It has 16 GB of system RAM.

So here is my quandary.

I really, really love the boot speed and performance of the Samsung SSD 840 EVO 250 GB SSD drive. Once you go SSD it’s very difficult to consider a traditional spinning platter HDD.

However the prices for larger storage capacity on an SSD are still pretty high.

I’ve almost filled up the 250 GB SSD in Alister. Luckily I’ve been able to migrate more files and apps to the 2nd HDD drive and am fine for now.

For Tatiana, all those music and video files, utilities and application installs are taking their toll and the 500 GB drive in it is almost filled up too. And unfortunately, I don’t have a 2nd drive bay space on that laptop.

My gut tells me I will do better in the long run if I pick up some nice 1TB traditional HDDs for both laptops.

If I go with a speedy 7200 RPM drive with a big and fast cache I would still come out ok. I could easily pick up 2-3 of those drives for less than the price of a single 500GB SSD drive (when I honestly want a 1TB SSD size). Though I could probably find a budget SSD drive, I’m spoiled with the Samsung EVO line right now and it would be hard to walk away from.

Thoughts?

Any recommendations for a solid, fast, and dependable 1TB or larger 2.5 inch internal HDD for a laptop?

If I rolled Alister back to a 1 TB HDD for the system drive, I’d likely pass the SSD drive in it now over to Lavie and upgrade her older Dell laptop with it. She doesn’t need near the storage space and the faster boots would make her happy. It would be an easy-peasy performance upgrade for her system.

More SSD links to ponder…

Cheers,

--Claus Valca