69576: Acronis DeviceLock DLP: various applications fail to start with 'The application was unable to start correctly (0xc0000142)' error

Last update: 16-12-2021

Symptoms

After Acronis DeviceLock DLP is installed on protected computers, various applications (such as CMD.exe, PowerShell.exe, chrome.exe, and others) fail to start with the 'The application was unable to start correctly (0xc0000142)' error.

Cause

This is a known compatibility issue between the DeviceLock hooking function and latest-generation processors that support Control-flow Enforcement Technology (CET).

Control-flow Enforcement Technology is a hardware-assisted Intel technology used in Hardware-enforced Stack Protection. It is available in Windows 10 1903 starting from build 19041.622 (or 19042.622) and newer, as well as in 11th Gen Intel Core Mobile processors and AMD Zen 3 Core (and newer).

The first processor supporting this technology is Tiger Lake, released in September 2020.

Solution

You can use one of the two solutions below to resolve issues with various applications that are built with CET technology.

  1. Add the C:\Windows\system32\* folder and the processes of other applications that fail to start to the DeviceLock Application Hooker White List exceptions. This functionality is undocumented; to use it, please contact Acronis DeviceLock DLP support.
    For applications added to the DeviceLock Application Hooker White List, there will be no control/auditing/shadowing/content-aware checks at the following levels: Printer, Clipboard (both local and TS devices), MTP, WinMobile, Palm, iPhone, Blackberry. Access to these devices for the excluded processes will be controlled at the interface (e.g. USB port) level only.
  2. Find which processes are protected: open Windows Task Manager -> switch to the Details tab and add a new column, Hardware-enforced Stack Protection. Then disable Hardware-enforced Stack Protection for the protected process in one of these two ways:
    1. Open Windows Settings (Win + I) -> Update & Security -> Windows Security -> App & browser control -> Exploit protection settings -> Program settings -> + Add program to customize: choose how to add the process (either by name or by path), for example by the full path -> select the desired .exe file -> in the settings window that opens, scroll down to the Hardware-enforced Stack Protection section, select the check box for the Override system settings option, and switch the slider to the Off position.

      After that, restart this application (process).

      For example, to solve the issue with CMD.exe, or a black screen at Switch User or Sign Out, it is enough to add the following processes to the exceptions list:
      C:\Windows\system32\cmd.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\userinit.exe
      C:\Windows\system32\logonui.exe
      C:\Windows\system32\winlogon.exe
    2. Create a registry branch whose name contains the required process name, with the following contents. Below is an example for the CMD.exe and Chrome.exe processes:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe]
    "MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,00,00,\
      00,00,00,00,00,00
    "MitigationAuditOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00
    "EAFModules"=""

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Chrome.exe]
    "MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,00,00,\
      00,00,00,00,00,00
    "MitigationAuditOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00
    "EAFModules"=""

    Thus, you only need to specify the name of the excluded process in the branch name while its contents remain the same!
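Because each such registry branch switches Hardware-enforced Stack Protection off for one executable, it helps to keep an inventory of the exemptions. The following is an added example, not part of the original article or of Acronis tooling: it parses the text of a .reg export of Image File Execution Options and lists the images whose MitigationOptions value carries the override byte shown above. The function names, the sample export, and the reading of "byte 16 is 0x20" as the marker are assumptions taken from the article's own example.

```python
import re

# Constructed sample export (not from a real host): two exempted images, one not.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,00,00,\
  00,00,00,00,00,00
"EAFModules"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Chrome.exe]
"MitigationOptions" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,00,00, \
  00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00
"""

# Assumption: offset and mask are read off the article's .reg example.
OVERRIDE_BYTE, OVERRIDE_MASK = 15, 0x20
IFEO = "\\image file execution options\\"
HEX_VALUE = re.compile(r'"([^"]+)"\s*=\s*hex(?:\([0-9a-fA-F]+\))?:\s*([0-9a-fA-F,\s]*)$')

def parse_reg(text):
    """Return {key_path: {value_name: bytes}} for the hex values in a .reg export."""
    # A trailing backslash continues a hex value on the next line; join those first.
    text = re.sub(r"\\[ \t]*\r?\n[ \t]*", "", text)
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := HEX_VALUE.match(line)):
            digits = [d for d in re.split(r"[,\s]+", m.group(2)) if d]
            current[m.group(1)] = bytes(int(d, 16) for d in digits)
    return keys

def stack_protection_exemptions(text):
    """Image names under IFEO whose MitigationOptions has the override byte set."""
    found = []
    for key, values in parse_reg(text).items():
        opts = values.get("MitigationOptions", b"")
        exempt = len(opts) > OVERRIDE_BYTE and opts[OVERRIDE_BYTE] & OVERRIDE_MASK
        if IFEO in key.lower() and exempt:
            found.append(key.rsplit("\\", 1)[1])
    return sorted(found, key=str.lower)

if __name__ == "__main__":
    print(stack_protection_exemptions(SAMPLE))
```

Files exported by regedit in the "Version 5.00" format are UTF-16 encoded, so decode them before passing the text to `stack_protection_exemptions`.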
