69803: Acronis DLP: various applications fail to start with 'The application was unable to start correctly (0xc0000142)' error

Last update: 23-11-2022

Symptoms

After deployment of a protection plan with Device control enabled, various applications (such as CMD.exe, PowerShell.exe, chrome.exe, and others) fail to start with the error 'The application was unable to start correctly (0xc0000142)'.

Cause

This is a known compatibility issue between the latest generation of processors with Control-flow Enforcement Technology (CET) and the Acronis DLP hooking function.

Control-flow Enforcement Technology is a hardware-assisted Intel technology used in Hardware-enforced Stack Protection. It is available in Windows 10 1903 starting from build 19041.622 (or 19042.622) and newer, as well as in 11th Gen Intel Core Mobile processors and AMD Zen 3 Core (and newer).

The first processor supporting this technology is Tiger Lake, released in September 2020.

Solutions

You can use one of the two solutions below to solve issues with various applications that are built with CET technology.

  1. Add the C:\Windows\system32\* folder and the processes of other applications that fail to start to the Exclusions list of the Device control protection plan, as described in KB: https://kb.acronis.com/content/68519
  2. Find which processes are protected: open Windows Task Manager -> switch to the Details tab and add a new column, Hardware-enforced Stack Protection. Then disable Hardware-enforced Stack Protection for the protected process in one of these two ways:
    1. Open Windows Settings (Win + I) -> Update & Security -> Windows Security -> App & browser control -> Exploit protection settings -> Program settings -> + Add program to customize: select the way to add the process (either by name or by path), for example by the full path -> select the desired .exe file -> in the settings window that opens, scroll down to the Hardware-enforced Stack Protection section, select the check box for the Override system settings option, and switch the slider to the Off position.

      After that, restart this application (process).

      For example, to solve the issue with CMD.exe, or black screen at Switch User or Sign Out, it is enough to add the following processes to the exceptions list:
      C:\Windows\system32\cmd.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\userinit.exe
      C:\Windows\system32\logonui.exe
      C:\Windows\system32\winlogon.exe
    2. Create a registry branch with a name that contains the required process name and with the following contents; below is an example for the CMD.exe and Chrome.exe processes:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe]
      "MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,00,00,\
        00,00,00,00,00,00
      "MitigationAuditOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
        00,00,00,00,00,00,00,00
      "EAFModules"=""

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Chrome.exe]
      "MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,00,00,\
        00,00,00,00,00,00
      "MitigationAuditOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
        00,00,00,00,00,00,00,00
      "EAFModules"=""

    Thus, you only need to specify the name of the excluded process in the branch name while its contents remain the same!
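
    To review which executables carry such an override, the following PowerShell example lists every Image File Execution Options subkey that has a MitigationOptions value and flags those whose bytes match the value shown above. It is an added example and not part of the original Acronis article; the function name Get-IfeoMitigationOverride is hypothetical.

```powershell
# Added example (not from the original article): inventory per-image
# MitigationOptions overrides under Image File Execution Options (IFEO).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Value from the article's .reg sample: 25 bytes, byte 15 is 0x20, the rest 0x00.
$articleValue = [byte[]]::new(25)
$articleValue[15] = 0x20

# Hypothetical helper name; returns one object per image that has an override.
function Get-IfeoMitigationOverride {
    param([string]$Root = $ifeo)

    Get-ChildItem -Path $Root | ForEach-Object {
        $value = $_.GetValue('MitigationOptions', $null)
        if ($null -eq $value) { return }   # no override under this subkey, skip it

        # The value may be REG_BINARY (as in the article) or a numeric type.
        $kind = $_.GetValueKind('MitigationOptions')
        $isBinary = $value -is [byte[]]
        $text = if ($isBinary) {
            ($value | ForEach-Object { $_.ToString('x2') }) -join ','
        } else {
            '0x{0:x}' -f $value
        }

        [pscustomobject]@{
            Image          = $_.PSChildName
            Kind           = $kind
            # True only when the stored bytes equal the article's value exactly.
            MatchesArticle = $isBinary -and (($value -join ',') -eq ($articleValue -join ','))
            Value          = $text
        }
    }
}

Get-IfeoMitigationOverride | Sort-Object Image | Format-Table -AutoSize
```

    Entries reported with MatchesArticle set to True are the ones created by following the registry method above; entries with other values were set by something else and are listed only for context.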
