HAWKI

What's this about ?


My System Restore stopped working so I was checking services to make certain my Volume Shadow Copy Service was running, which it was.

error code is (0X81000203)

In the course of checking running services by searching for "services" I also did a run/services. When I did that I got an error message referencing EMIS 12.

"C:\Program Files\Emsisoft Internet Security\a2hooks64.dll is either not designed to run on Windows or contains an error...Error Status 0xc0000428."

I uninstalled and reinstalled EMIS 12 but got the same error alert.

Also, anyone have a suggestion on how to restore my System Restore?

Win 1067 64X OS


One of our moderators sent this link to me:

https://www.wilderssecurity.com/threads/how-to-restore-system-restore-in-win-10-au.389775/#post-2629795

In theory it should help, however since it involves deleting registry keys I recommend making a backup of your registry before doing this. There are general instructions at this link for doing so, however do not save the backups as .reg files as the permissions will be lost. Export your registry backups as registry hives, and they will contain all of the registry entries and registry permissions.


One of our moderators sent this link to me:

https://www.wilderssecurity.com/threads/how-to-restore-system-restore-in-win-10-au.389775/#post-2629795

In theory it should help, however since it involves deleting registry keys I recommend making a backup of your registry before doing this. There are general instructions at this link for doing so, however do not save the backups as .reg files as the permissions will be lost. Export your registry backups as registry hives, and they will contain all of the registry entries and registry permissions.

Thanks :-)

Tried it but it didn't work for me.

What about the EMIS 12 error: "C:\Program Files\Emsisoft Internet Security\a2hooks64.dll is either not designed to run on Windows or contains an error...Error Status 0xc0000428." ???


What about the EMIS 12 error: "C:\Program Files\Emsisoft Internet Security\a2hooks64.dll is either not designed to run on Windows or contains an error...Error Status 0xc0000428." ???

You mean "Windows cannot verify the digital signature of this file"? As I understand it, there are times when a2hooks64.dll will be injected into other processes that have higher level code signing requirements than our files do, and thus you'll see errors about the digital signature of a2hooks64.dll in the Event Viewer. The only time you need to be concerned is when the Behavior Blocker isn't working.


You mean "Windows cannot verify the digital signature of this file"? As I understand it, there are times when a2hooks64.dll will be injected into other processes that have higher level code signing requirements than our files do, and thus you'll see errors about the digital signature of a2hooks64.dll in the Event Viewer. The only time you need to be concerned is when the Behavior Blocker isn't working.

Thank You GT, BUT that is not reassuring.

"Emsisoft Internet Security\a2hooks64.dll is either not designed to run on Windows or contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error Status 0xc0000428."

Why can't Emsisoft meet the Microsoft Guidelines on signatures and approval/authority, or have as high a level as any other program??

"The only time you need to be concerned is when the Behavior Blocker isn't working." Oh, is that all ?!?! How does a user determine that? After he/she has an infected PC??

This is a persistent error on my PC. Maybe it's just my system/configuration. Perhaps there is a conflict with HitmanPro Alert that also hooks. But if that's the case, why doesn't EMIS have as high a level of authority as HMPA? HMPA was installed on my PC long after EMIS.

Test it. "Run/services" on your WIN 10 AU PC and see.

Will cyber-criminals exploit this potential failure on EMIS 12 users' PCs in targeted attacks ?

I was hoping for a more reassuring response. My license expires this week and I was waiting for a more positive response before renewing for a third year.

I am deeply disappointed by this explanation.

Hopefully I have not fully understood the explanation provided, but as of this time, I have lost my former high level of confidence in Emsisoft IS. I feel like I have lost a trusted friend.

It has been painful for me to have had to write this post.

Respectfully,

HAWKI


Google suggests that error code 0xc0000428 corresponds to a problem verifying a digital signature. What I don't understand, reading this ticket, is where the message that HawkI reports, about the hooks dll, comes from. It doesn't seem to me to have anything to do with signatures.


Google suggests that error code 0xc0000428 corresponds to a problem verifying a digital signature. What I don't understand, reading this ticket, is where the message that HawkI reports, about the hooks dll, comes from. It doesn't seem to me to have anything to do with signatures.

Yes Jeremy:

This is weird.

The proper Error Code for "xxxx.dll is either not designed to run on Windows or contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support." is Error status 0xc000012f.

I should add that I have done Win System File Check and I have no corrupted Windows files.

I really would like a better explanation/reassurance before I have to jump ship to a lesser security suite


Why can't Emsisoft meet the Microsoft Guidelines on signatures and approval/authority, or have as high a level as any other program??

We do. The problem comes when a2hooks64.dll is injected into another process that has higher code signing requirements than our software does (such as certain Windows System Files). This causes an error message to appear in the Event Logs, but it does not cause any actual problems or impair the functionality of our software in any way.

"The only time you need to be concerned is when the Behavior Blocker isn't working." Oh, is that all ?!?! How does a user determine that? After he/she has an infected PC??

If you haven't seen an alert from the Behavior Blocker or Surf Protection recently, then the easiest way to check is to create a rule to block a program and then try to run it (if it is blocked from running then the Behavior Blocker is working). Or if you are familiar with batch files, create a simple one that uses BatchGotAdmin to prompt for admin rights and then follows it up with something benign such as echoing "hello world" in the Command Prompt (this will pretty much always generate a Behavior Blocker alert, so long as no rule gets created to allow the batch file).

Google suggests that error code 0xc0000428 corresponds to a problem verifying a digital signature. What I don't understand, reading this ticket, is where the message that HawkI reports, about the hooks dll, comes from. It doesn't seem to me to have anything to do with signatures.

Yes Jeremy:

This is weird.

The proper Error Code for "xxxx.dll is either not designed to run on Windows or contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support." is Error status 0xc000012f.

I should add that I have done Win System File Check and I have no corrupted Windows files.

I really would like a better explanation/reassurance before I have to jump ship to a lesser security suite

I have to agree as well. The error message does not seem to match the error code.

Have you tried uninstalling, rebooting, running Emsiclean, rebooting again, making sure the EIS folder was removed (usually C:\Program Files\Emsisoft Internet Security), and then reinstalling? Something may be interfering with the removal of an old or damaged copy of the a2hooks64.dll file.


We do. The problem comes when a2hooks64.dll is injected into another process that has higher code signing requirements than our software does (such as certain Windows System Files). This causes an error message to appear in the Event Logs, but it does not cause any actual problems or impair the functionality of our software in any way.

If you haven't seen an alert from the Behavior Blocker or Surf Protection recently, then the easiest way to check is to create a rule to block a program and then try to run it (if it is blocked from running then the Behavior Blocker is working). Or if you are familiar with batch files, create a simple one that uses BatchGotAdmin to prompt for admin rights and then follows it up with something benign such as echoing "hello world" in the Command Prompt (this will pretty much always generate a Behavior Blocker alert, so long as no rule gets created to allow the batch file).

I have to agree as well. The error message does not seem to match the error code.

Have you tried uninstalling, rebooting, running Emsiclean, rebooting again, making sure the EIS folder was removed (usually C:\Program Files\Emsisoft Internet Security), and then reinstalling? Something may be interfering with the removal of an old or damaged copy of the a2hooks64.dll file.

Thanks GT :-)

I have done a clean reinstall with Emsiclean, but will try again.

I have never seen the error message triggered during normal PC activity. It only appears when I run/services, which I was doing trying to figure out why my system restore got borked. Checking to see if vss was working (the correct way is to search "services"), but I wanted to cover all the bases. If I had not done that I never would have suspected there may be an issue.

Please try to replicate it on a Win 1067 64X system: right click the Windows Start Button>select Run>enter "services." That will tell us if it's an EMIS problem or a problem specific to my PC config. I would appreciate it if someone else would try it.

I consider all other security suites inferior to EMIS, particularly cuz of its behavior blocker, firewall, and consistent 100% detection rates in AV Comparatives RW Tests. Recently, I have seen the EMIS 12 behavior blocker block the latest Locky ransomware variant - Odin ransomware a few days after its release into the wild. Most others fail on that. But this error on my system has me seriously spooked. ATM, as a placeholder, I'm using a trial of BD IS 2017, which surprisingly sucks in blocking ransomware, though it does protect certain files from encryption by some ransomware. (I do not get any error warning when I run/services with BD on my PC.) The Norton Security Forum is loaded with users asking for help in removing ransomware and PUPs-mostly browser adware hijackers, and NS's removal, rather than quarantine, of what it perceives as a bad file w/o asking the user. KIS is excellent, but has a nasty habit of causing critical, deal-breaking issues on many users' PCs, including mine. McAfee is just OK on detection and has a tissue paper firewall. The latest Vipre IS Pro is excellent at detection, but it too sux on ransomware and also suffers from a seriously deficient firewall.

I am lost in the wilderness of crap security suites atm cuz I will not use EMIS until I am satisfied that my error is not affecting the effectiveness of EMIS 12 on my system. I will try all your suggestions.

Thanks again for your info and suggestions,

HAWKI

 

 

Please try to replicate it on a Win 1067 64X system: right click the Windows Start Button>select Run>enter "services." That will tell us if it's an EMIS problem or a problem specific to my PC config. I would appreciate it if someone else would try it.

I can replicate what you see.

I shall post logs in beta area for devs to see if it is an expected thing or not.


I can replicate what you see.

 

I shall post logs in beta area for devs to see if it is an expected thing or not.

Thanks stapp :-)

 

Dunno if that's good or bad news :-(

 

HAWKI


I get the same misleading message on my 64bit W8.1 system.

 

Jeremy :-)

 

The message is not misleading -- it's obscure. It is indicating a possible problem, but what the stated error is, is confused because the explanation of the error does not match the error code. Thus, it is possible that the message is a FP caused by a line of Schizophrenic code in Windows and not EMIS.

 

Whatever it is, I don't feel comfy with it and it merits investigation.


Thanks stapp :-)

 

Read it.

 

Shall I assume then that running "services" is actually or similar to running "services.exe" ? Or is there actually no such valid function as running "services" which might explain the garbled error message and error code?

 

If so, I would feel good about EMIS again :-)


When you ask the system to run a command where you don't give it the whole name (i.e. extension too) of the command to be run, the OS searches various places where such a program file may be (the directories defined in environment variable PATH), and looks for a candidate with one of a whole set of possible extensions (defined in environment variable PATHEXT). On my system PATHEXT contains

  PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.REX;.REXH;.REXP

so you can see that .com and .exe files are high-priority candidates, followed by .bat and .cmd (batch and script files), and so on. The stuff towards the righthand end of that list are as I set them here on my system, but I expect it's normal for .msc to be quite a long way into the list, so that does mean that services.com (if it exists), services.exe etc would be executed instead of services.msc.
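
The lookup order described in the post above, as an added example that is not part of the original thread: a simplified Python model that walks the PATH directories and the poster's PATHEXT list, showing why a bare `services` reaches services.exe before services.msc while the full name `services.msc` is unambiguous. The `resolve` and `demo` names and the temporary stand-in for System32 are assumptions made for the illustration; any extra lookup steps the Run dialog performs are not modelled.

```python
import os
import tempfile

# PATHEXT exactly as quoted in the post above.
PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.REX;.REXH;.REXP"


def resolve(command, path_dirs, pathext=PATHEXT):
    """Return every file a command name could match, in search order.

    Simplified model (assumption): directories are tried in PATH order and,
    inside each directory, extensions are tried in PATHEXT order.
    The first entry of the returned list is the file that would run.
    """
    if os.path.splitext(command)[1]:
        exts = [""]  # an explicit extension disables the PATHEXT search
    else:
        exts = [e for e in pathext.split(";") if e]
    hits = []
    for directory in path_dirs:
        try:
            # Windows file names are case-insensitive, so compare in lower case.
            present = {n.lower(): n for n in os.listdir(directory)}
        except OSError:
            continue  # missing or unreadable PATH entry
        for ext in exts:
            real = present.get((command + ext).lower())
            if real:
                hits.append(os.path.join(directory, real))
    return hits


def demo():
    """Resolve both spellings against a constructed stand-in for System32."""
    with tempfile.TemporaryDirectory() as root:
        system32 = os.path.join(root, "System32")  # constructed directory
        os.mkdir(system32)
        for name in ("services.exe", "services.msc"):  # empty placeholder files
            open(os.path.join(system32, name), "w").close()
        bare = [os.path.basename(p) for p in resolve("services", [system32])]
        full = [os.path.basename(p) for p in resolve("services.msc", [system32])]
    return bare, full


if __name__ == "__main__":
    bare, full = demo()
    print("services     ->", bare[0], "(shadowed:", bare[1:], ")")
    print("services.msc ->", full[0])
```
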


When you ask the system to run a command where you don't give it the whole name (i.e. extension too) of the command to be run, the OS searches various places where such a program file may be (the directories defined in environment variable PATH), and looks for a candidate with one of a whole set of possible extensions (defined in environment variable PATHEXT). On my system PATHEXT contains

  PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.REX;.REXH;.REXP

so you can see that .com and .exe files are high-priority candidates, followed by .bat and .cmd (batch and script files), and so on. The stuff towards the righthand end of that list are as I set them here on my system, but I expect it's normal for .msc to be quite a long way into the list, so that does mean that services.com (if it exists), services.exe etc would be executed instead of services.msc.

 

Thank You Jeremy :-)

 

I guess that and stapp's post explains it all.

 

Damn I hate uninstalling Bitdefender Products with their removal tool. It takes forever cuz you can not select which product to uninstall, so you have to sit and wait while the tool loads and goes through the uninstall routine for every Bit Defender Product, and there are a lot. :(

 

Looking forward to having EMIS back protecting my PC. :-)


I'm glad to see that Frank, stapp, and Jeremy were able to shed some light on what was going on. Thanks for your input everyone. ;)
