How to Identify URL or document after EMET Mitigation?

Hi,

Is there a way to identify which URL was requested in the browser or which document was opened in Office or Adobe Reader when EMET triggers a mitigation?

This is important information missing in the logs, and there are probably technical reasons for it (which?), but maybe there is a way of (ideally automatically) getting/correlating this information from somewhere.

Thanks for any hints or thoughts. 

November 26th, 2014 10:09am

In EMET 5.0 a tooltip was shown in the taskbar notification area when you visited a site (in the Internet zone) in the browser which uses Java, and an event was written to the Windows Event Log which sometimes specified the web address. Below are two examples:

          EMET detected ASR mitigation in iexplore.exe

          ASR check failed:
            Application     : C:\Program Files\Internet Explorer\iexplore.exe
            User Name     : COMP\USERNAME
            Session ID     : 2
            PID         : 0x109C (4252)
            TID         : 0x16BC (5820)
            Module     : jp2iexp.dll

          EMET detected ASR mitigation in iexplore.exe

          ASR check failed:
            Application     : C:\Program Files\Internet Explorer\iexplore.exe
            User Name     : COMP\USERNAME
            Session ID     : 2
            PID         : 0x1710 (5904)
            TID         : 0xA20 (2592)
            Module     : jp2iexp.dll
            Web address     : http://java.server1.company.com/java/module/
            Url zone     : Trusted


With EMET 5.1 this doesn't seem to happen anymore and Internet Explorer just reports that the website uses Java which can be downloaded and installed.

When I open a Word document with Shockwave Flash Object I get this tooltip

and this event is written in the application event log.

          Log Name:      Application
          Source:        EMET
          Date:          26-11-2014 9:35:54
          Event ID:      1
          Task Category: None
          Level:         Warning
          Keywords:      Classic
          User:          N/A
          Computer:      xxxx
          Description:
          EMET detected ASR mitigation in WINWORD.EXE

          ASR check failed:
            Application     : C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            User Name     : Domain\User
            Session ID     : 3
            PID         : 0xEF4 (3828)
            TID         : 0x130C (4876)
            Module     : Flash32_15_0_0_239.ocx

The name of the document is not mentioned in this.

My suggestion is to fill in a feedback form (https://connect.microsoft.com/emet/feedback/LoadSubmitFeedbackForm) on the Microsoft Connect portal for the EMET 5.0 feedback program.


November 26th, 2014 12:31pm
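One way to get at the missing document or URL automatically, as an added example that is not part of the thread or of EMET itself: the ASR event (source EMET, Event ID 1 in the Application log, as shown in the reply above) carries the PID of the process in which the module load was blocked, and ASR blocks the module rather than terminating the process, so the process is normally still running when the event is written. The script below parses the "ASR check failed:" block, looks up that PID's command line and main window title (WINWORD.EXE launched by double-click or from an Outlook attachment has the document path on its command line, and its window title carries the document name), and for Internet Explorer maps the open browser windows to their owning process through the Shell.Application COM object and the user32 GetWindowThreadProcessId call. The function names (Parse-EmetAsrEvent, Get-IeUrlsByPid, Resolve-EmetAsrEvents) are mine; the script assumes an EMET 5.x message layout matching the examples above and that it is run soon after the event, since a PID can be reused once the process exits.

```powershell
# Added example, not EMET's own tooling: correlate EMET ASR events (Application log,
# source "EMET", Event ID 1) with the document or URL open in the affected process.
# Assumption: run shortly after the event, while the process named by the PID still exists.

Add-Type @"
using System;
using System.Runtime.InteropServices;
public static class Win32Win {
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@

function Parse-EmetAsrEvent {
    param([string]$Message)
    # Extract "Key : Value" lines from the "ASR check failed:" block of the event text.
    $fields = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*(Application|User Name|Session ID|PID|TID|Module|Web address|Url zone)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    # EMET logs the PID as "0x109C (4252)"; keep the decimal value only.
    if ($fields.ContainsKey('PID') -and $fields['PID'] -match '\((\d+)\)') {
        $fields['PID'] = [int]$matches[1]
    }
    return $fields
}

function Get-IeUrlsByPid {
    # Map each open Internet Explorer window to the PID that owns its HWND.
    $shell  = New-Object -ComObject Shell.Application
    $result = @{}
    foreach ($w in $shell.Windows()) {
        if ($w.FullName -and $w.FullName -like '*iexplore.exe') {
            $ownerPid = [uint32]0
            [Win32Win]::GetWindowThreadProcessId([IntPtr]$w.HWND, [ref]$ownerPid) | Out-Null
            $key = [int]$ownerPid           # normalise key type so lookups from CIM data match
            if (-not $result.ContainsKey($key)) { $result[$key] = @() }
            $result[$key] += $w.LocationURL
        }
    }
    return $result
}

function Resolve-EmetAsrEvents {
    param([int]$MaxEvents = 20)
    $events = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='EMET'; Id=1} `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $ieUrls = Get-IeUrlsByPid
    foreach ($ev in $events) {
        $f = Parse-EmetAsrEvent $ev.Message
        if (-not $f['PID']) { continue }    # not an ASR-style message, nothing to correlate
        $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $($f['PID'])"
        $title = (Get-Process -Id $f['PID'] -ErrorAction SilentlyContinue).MainWindowTitle
        $urls  = @()
        if ($f['Web address']) { $urls += $f['Web address'] }   # present in some EMET 5.0 events
        if ($proc) {
            # With Loosely-Coupled IE the event names the tab process, while the browser
            # window belongs to the frame process, i.e. the tab process's parent: check both.
            foreach ($candidate in @([int]$proc.ProcessId, [int]$proc.ParentProcessId)) {
                if ($ieUrls.ContainsKey($candidate)) { $urls += $ieUrls[$candidate] }
            }
        }
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Application = $f['Application']
            Module      = $f['Module']
            PID         = $f['PID']
            CommandLine = if ($proc) { $proc.CommandLine } else { '<process already exited>' }
            WindowTitle = $title
            Urls        = ($urls | Select-Object -Unique) -join '; '
        }
    }
}

Resolve-EmetAsrEvents | Format-Table -AutoSize
```

To make the lookup run while the process is still alive, attach the script to a Task Scheduler task with an "On an event" trigger (Log: Application, Source: EMET, Event ID: 1). Two limits follow from the thread itself: a document opened through File > Open does not appear on Word's command line (only the window title helps then), and the script can only correlate what EMET actually writes, so in the standard-user case described later in this thread, where no event is logged, there is nothing to correlate.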

With EMET 5.1 this doesn't seem to happen anymore and Internet Explorer just reports that the website uses Java which can be downloaded and installed.

stefancpt clarified that the lack of the EMET notification occurs when the user doesn't have administrative rights. See also (t)his post!

December 8th, 2014 9:50pm

I just installed EMET 5.2 and to my disappointment this issue has not been addressed yet. Only admin users will see EMET notifications and generate events in the application event log if Java is blocked. Standard users neither log events nor do they see an EMET notification if Java is blocked.
March 19th, 2015 7:24am

This also seems to happen with ASR vbscript when a website is part of the trusted websites and a vbscript is loaded from another website. The ASR notification doesn't report which vbscript is blocked and/or from which website the script is loaded.
April 5th, 2015 4:28pm
