NOTE:  This EMET issue was moved here from this original post:  http://answers.microsoft.com/en-us/windowslive/forum/gallery-wlsettings/photo-gallery-crash-emet-reporter-deletes-file/e5a510c8-e0fb-4d33-8179-8ee7a18d11e5?rtAction=1377879230389

Discovered a bug in EMET 4.0 running on Windows 8 (desktop).
Steps to reproduce:

1. open a .jpg graphic... opens in Photo Gallery.
2. hit the "Edit, Organize, or Share" button, top left menu bar.
3. Program crashes and opens a "Photo Gallery has stopped working"/Close program prompt.
4. EMET opens up a "Do you want to send more information about this issue?" prompt.
5. When you click Yes/Send with the EMET prompt it DELETES YOUR FILE - no recycle bin, no warning.

It appears to be a problem with EMET.  I closed the Photo Gallery prompt and the program closed, file deletion did not occur until the EMET prompt was sent/closed.

UPDATE:  Discovered a new unwanted behavior... it will delete the file when you hit the DONT report button as well.  I guess the only way is to close the prompt window and not to choose the REPORT or DON'T REPORT buttons.

UPDATE #2:  I just wanted to give another update to this problem... it seems that even if you close the reporter prompt with the window close button (top right) it still deletes your file.  So to clarify, when the EMET 4 reporter initiates all means of exiting the window, sending or not sending or closing window, will delete data.

To turn off reporting in EMET 4?  From the main EMET window you just need to uncheck Early Warning:

NOTE:  The below entry describes a problem with the default EMET 4 configuration for Windows Photo Gallery which led to the discovery of this bug.  It is taken from (duplicated from) this post...   http://answers.microsoft.com/en-us/windowslive/forum/gallery-wlsettings/photo-gallery-crash-emet-reporter-deletes-file/e5a510c8-e0fb-4d33-8179-8ee7a18d11e5

---------------------------->>

I did not reinstall Photo Gallery here (not needed)... I think the problem is with EMET.  

With the previous entry, where I was asked to disable EMET and test Photo Gallery, I may not have disabled it fully via the task manager... so I got the expected crash.  I just tested with EMET running but with all the mitigation checkboxes unchecked for WLXPhotoGallery.exe, and I was able to use the "Edit, Organize, or Share" button in Photo Gallery properly with no crash. 

I will have to experiment with which EMET mitigation check is causing the crash when using the "Edit, Organize, or Share" button.  The default EMET installation list had all mitigation checkboxes checked for this program.  If someone happens to know the proper checkbox configuration for WLXPhotoGallery.exe please post.

• Edited by ENEN1 Saturday, August 31, 2013 2:34 AM correction

The proper EMET 4 mitigation configuration for Photo Gallery WLXPhotoGallery.exe:

As mentioned above, the default EMET 4 mitigation configuration for WLXPhotoGallery.exe was all on.  I just went through the checkboxes and found the crash problem is if the "Caller" mitigation is checked for WLXPhotoGallery.exe in Apps Configuration.  For proper non-crash functioning of "Edit, Organize, or Share" button in Photo Gallery the "Caller" should be unchecked (at least on my system).

*Caller (Tooltip: ROP mitigation that checks if critical function was called and not returned into).

• Edited by ENEN1 Saturday, August 31, 2013 2:30 AM amended

Hi, Thank you for posting this.

I created a PDF file yesterday and opened it, closed it, and then opened it again and EMET 4.0 (Win 7 Pro SP1 64-bit) came up and said that it had prevented an exploit (or something like that). I figured it was a false positive so I clicked to Send Feedback... I continued working with the PDF file until the end of the day... Today when I unlocked my computer, the PDF file was gone....

I thought I was going crazy or my computer was corrupted, but then I remembered that EMET popped up so I thought it might be an issue with that. I'm glad that it was EMET and not something else (more difficult to determine).

Is Microsoft going to release an update to fix this problem?

Hello,

we opened an investigation for this issue and we'll follow up with a bugfix in next major/minor release soon.

Thanks for reporting this feedback.

EMET Support

Yes, the same on Win 8.1 RTM.

Had a false positive (PDF file, file was OK as it has been created by myself) reported by EMET. I clicked on 'Don't send' and it deletes my PDF :( !

Please fix this asap! Thank you!

It looks like Microsoft has responded and changed the protection profile and group policy settings for those three programs (among others) in EMET 4.1 which was released on November 12:

Acrobat: *\Adobe\Acrobat*\Acrobat\Acrobat.exe -MemProt
AcrobatReader: *\Adobe\Reader*\Reader\AcroRd32.exe -MemProt
PhotoGallery: *\Windows Live\Photo Gallery\WLXPhotoGallery.exe -Caller

Do you still have the issues after installing 4.1 and using the new Protection Profiles (or using group policy created with the new EMET.adm* files)?

The EMET 4.1 documentation on page 41 ("Table 7: Common Software Compatibility Matrix") lists "Simulate execution flow" instead of "Memory protection checks" as incompatible for Adobe Acrobat and Adobe Acrobat Reader.

Dear EMET support.

Please give an update!

Has this issue been resolved in EMET 4.1 ?

Ping!  Microsoft this one is yours.

Do you ever fix bugs or just argue about them until people stop asking?