ckwebb
Level 7

"NTDLL.DLL" failing with HIPS enabled


Good Morning,

I have a serious issue. Any Microsoft program that calls "NTDLL.DLL" to execute (which is almost all Microsoft programs) is crashing. HIPS does not show anything in the activity log (as far as anything red), but when I turn HBSS off everything works. What do I do?

Thanks,

Chris

0 Kudos
1 Solution

Accepted Solutions
gswanson
Level 8

Re: "NTDLL.DLL" failing with HIPS enabled


Thanks for the reply, greatscott. I tried that yesterday to no avail. I was able to resolve the issue today. We recently installed EMET on all of our workstations; two of them lost Outlook and IE capability, and the event logs were showing NTDLL.DLL was the faulting module. There were never any HIPS events generated. When I would turn off HIPS enforcement the problem immediately went away. It turns out the person who installed EMET on those two workstations chose the default configuration instead of the manual configuration option. Uninstalling EMET (and carving out all registry references to it) and then re-installing it with the manual configuration option fixed our problem. Not sure why the default configuration broke NTDLL.DLL when HIPS was enforced.

0 Kudos
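
The accepted solution above traced the crashes through event-log entries naming NTDLL.DLL as the faulting module. As an added example (not from any poster in this thread), this PowerShell snippet lists which applications are crashing that way, so the result can be compared with HIPS enforcement on and off. The seven-day window and the event field positions are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example: summarise application crashes whose faulting module is ntdll.dll.
# Run in an elevated PowerShell 3.0+ session on the affected workstation.
$since = (Get-Date).AddDays(-7)   # look-back window (assumed; adjust as needed)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $since
}

# Get-WinEvent reports an error when nothing matches; suppress it so that
# "no crashes" simply yields an empty result.
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event 1000 payload order (assumed from the standard Application Error
        # template): 0 = application, 3 = faulting module, 6 = exception code.
        [pscustomobject]@{
            Time      = $_.TimeCreated
            App       = $_.Properties[0].Value
            Module    = $_.Properties[3].Value
            Exception = $_.Properties[6].Value
        }
    } |
    Where-Object { $_.Module -ieq 'ntdll.dll' }

# One row per crashing application: crash count, first and last crash time.
$crashes | Group-Object App | ForEach-Object {
    $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
    [pscustomobject]@{
        App        = $_.Name
        Crashes    = $_.Count
        FirstCrash = $times[0]
        LastCrash  = $times[-1]
    }
} | Sort-Object Crashes -Descending | Format-Table -AutoSize
```

Running it once with HIPS enforcement on and again after a test period with enforcement off shows whether the ntdll.dll faults stop when enforcement is disabled, which is the behaviour described in this thread.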
9 Replies
exbrit
Level 21

Re: "NTDLL.DLL" failing with HIPS enabled


Moved to HIPs for better attention - Moderator

0 Kudos
fitchsoccer342
Level 13

Re: "NTDLL.DLL" failing with HIPS enabled


Chris.. send me a digitally signed email to brian.berger AT mda.mil - I can help you through this.

FYI.. the term HBSS is only used in the DoD; here on the forums most people are commercial, so they would have no idea what HBSS means.

0 Kudos
exbrit
Level 21

Re: "NTDLL.DLL" failing with HIPS enabled


Note from Moderator - no email addresses should be posted per forum rules, so I "munged" yours. It's still readable but not clickable, which is better safety and security-wise.

gswanson
Level 8

Re: "NTDLL.DLL" failing with HIPS enabled


I am having the exact same issue. Does anyone have a solution to this, please?

0 Kudos
exbrit
Level 21

Re: "NTDLL.DLL" failing with HIPS enabled


You could do as the user has suggested in post #2

---

Peter

Moderator

0 Kudos
gswanson
Level 8

Re: "NTDLL.DLL" failing with HIPS enabled


Thanks, I did try that. Was hoping the solution was known by others and posted in hopes of getting the solution as quickly as possible.

0 Kudos
exbrit
Level 21

Re: "NTDLL.DLL" failing with HIPS enabled


Good, I think maybe it's not for publication here. However I could be wrong.

0 Kudos
greatscott
Level 12

Re: "NTDLL.DLL" failing with HIPS enabled


I would suggest to anyone having this issue:

1. Go to the IPS Rules policy applied to the system(s)

2. Locate the "Application Protection Rules" tab, click into it

3. Put the dll in this list section

4. Test

0 Kudos