What is Werfault.exe?

Werfault.exe is a Windows Error Reporting (WER) process. It is responsible for handling error reporting in Windows operating systems. WerFault.exe was first released on 11/08/2006 for Windows Vista and is still present in Windows 10 and 11. Such errors arise when loading WerFault fails, either during the start of the application or, in some cases, while the application is running.

Thus, when a program encounters an error, Werfault collects information about it. It includes the program causing the error, the nature of the error, and system information. Next, Werfault offers options for sending this information to Microsoft for analysis. This will help Microsoft improve the stability and reliability of Windows (probably). Werfault.exe typically runs in the background and should not usually require user interaction unless prompted by an error.

Fix Werfault.exe Application Error

Werfault.exe error usually means an issue with the Windows Error Reporting process or an application causing it to crash. However, it’s nothing to worry about if it only happens one or two times!

But if the WerFault.exe error occurs repeatedly and causes trouble, or if it takes a relatively high CPU power in Task Manager, you should take action to resolve it. Here are some steps that you can take to try and fix this issue:

Step 1. Update Windows

Windows constantly improves to enhance its stability and reduce program crashes. To achieve this goal, Microsoft provides regular security updates and bug fixes. You may encounter security issues and bugs if you don’t install these updates. A couple of particular Windows updates broke WerFault, which Microsoft addressed in further patches. To check for updates, press the Windows key + I and click “Windows Update”. If there are any updates available, download and install them.

Step 2. Run the Windows SFC Scan

The SFC tool repairs corrupt system files that can cause Werfault.exe errors. Press Windows key + R, type “cmd”, and hit Ctrl+Shift+Enter to open Command Prompt as administrator. Next, type or paste in the Command Prompt “sfc /scannow” and press enter.

After completing the scan, Windows will attempt to repair any corrupt files. Finally, restart your device and check if the error is corrected. If the scan finds corrupt files, but Windows is unable to repair them, try repairing corrupt system files using repair tools.

Important note! Avoid downloading and copying WerFault.exe to your Windows system directory from third-party sites. Microsoft typically does not release standalone Windows EXE files for download because they are already bundled together inside a software installer. This may cause system instability and stop your program or OS from functioning.

Step 3. Use Repair Mode

Please restart your PC using the pressed Shift button—this will turn the device into Automatic Repair. Select Advanced options to enter WinRe and choose your language. Next, select the Troubleshoot and Advanced options.

Select Command Prompt, log in with your account and run the below commands.

chkdsk X: /f
bootrec /fixmbr
bootrec /fixboot
bootrec /scanos
bootrec /rebuildbcd

Note: If you installed the system update before the system is abnormal, you can use “Uninstall Updates” to uninstall recent updates (which include Quality updates and Feature updates; try both).

Step 4. Try to Find Malware

While Werfault.exe is a legit executable file, its activity may be attributed to malicious software. Hackers use DLL sideloading technique by exploiting the WerFault.exe tool to deploy malware onto compromised systems. This method allows them to infect devices discreetly without triggering antivirus alarms. During this exploitation, you may see the said errors coming from WerFault.exe, as well as the process itself in the Task Manager.

Malware can sometimes exploit genuine processes in its activity. This can cause program crashes and, in some cases, trigger the werfault.exe error. I recommend GridinSoft Anti-Malware; it is best suited to detect and remove even sophisticated malware.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post Werfault.exe Error appeared first on Gridinsoft Blog.

Microsoft patched 67 vulnerabilities in its products this month, seven of which are classified as critical and 60 are classified as important. Separately, Microsoft has fixed 16 bugs in Microsoft Edge for a total of 83 bugs.

Interestingly, according to ZDI data, the latest set of fixes increased the total number of bugs fixed in 2021 to 887, which is almost 30% less than in 2020.

One of the major fixes this month is the patch for CVE-2021-43890 (7.1 CVSS). This vulnerability in the Windows AppX Installer is reportedly already under attack. Microsoft says the bug can be exploited remotely by low-privilege attackers without user interaction. In particular, the problem is already being used to distribute various malicious programs, including the Emotet, TrickBot and BazarLoader malware.

Bleeping and Computer reports that Emotet malware has recently spread using malicious Windows App Installer packages disguised as Adobe PDF. While Microsoft does not directly link CVE-2021-4389 to this campaign, the details the experts have shared with the community are completely consistent with the tactics used in the recent Emotet attacks.

Five other zero-day vulnerabilities that were patched in December were not seen in hacker attacks:

• CVE-2021-43240 (CVSS: 7.8) – privilege escalation in NTFS Set Short Name;
• CVE-2021-43883 (CVSS: 7.8) – Windows Installer privilege escalation;
• CVE-2021-41333 (CVSS: 7.8) – Windows Print Spooler privilege escalation;
• CVE-2021-43893 (CVSS: 7.5) – privilege escalation in Windows Encrypting File System (EFS);
• CVE-2021-43880 (CVSS: 5.5) – Windows Mobile Device Management privilege escalation.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

The post Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware appeared first on Gridinsoft Blog.

Let me remind you that the experts found that even after installing the correction, vulnerability can still be operated locally to obtain System privileges. Worse, the developer Mimikatz Benjamin Delp reported that the patch can be completely bypassed and that the vulnerability can be used not only for local privileges, but also for remote execution of arbitrary code.

To do this, the Point and Print RESTRICTIONS policy should be active, and the “WHEN INSTALLING DRIVERS FOR A NEW CONNECTION” parameter must be set to “Do Not Show Warning On Elevation Prompt”.

Now Microsoft responded to these warnings and reported that the patch works correctly:

Microsoft engineers updated Printnightmare Problem Correction Guide and still encourage users to install patches as soon as possible. Now the manual looks like this:

In any case, apply the patch for CVE-2021-34527 (update will not change the existing registry settings);

• After applying the update, check the registry settings documented in the CVE-2021-34527 description;
• If the registry keys listed there do not exist, further actions are not required;
• If the registry keys exist, it is necessary to confirm that the following registry keys are set to 0 (zero) or they are missing:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrintNoWarningNoElevationOnInstall = 0 (DWORD) or not set (by default) and UpdatePromptSettings = 0 (DWORD) or not set (by default).

However, in addition to the effectiveness of an unscheduled patch, other difficulties arose with it. The Bleeping Computer media reported that the KB5004945 update, designed to eliminate Printnightmare, violated work of some models of Zebra and Dymo printers.

After the release of the patch, users started massively complaining on Twitter and on Reddit that the work of Zebra printers has become impossible. According to the victims, the problem affected only printers directly connected to Windows devices via USB. Zebra printers connected to the print server have not been injured.

It was reported that the bug affected only certain Zebra models, including the most popular: LP 2844, ZT220, ZD410, ZD500, ZD620, ZT230, ZT410 and ZT420.

Zebra developers confirmed that they know about the problem. The company advised:

However, the situation was aggravated by the fact that it is a mandatory security update, which means, after some time, Windows will automatically set it again.

Interestingly, Microsoft reported that these failures are not associated with CVE-2021-34527 and CVE-2021-1675, but caused by changes in the preview version of the cumulative update for June 2021. Developers have released emergency patches for Windows 10 2004, Windows 10 20H2 and Windows 10 21H1 to eliminate bugs.

Fixes are deployed using Microsoft Known Issue Rollback (KIR), which distributes patches for known errors through Windows Update. That is, patches should get to most users in the next day.

The post Microsoft declares that Printnightmare patch works correctly appeared first on Gridinsoft Blog.

Microsoft assigned the bug ID CVE-2021-34527, and also confirmed that the problem allows arbitrary code to be executed remotely with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

• Windows 10 21H1 (KB5004945);
• Windows 10 20H1 (KB5004945);
• Windows 10 2004 (KB5004945);
• Windows 10 1909 (KB5004946);
• Windows 10 1809 и Windows Server 2019 (KB5004947);
• Windows 10 1507 (KB5004950);
• Windows 8.1 и Windows Server 2012 (KB5004954/KB5004958);
• Windows 7 SP1 и Windows Server 2008 R2 SP1 (KB5004953/KB5004951);
• Windows Server 2008 SP2 (KB5004955/KB5004959).

At the same time, cybersecurity researchers quickly discovered that these fixes were incomplete, since the vulnerability could still be exploited locally to gain SYSTEM privileges. In particular, this information was confirmed by Matthew Hickey, co-founder of Hacker House, and Will Dormann, analyst at CERT/CC.

As it turned out now, the problem is even more serious than they thought. Other researchers also began modifying their exploits and testing the patch, after which it turned out that the fix could be easily bypassed, with exploitation of the vulnerability not only for local privilege escalation, but also for remote execution of arbitrary code.

Mimikatz developer Benjamin Delp writes that the patch can be bypassed if the Point and Print Restrictions policy is active, and the “When installing drivers for a new connection” parameter should be set to “Do not show warning on elevation prompt”.

Matthew Hickey told Bleeping Computer that users are still better off turning Print Spooler off altogether, blocking printing locally and remotely (until a full patch is available).

Also, the publication itself notes that the unofficial micropatch from the developer 0patch turned out to be more effective, and can be used instead of the official one. However, this third-party solution conflicts with Microsoft’s July 6, 2021 patch, so 0patch can only be applied instead of the official one.

Microsoft says it is already aware of the experts’ findings, and the company is already investigating these reports.

The post The official patch for the PrintNightmare vulnerability was ineffective appeared first on Gridinsoft Blog.