Microsoft Patch Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Wed, 11 Sep 2024 00:52:24 +0000

Werfault.exe Error
https://gridinsoft.com/blogs/werfault-exe-error-troubleshooting/
Tue, 10 Sep 2024 16:28:15 +0000

The post Werfault.exe Error appeared first on Gridinsoft Blog.

Werfault.exe is a system process used to collect information about program errors, which helps diagnose and resolve issues to improve the user experience. In certain cases, it can repeatedly crash, displaying an error message, and also be used by malware.

What is Werfault.exe?

Werfault.exe is a Windows Error Reporting (WER) process. It is responsible for handling error reporting in Windows operating systems. WerFault.exe was first released on 11/08/2006 for Windows Vista and is still present in Windows 10 and 11. Werfault.exe errors arise when WerFault fails to load, either when an application starts or, in some cases, while the application is running.

When a program encounters an error, Werfault collects information about it: the program that caused the error, the nature of the error, and system information. Werfault then offers to send this information to Microsoft for analysis, which (probably) helps Microsoft improve the stability and reliability of Windows. Werfault.exe typically runs in the background and should not require user interaction unless an error prompts it.

Fix Werfault.exe Application Error

A Werfault.exe error usually means there is an issue with the Windows Error Reporting process itself or with an application that causes it to crash. However, it’s nothing to worry about if it only happens once or twice!

[Screenshot: the Werfault.exe Application Error dialog]

But if the WerFault.exe error occurs repeatedly and causes trouble, or if the process consumes a noticeably large share of CPU in Task Manager, you should take action. Here are some steps you can take to try to fix this issue:

Step 1. Update Windows

Windows constantly improves to enhance its stability and reduce program crashes. To achieve this goal, Microsoft provides regular security updates and bug fixes. You may encounter security issues and bugs if you don’t install these updates. A couple of particular Windows updates broke WerFault, which Microsoft addressed in further patches. To check for updates, press the Windows key + I and click “Windows Update”. If there are any updates available, download and install them.

[Screenshot: Windows Update with no pending updates; if you see this, you’ve done it right.]

Step 2. Run the Windows SFC Scan

The SFC tool repairs corrupt system files that can cause Werfault.exe errors. Press Windows key + R, type “cmd”, and hit Ctrl+Shift+Enter to open Command Prompt as administrator. Then type or paste “sfc /scannow” into the Command Prompt and press Enter.

[Screenshot: the sfc /scannow command running in Command Prompt]

After completing the scan, Windows will attempt to repair any corrupt files. Finally, restart your device and check if the error is corrected. If the scan finds corrupt files, but Windows is unable to repair them, try repairing corrupt system files using repair tools.

Important note! Avoid downloading WerFault.exe from third-party sites and copying it into your Windows system directory. Microsoft does not release standalone Windows EXE files for download; they are bundled inside software installers. A file from an untrusted source may cause system instability and stop your program or the OS from functioning.

Step 3. Use Repair Mode

Restart your PC while holding the Shift key; this boots the device into Automatic Repair. Select Advanced options to enter WinRE and choose your language. Next, select Troubleshoot and then Advanced options.

[Screenshot: Command Prompt in the recovery environment]

Select Command Prompt, log in with your account and run the commands below. Replace X: with the drive letter of your Windows volume as it appears in the recovery environment (it is not always C:).

chkdsk X: /f
bootrec /fixmbr
bootrec /fixboot
bootrec /scanos
bootrec /rebuildbcd

📖 Note: If you installed a system update before the system started misbehaving, you can use “Uninstall Updates” to remove recent updates (both Quality updates and Feature updates; try both).

Step 4. Try to Find Malware

While Werfault.exe is a legitimate executable, its activity may be caused by malicious software. Attackers use a DLL sideloading technique that abuses the WerFault.exe tool to deploy malware onto compromised systems. This allows them to infect devices discreetly without triggering antivirus alarms. During such abuse you may see the errors described above coming from WerFault.exe, as well as the process itself in Task Manager.
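As an added example (not code from Gridinsoft or Microsoft), the PowerShell below is a defender-side triage check for the WerFault.exe sideloading scenario just described: it verifies the on-disk binary is Microsoft-signed, and flags any running WerFault.exe started from outside System32 or holding a module loaded from outside the Windows directory. It assumes the standard %SystemRoot% layout and an elevated session.

```powershell
# Added example (not Gridinsoft's or Microsoft's code): triage check for
# WerFault.exe DLL sideloading. Findings are leads for investigation, not
# verdicts; some security products legitimately inject their own DLLs.
# Run from an elevated PowerShell session so all processes are visible.

$WinDir      = $env:SystemRoot                         # normally C:\Windows
$ExpectedExe = Join-Path $WinDir 'System32\WerFault.exe'
$findings    = @()

# 1. The binary in System32 must carry a valid Microsoft Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $ExpectedExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "WerFault.exe at $ExpectedExe is not validly Microsoft-signed (status: $($sig.Status))."
}

# 2. Every running WerFault.exe should have been started from System32
#    (or SysWOW64 for the 32-bit copy on 64-bit hosts).
$allowedDirs = @((Join-Path $WinDir 'System32'), (Join-Path $WinDir 'SysWOW64'))
foreach ($proc in Get-Process -Name WerFault -ErrorAction SilentlyContinue) {
    $exePath = $proc.Path
    if ($exePath -and ($allowedDirs -notcontains (Split-Path $exePath -Parent))) {
        $findings += "PID $($proc.Id): WerFault.exe running from unexpected path $exePath."
    }
    # 3. A sideloaded DLL shows up as a module mapped from outside %SystemRoot%.
    try {
        foreach ($m in $proc.Modules) {
            if ($m.FileName -and $m.FileName -notlike "$WinDir\*") {
                $findings += "PID $($proc.Id): module $($m.FileName) loaded from outside $WinDir."
            }
        }
    } catch {
        # Module enumeration fails without sufficient rights or across bitness.
        $findings += "PID $($proc.Id): could not enumerate modules ($($_.Exception.Message))."
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No WerFault.exe anomalies found.'
} else {
    $findings | ForEach-Object { Write-Output "SUSPICIOUS: $_" }
}
```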

Malware can sometimes exploit genuine processes in its activity. This can cause program crashes and, in some cases, trigger the werfault.exe error. I recommend GridinSoft Anti-Malware; it is best suited to detect and remove even sophisticated malware.

[Screenshot: GridinSoft Anti-Malware main screen]

Download and install GridinSoft Anti-Malware. After the installation, run a Full scan: this checks all volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the anti-malware program takes on each element: click “Advanced mode” and use the drop-down menus. You can also see extended information about each detection: malware type, effects and the potential source of infection.

[Screenshot: scan results screen]

Click “Clean Now” to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

[Screenshot: removal finished]

Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware
https://gridinsoft.com/blogs/microsoft-patches-windows-appx-installer-vulnerability/
Wed, 15 Dec 2021 21:13:40 +0000

December’s Patch Tuesday, the last of this year, brought fixes for six 0-day vulnerabilities in Microsoft products, including a bug in the Windows AppX Installer that Emotet malware uses to spread.

Microsoft patched 67 vulnerabilities in its products this month, seven of which are classified as critical and 60 are classified as important. Separately, Microsoft has fixed 16 bugs in Microsoft Edge for a total of 83 bugs.

Interestingly, according to ZDI data, the latest set of fixes increased the total number of bugs fixed in 2021 to 887, which is almost 30% less than in 2020.

One of the major fixes this month is the patch for CVE-2021-43890 (CVSS 7.1). This vulnerability in the Windows AppX Installer is reportedly already under attack. Microsoft says the bug can be exploited remotely by low-privileged attackers without user interaction. In particular, the problem is already being used to distribute various malicious programs, including the Emotet, TrickBot and BazarLoader malware.

“An attacker could create a malicious attachment for use in phishing campaigns. The attacker would then have to convince the user to open that attachment. Users whose accounts are configured with fewer rights in the system may be affected to a lesser extent than users who work with administrator rights,” the company warns.

Bleeping Computer reports that Emotet malware has recently spread using malicious Windows App Installer packages disguised as Adobe PDF software. While Microsoft does not directly link CVE-2021-43890 to this campaign, the details the experts have shared with the community are completely consistent with the tactics used in the recent Emotet attacks.

Five other zero-day vulnerabilities patched in December have not been seen in attacks:

  • CVE-2021-43240 (CVSS: 7.8) – privilege escalation in NTFS Set Short Name;
  • CVE-2021-43883 (CVSS: 7.8) – Windows Installer privilege escalation;
  • CVE-2021-41333 (CVSS: 7.8) – Windows Print Spooler privilege escalation;
  • CVE-2021-43893 (CVSS: 7.5) – privilege escalation in Windows Encrypting File System (EFS);
  • CVE-2021-43880 (CVSS: 5.5) – Windows Mobile Device Management privilege escalation.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

Microsoft declares that PrintNightmare patch works correctly
https://gridinsoft.com/blogs/microsoft-declares-that-printnightmare-patch-works-correctly/
Mon, 12 Jul 2021 16:53:18 +0000

Previously, many infosec researchers warned that Microsoft’s emergency patch for the dangerous PrintNightmare vulnerability was ineffective and did not eliminate the problem completely.

Let me remind you that the experts found that even after installing the fix, the vulnerability could still be exploited locally to obtain SYSTEM privileges. Worse, Mimikatz developer Benjamin Delpy reported that the patch can be completely bypassed and that the vulnerability can then be used not only for local privilege escalation but also for remote execution of arbitrary code.

For this, the Point and Print Restrictions policy must be active, and its “When installing drivers for a new connection” parameter must be set to “Do not show warning on elevation prompt”.

Now Microsoft responded to these warnings and reported that the patch works correctly:

“Our investigation has shown that the unscheduled security update is working properly and effectively against the famous exploits and other public reports that are combined as PrintNightmare. All reports we studied were based on changing the default registry settings associated with the Point and Print function to an unsafe configuration,” the company said.

Microsoft engineers updated the PrintNightmare remediation guide and still encourage users to install the patches as soon as possible. The guide now reads as follows:

  • In all cases, apply the patch for CVE-2021-34527 (the update will not change existing registry settings);
  • After applying the update, check the registry settings documented in the CVE-2021-34527 description;
  • If the registry keys listed there do not exist, no further action is required;
  • If the registry keys exist, confirm that the following registry values are set to 0 (zero) or are missing:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall = 0 (DWORD) or not set (by default), and
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings = 0 (DWORD) or not set (by default).
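As an added example (not part of Microsoft’s guide or the Gridinsoft post), this PowerShell audits the two Point and Print values the guide names and reports whether each is absent or 0, with optional remediation; it assumes the key path listed above and an elevated session when -Remediate is used. The Print Spooler status line is extra context for the reader, not a step from the guide.

```powershell
# Added example (not Microsoft's or Gridinsoft's code): audit the Point and Print
# registry values from the CVE-2021-34527 guidance. Both values must be absent or
# 0 (DWORD); anything else is the unsafe configuration Microsoft describes.
# Run in an elevated PowerShell session if you pass -Remediate.
param([switch]$Remediate)

$KeyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueNames = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')
$unsafe     = @()

# Context only: whether the Spooler service is running at all on this host.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    Write-Output "Print Spooler service: $($spooler.Status) (startup: $($spooler.StartType))"
}

if (-not (Test-Path -Path $KeyPath)) {
    # Guide: if the key does not exist, no further action is required.
    Write-Output "OK: $KeyPath does not exist; no further action required."
    exit 0
}

$props = Get-ItemProperty -Path $KeyPath
foreach ($name in $ValueNames) {
    $prop = $props.PSObject.Properties[$name]   # $null when the value is absent
    if ($null -eq $prop) {
        Write-Output "OK: $name is not set (default)."
    } elseif ([int]$prop.Value -eq 0) {
        Write-Output "OK: $name = 0."
    } else {
        Write-Output "UNSAFE: $name = $($prop.Value); expected 0 or not set."
        $unsafe += $name
    }
}

if ($unsafe.Count -gt 0 -and $Remediate) {
    foreach ($name in $unsafe) {
        # If these values are delivered by Group Policy they will be reapplied on
        # the next refresh; in that case fix the policy object itself as well.
        Set-ItemProperty -Path $KeyPath -Name $name -Value 0 -Type DWord
        Write-Output "Remediated: $name set to 0."
    }
    $unsafe = @()
}

# Non-zero exit code lets a scheduled task or fleet tool flag the host.
if ($unsafe.Count -gt 0) { exit 1 } else { exit 0 }
```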

However, besides doubts about the effectiveness of the unscheduled patch, other problems arose with it. Bleeping Computer reported that the KB5004945 update, designed to eliminate PrintNightmare, broke printing on some Zebra and Dymo printer models.

After the patch was released, users began complaining en masse on Twitter and Reddit that their Zebra printers had stopped working. According to the victims, the problem affected only printers connected directly to Windows devices via USB; Zebra printers connected through a print server were not affected.

“We have about 1,000 clients using Zebra printers, and they called us repeatedly because they cannot print. Surely this update is responsible for it, because after its rollback [the printer] again spits [labels],” writes one of the users.

It was reported that the bug affected only certain Zebra models, including the most popular: LP 2844, ZT220, ZD410, ZD500, ZD620, ZT230, ZT410 and ZT420.

Zebra developers confirmed that they are aware of the problem. The company advised:

“The immediate way to solve the problem is to delete the KB5004945 update for Windows, or delete the appropriate printer driver and reuse it using the administrator credentials.”

However, the situation was aggravated by the fact that this is a mandatory security update, which means that after some time Windows will automatically install it again.

Interestingly, Microsoft reported that these failures are not related to CVE-2021-34527 and CVE-2021-1675, but were caused by changes in the June 2021 preview cumulative update. The developers have released emergency patches for Windows 10 2004, Windows 10 20H2 and Windows 10 21H1 to fix the problem.

“After installing the KB5003690 update or later (including the additional updates KB500476 and KB5004945), you could have problems with printing on certain printers. The most vulnerable devices are printers for printing checks and labels that are connected via USB,” Microsoft wrote.

The fixes are deployed using Microsoft’s Known Issue Rollback (KIR) mechanism, which distributes fixes for known issues through Windows Update, so they should reach most users within the next day.

The official patch for the PrintNightmare vulnerability was ineffective
https://gridinsoft.com/blogs/patch-for-printnightmare-is-ineffective/
Thu, 08 Jul 2021 19:05:22 +0000

Earlier this week, Microsoft released an emergency patch for a critical PrintNightmare bug recently discovered in Windows Print Spooler (spoolsv.exe), but it was ineffective.

Microsoft assigned the bug ID CVE-2021-34527, and also confirmed that the problem allows arbitrary code to be executed remotely with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

At the same time, cybersecurity researchers quickly discovered that these fixes were incomplete, since the vulnerability could still be exploited locally to gain SYSTEM privileges. In particular, this information was confirmed by Matthew Hickey, co-founder of Hacker House, and Will Dormann, analyst at CERT/CC.

As it has now turned out, the problem is even more serious than thought. Other researchers also began modifying their exploits and testing the patch, after which it turned out that the fix could be easily bypassed, allowing exploitation of the vulnerability not only for local privilege escalation but also for remote execution of arbitrary code.

Mimikatz developer Benjamin Delpy writes that the patch can be bypassed if the Point and Print Restrictions policy is active and the “When installing drivers for a new connection” parameter is set to “Do not show warning on elevation prompt”.

Matthew Hickey told Bleeping Computer that users are still better off turning Print Spooler off altogether, blocking printing both locally and remotely, until a full patch is available.

The publication also notes that the unofficial micropatch from 0patch turned out to be more effective than the official fix. However, this third-party solution conflicts with Microsoft’s July 6, 2021 patch, so 0patch can only be applied instead of the official one, not alongside it.

Microsoft says it is already aware of the experts’ findings, and the company is already investigating these reports.
