What is "Windows Setup EM" component introduced with version 22000.318?

Thank you very much.

Statement: CU22 and CU11 for Exchange 2016 and 2019 install the new Emergency Mitigation (EM) function. It is intended to implement immediate measures automatically when critical vulnerabilities occur. These can reduce the threat but can also deactivate Exchange features.
This means they decide ad hoc to maintain my machine, regardless of what I decide.
NO WAY.
 
You guys are way off base :rolleyes:. It has nothing to do with Exchange Server.
MSFT stopped delivering W11 RTM images and now offers W11 v1 (Nov 2021) for download.

v1 Setup.exe is a different version -- which points to other probable fixes. There are no documented notes about Setup, but the Nov 2021 CU was the first Patch Tuesday rollup after the two RTM emergency hotfixes in Oct '21.
 
Windows Setup EM is part of W11 Home & Pro editions, but not Enterprise. I decided to remove it from Pro and see what file(s) are missing.
--> Windows\System32\EM.exe

This file is included with November's CU, as predicted. But what does it do?

EM.exe does nothing on a live system, leaving no event logs or CBS.log activity. When I looked in Process Monitor, it referenced:

HKLM\SOFTWARE\Microsoft\COM3\Com+Enabled
HKLM\SYSTEM\Setup\OOBEInProgress

Which means it's a Setup debugger, because Windows has always allowed kernel debugging over COM: ports.
This explains why it's 704 KB. No need for MS conspiracy theories...
 
Yeah, same as garlin, that wasn't enough for me to claim a description, so I left it undocumented.
If anyone has more proof on what it exactly is, let us know.

It could be Emergency Mitigation for Windows. We might see eventually if a future patch or Windows version decorates the EXE properly.
 
Decompiling EM with Ghidra, it's confirmed to be a mitigation tool targeting Retail versions of:

W10_RS5 (1809)
W10_19H1
W10_20H1
W11

EM apparently cares if your geo-location is German ("DE" or "DEU"). Based on those clues, I would expect it's a Windows privacy fix enforced during OOBE, before the user has any existence.
 
I figured out what EM does. EM updates the EULA for German users (de-de).

EM makes calls to Rtl/WNF (feature controls) and patches the EULA strings, but only in German. There's a hash value to verify the EULA text has been correctly updated. This app was pushed out for legal reasons, and it only impacts anyone with German locale.

Everyone else can ignore this tool. Maybe the "E" stands for EULA Mitigation.
 
Good question. The current English and translated German EULAs are identical.
Wayback Machine doesn't have any earlier copies to review. I would guess there was some discrepancy, and they corrected the text.

Every market has the original June 2021 agreement date, but Germany was revised Sept 2021.
 
Blunders will never cease with ms, probably sum tin wong with the translation.
 