Loading...

Knowledge Center


Whitelisted file is denied from execution if Hibernate Once/Resume Many (HORM) is enabled
Technical Articles ID:   KB81511
Last Modified:  1/11/2017

Environment

McAfee Application Control (MAC) 6.1
McAfee Embedded Control
McAfee Embedded Security 

Microsoft Windows Embedded with Enhanced Write Filter (EWF) and Hibernate Once/Resume Many (HORM)

Problem

If EWF and HORM are enabled, a solidified file is denied from executing on a non-system drive.

HORM is a feature for Windows 7 Embedded, which is supported with EWF.

If HORM is enabled, a MAC call to open a file fails. This prevents MAC from checking the file for execution permission against the whitelist.

Solution

Technical Support is investigating this issue. As a temporary measure, implement the following workaround.

Workaround

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.
  1. Disable EWF (Enhanced Write Filter).
    NOTE: Disabling EWF is required, otherwise it will restore the registry changes over restart.
     
  2. Navigate to: 

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\swin\Parameters]
     
  3. Create a DWORD reg value named Kmodfops.
  4. Set the data for kmodfops as 2.
  5. Restart the system.
  6. Enable EWF and HORM.

Rate this document

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.