henrypp / simplewall

Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer.
GNU General Public License v3.0

simplewall.exe - Bad image #611

Closed cghub-io closed 4 years ago

cghub-io commented 4 years ago

Thanks for the latest update.

Before v3.1 everything was fine, but since the update to 3.1 I am randomly getting the dialog box across many different applications. So far the dialog box comes up when I freshly start my computer and have the following programs running in the background:

I am worried now that simplewall will start generating these popups on other 'dll' files of other programs.

simplewall.exe - Bad Image

C:\Windows\system32\VBoxMRXNP.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system admin of the software vendor for support. Error status 0x0000428

valefrox commented 4 years ago

Already signalled: https://github.com/henrypp/simplewall/issues/605

cghub-io commented 4 years ago

Oh, I see. I thought I was going crazy :) Cheers

JoeBarouneD commented 4 years ago

I have the same with Oldnewexplorer.dll

mssign commented 4 years ago

Same thing here, just from a different angle. The message pops up for JKL.dll from https://github.com/BladeMight/Mahou/releases

RawSlugs commented 4 years ago

same with bonjour\mdnsNSP.dll

Serebriakov commented 4 years ago

Same error with Bandicam.

henrypp commented 4 years ago

EN: Yes. This is a Windows 10 feature named Mitigation, and this option means modules without M$ signatures cannot be loaded into the SW address space. Here is the solution to not display the Bad Image message:

RU: Yes. Windows 10 introduced an option that protects an application's address space from having foreign (non-M$) modules loaded into it. The solution for disabling this message is below.

Open PowerShell (as admin) and enter this code:

set-ProcessMitigation -Name simplewall.exe -Enable BottomUp,HighEntropy,DisableExtensionPoints,MicrosoftSignedOnly,BlockRemoteImageLoads,BlockLowLabelImageLoads

ltguillaume commented 4 years ago

Can you please tell us why simplewall would even load these modules when they don't even have to have any network access?

I saw this message relating to a DLL from PISMO File Mount, a suite that never makes any network connection.

JoeBarouneD commented 4 years ago

I wonder why it only began with the latest release and not before.

Mitigation is not a new feature, so you have changed something related to it in the latest version of SW.

Edit: Your PowerShell script doesn't prevent the "Bad image" popup.

rudolphos commented 4 years ago

The PowerShell command didn't have any effect.


simplewall.exe - Bad Image

C:\PROGRA~1\MacType\MacType64.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000428.

Edit: now I removed the mactype program and simplewall isn't even starting and doesn't show up in the taskbar, reinstalled already.

ltguillaume commented 4 years ago

@henrypp Could you explain why you're loading all these modules into sw address space? Are you using any hooks? What changed between 3.1 and 3.0.9?

Is this because of https://github.com/henrypp/simplewall/commit/61b15df4dcbf4746c6895611835b809414efd3c0 ?

Iruberiam commented 4 years ago

Since the recent update, Simplewall started showing "Bad image" to many already installed applications. Now I can't get the application window to show even after uninstalling and reinstalling. It's apparently installed but I can't configure it; Process Hacker shows it running as a suspended task.

cghub-io commented 4 years ago

Yea. Such a great program but the developer seems quiet about the bug. Hmmm. @henrypp You might lose potential users if you don’t make any comments on such serious bugs. Definitely people are starting to lose trust if you can’t explain in simple words why this is happening.... only since v3.09+

JoeBarouneD commented 4 years ago

I switched to Netstalker, as the dev is not answering anymore ...

Iruberiam commented 4 years ago

Downgraded to 3.09, the popup still appears though, so I temporarily uninstalled the offending program to prevent the bad image message. Simplewall seemed to fill a necessary hole in Windows security but now the cons are starting to outweigh the pros. 3.1 appears to be a disaster and the lack of dev feedback is encouraging me to find alternatives.

henrypp commented 4 years ago

to all @Iruberiam @JoeBarouneD @cghub-io @badwhing @ltGuillaume @rudolphos

Edit: Your PowerShell script doesn't prevent the "Bad image" popup.

The PowerShell command didn't have any effect.

Restart SW to apply changes. And the PS script is fixed; SW crashed because of StrictHandleCheck.

set-ProcessMitigation -Name simplewall.exe -Enable BottomUp,HighEntropy,DisableExtensionPoints,MicrosoftSignedOnly,BlockRemoteImageLoads,BlockLowLabelImageLoads

Could you explain why you're loading all these modules into sw address space? Are you using any hooks? What changed between 3.1 and 3.0.9?

SW does not load anything not listed in its export; all these BadImages are because of 3rd-party apps that force-inject their DLLs into the SW address space, and SW resists. It's not good!

Iruberiam commented 4 years ago

Thanks for the response however the PS script does not solve the issue. This is with SW 3.09


henrypp commented 4 years ago

@Iruberiam

Thanks for the response however the PS script does not solve the issue. This is with SW 3.09

For 3.0.9, reset the Mitigation policy set by the script above:

set-ProcessMitigation -Name simplewall.exe -Disable MicrosoftSignedOnly

Iruberiam commented 4 years ago

Thank you. Yes, that works for 3.09. The previous recommended script does not work for 3.1 here.

JoeBarouneD commented 4 years ago

Couldn't you just revert the memory protection changes, instead of giving PowerShell commands that don't work (as for 3.1)?

ltguillaume commented 4 years ago

SW does not load anything not listed in its export

Could you please explain what you mean by this? 😃 I'd like to learn what's going on here. What is listed in which "export"?

all these BadImages are because of 3rd-party apps that force-inject their DLLs into the SW address space, and SW resists

So, PISMO File Mount, MacType, Bandicam, Oldnewexplorer, VirtualBox etc. all try to inject their DLL into simplewall's address space? It seems like at least some of these have to do with Explorer shell extensions, right? Why would they want to inject into simplewall address space?

henrypp commented 4 years ago

@ltGuillaume

Could you please explain what you mean by this? 😃 I'd like to learn what's going on here. What is listed in which "export"?

Here is a simple answer.

ps: not "export", but "import", although it doesn’t matter.

It seems like at least some of these have to do with Explorer shell extensions, right? Why would they want to inject into simplewall address space?

This question is not under my knowledge. Ask them, "why".


Lexua1967 commented 4 years ago

I have the same with ELshellkhook64.dll (EveryLang v5)

Iruberiam commented 4 years ago

Thanks for the update to 3.1.1, sadly the issue with 'bad image' is still present. I've also tried the 1st PS script and restarted simplewall.

henrypp commented 4 years ago

@Iruberiam run this:

set-ProcessMitigation -Name simplewall.exe -Disable MicrosoftSignedOnly

Iruberiam commented 4 years ago

That did it, thank you.
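
A way to see what the commands in this thread change and why a given DLL is rejected, as an added example that is not from the thread's participants or the simplewall project: it reads the per-app mitigation settings stored for simplewall.exe and reports the Authenticode signer of the DLLs named in the "Bad Image" dialogs. The DLL list is copied from the dialogs quoted above and is an assumption to replace with your own paths; the signer-name match is only a rough stand-in for the signing-level check Windows performs.

```powershell
# Added example (not simplewall code): inspect the per-app mitigation policy
# and check who signed the DLLs reported in the "Bad Image" dialogs.

$app = 'simplewall.exe'

# Paths taken from the dialogs quoted in this thread; replace with your own.
$dlls = @(
    'C:\Windows\system32\VBoxMRXNP.dll',
    'C:\PROGRA~1\MacType\MacType64.dll'
)

# 1. Per-app settings as stored by Set-ProcessMitigation -Name.
#    Each value reads ON, OFF or NOTSET.
$policy = Get-ProcessMitigation -Name $app
if ($null -eq $policy) {
    Write-Output "No per-app mitigation settings are stored for $app."
} else {
    [pscustomobject]@{
        MicrosoftSignedOnly     = $policy.BinarySignature.MicrosoftSignedOnly
        DisableExtensionPoints  = $policy.ExtensionPoint.DisableExtensionPoints
        BlockRemoteImageLoads   = $policy.ImageLoad.BlockRemoteImageLoads
        BlockLowLabelImageLoads = $policy.ImageLoad.BlockLowLabelImageLoads
    } | Format-List
}

# 2. Signer of each DLL. With MicrosoftSignedOnly in effect, a module whose
#    signature is valid but not Microsoft's is still refused at load time.
foreach ($path in $dlls) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path : not present on this machine"
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        Path   = $path
        Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer = $signer
        # Heuristic only: the loader checks the signing level, not this string.
        LooksMicrosoftSigned = ($sig.Status -eq 'Valid' -and $signer -match 'CN=Microsoft ')
    } | Format-List
}
```

Settings changed with Set-ProcessMitigation -Name apply the next time the program starts, which is why simplewall has to be restarted after running the commands above.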