Forum Discussion
Teams.exe - Was blocked from making system calls to Win32k.sys.
What is the below event log message a result of? Should we be making any type of exclusion?
Process '\Device\HarddiskVolume4\Users\*****\AppData\Local\Microsoft\Teams\current\Teams.exe' (PID 21292) was blocked from making system calls to Win32k.sys.
Log Name: Microsoft-Windows-Security-Mitigations/Kernel Mode
- s_sim1290 Copper Contributor
Hi Michael,
I had similar alerts for OneDrive, Notepad and Teams when I enabled folder protection as part of the attack surface reduction rules. You are unable to specify which programs are trusted as Microsoft determines that. I ended up putting the rule into Audit mode. You can verify if it's being blocked by attack surface reduction rules by going to Security Centre and running the query below in Advanced Hunting.
DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
I hope that helps.
Si
- Michael Platt Brass Contributor
Prefer to have this in block mode. Any other options?
- myTechUserName Copper Contributor
I have the same problem with the search program 'Recoll'.
One reason that I replaced Microsoft Defender with something third-party was precisely to avoid this sort of nonsense whereby Defender mistakenly thinks that it knows best. What we see here - with Defender blocking harmless programs that one wants to run - is that one cannot entirely replace Defender, and that consequently one has problems using one's computer. That situation is pretty desperate (and gives me further reason to move entirely to Linux).
- jbmartin6 Iron Contributor
Why don't you just make an exclusion for it?
- myTechUserName Copper Contributor
jbmartin6: where? As I said, Defender is (so far as possible) disabled. (For it I substituted Eset's 'NOD32 Anti-Virus'.)
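
An added example (not posted by anyone in this thread): PowerShell that reads the log named in the question, counts Win32k system-call events per program and event ID, and prints the system-call settings that Exploit Protection has stored for each of those programs. The message pattern is built from the event text quoted in the question, and the 2000-event window is an arbitrary choice.

```powershell
# Added example: triage "blocked from making system calls to Win32k.sys" events.
# Log name is the one quoted in the question.
$logName = 'Microsoft-Windows-Security-Mitigations/Kernel Mode'

# Pattern derived from the message text quoted in the question (assumption:
# other events in this log that mention Win32k.sys use the same layout).
$pattern = "Process '(?<Path>.+?)' \(PID (?<ProcId>\d+)\) .*Win32k\.sys"

# Read recent events; an empty or missing log yields no rows instead of an error.
$events = Get-WinEvent -LogName $logName -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Win32k\.sys' }

$rows = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Image       = ($Matches.Path -split '\\')[-1]   # e.g. Teams.exe
            Path        = $Matches.Path
            ProcessId   = [int]$Matches.ProcId
        }
    }
}

if (-not $rows) {
    Write-Output "No Win32k.sys events found in '$logName'."
    return
}

# How often each program appears, split by event ID so that different
# event types for the same program are not merged into one count.
$rows | Group-Object Image, EventId |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# For each program seen, print the system-call section of its stored
# per-application mitigation settings.
foreach ($image in ($rows.Image | Sort-Object -Unique)) {
    Write-Output "--- $image ---"
    Get-ProcessMitigation -Name $image | ForEach-Object { $_.SystemCall }
}
```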