Forum Discussion

Michael Platt
Brass Contributor
Feb 23, 2022

Teams.exe - Was blocked from making system calls to Win32k.sys.

What is the below event log message a result of? Should we be making any type of exclusion?


Process '\Device\HarddiskVolume4\Users\*****\AppData\Local\Microsoft\Teams\current\Teams.exe' (PID 21292) was blocked from making system calls to Win32k.sys.


Log Name: Microsoft-Windows-Security-Mitigations/Kernel Mode
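One way to see which binaries are hitting this mitigation on a given machine, and whether the block comes from a per-process exploit-protection entry or from the system default, is the following added example (editor's code, not from the thread). It assumes Windows 10 1709 or later, the built-in ProcessMitigations module, an elevated PowerShell session, and that the Win32k setting is exposed under the `SystemCalls` property of `Get-ProcessMitigation`.

```powershell
# Added example: summarise the "blocked from making system calls to Win32k.sys" events in the
# log named in the post, then show the exploit-protection setting that produces them.
# Assumes Windows 10 1709+ with the ProcessMitigations module; run elevated.

$LogName = 'Microsoft-Windows-Security-Mitigations/Kernel Mode'

# Pull recent events once; match on the message text from the post rather than an event ID.
$events = Get-WinEvent -LogName $LogName -MaxEvents 2000 -ErrorAction Stop |
    Where-Object { $_.Message -match 'blocked from making system calls to Win32k\.sys' }

# The message quotes the image's device path; extract it and normalise the per-user profile
# segment so the same application seen under many accounts groups together.
$summary = $events | ForEach-Object {
    if ($_.Message -match "Process '([^']+)'") {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            ImagePath   = $Matches[1] -replace '\\Users\\[^\\]+\\', '\Users\<user>\'
            Exe         = [System.IO.Path]::GetFileName($Matches[1])
        }
    }
}

# Blocked executables, most frequent first, with the time of the latest block.
$summary | Group-Object Exe | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } } |
    Format-Table -AutoSize

# For each executable, show whether DisableWin32kSystemCalls is set for that image specifically
# (a process-level entry) or only inherited from the system-wide default.
foreach ($exe in ($summary.Exe | Select-Object -Unique)) {
    "--- $exe ---"
    (Get-ProcessMitigation -Name $exe).SystemCalls   # assumed property name for this mitigation
}
"--- system default ---"
(Get-ProcessMitigation -System).SystemCalls

# Relaxing the mitigation for one image, rather than turning it off system-wide, looks like:
#   Set-ProcessMitigation -Name Teams.exe -Disable DisableWin32kSystemCalls
# The per-image summary above is what tells you which binaries actually need such an entry.
```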

  • s_sim1290
    Copper Contributor
    Hi Michael,
    I had similar alerts for OneDrive, Notepad and Teams when I enabled folder protection as part of the attack surface reduction rules. You are unable to specify which programs are trusted, as Microsoft determines that. I ended up putting the rule into Audit mode. You can verify if it's being blocked by attack surface reduction rules by going to Security Centre and running the query below in Advanced Hunting.

    DeviceEvents
    | where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')

    I hope that helps.

    Si
  • myTechUserName
    Copper Contributor

    I have the same problem with the search program 'Recoll'.


    One reason that I replaced Microsoft Defender with something third-party was precisely to avoid this sort of nonsense whereby Defender mistakenly thinks that it knows best. What we see here - with Defender blocking harmless programs that one wants to run - is that one cannot entirely replace Defender, and that consequently one has problems using one's computer. That situation is pretty desperate (and gives me further reason to move entirely to Linux).

    • jbmartin6
      Iron Contributor
      Why don't you just make an exclusion for it?
      • myTechUserName
        Copper Contributor

        jbmartin6: where? As I said, Defender is (so far as possible) disabled. (For it I substituted Eset's 'NOD32 Anti-Virus'.)
