Forum Discussion
Teams.exe - Was blocked from making system calls to Win32k.sys.
I have the same problem with the search program 'https://www.lesbonscomptes.com/recoll/pages/index-recoll.html'.
One reason that I replaced Microsoft Defender with something third-party was precisely to avoid this sort of nonsense whereby Defender mistakenly thinks that it knows best. What we see here - with Defender blocking harmless programs that one wants to run - is that one cannot entirely replace Defender, and that consequently one has problems using one's computer. That situation is pretty desperate (and gives me further reason to move entirely to Linux).
- myTechUserName, May 09, 2023, Copper Contributor
jbmartin6: where? As I said, Defender is (so far as possible) disabled. (For it I substituted Eset's 'NOD32 Anti-Virus'.)
- jbmartin6, May 09, 2023, Iron Contributor
ASR rules are technically not part of Defender; it is an OS feature that can be enabled/disabled independently. If you are encountering issues with the feature, take a look and see if it is still configured.
- myTechUserName, May 09, 2023, Copper Contributor
Thank you. Please note though that I am not a system administrator but rather someone who uses Windows (though the 'pro' version of Windows 10) on a home PC. I see nothing in Windows Settings about 'asr' or 'attack surface reduction' and an Internet search seems to suggest that a home user will not even have such rules enabled. So how do I configure the relevant functionality, please?
EDIT: I found this PowerShell command:
Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
The output is blank, aside from a header bar. So seemingly no rule is configured. And, yet, I see this within a log:
Event Time, Event ID, Level, Channel, Provider, Description, Opcode, Task, Keywords, Process ID, Thread ID, Computer, User, Log File
03/05/2023 13:42:30.083 10 Warning Microsoft-Windows-Security-Mitigations/KernelMode Microsoft-Windows-Security-Mitigations Process '\Device\HarddiskVolume6\Program Files (x86) \Recoll\QtWebEngineProcess.exe' (PID 15048) was blocked from making system calls to Win32k.sys. 5 0x8000000000000000 15048 4412 [. . .]
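
An added diagnostic example, not part of any post in this thread: it reads the Event ID 10 entries from the log channel quoted above and, for each blocked executable, reports whether a per-program Exploit protection entry for "Disable Win32k system calls" exists. It assumes the `Get-ProcessMitigation` cmdlet (ProcessMitigations module, Windows 10 1709 or later) and an elevated PowerShell session; the variable names are illustrative.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell window.
$logName = 'Microsoft-Windows-Security-Mitigations/KernelMode'   # channel shown in the log entry above

# 1. Collect the "blocked from making system calls to Win32k.sys" events (Event ID 10).
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 10 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue

# 2. Extract the image path and PID from the message text of each event.
$pattern = "Process '(?<path>[^']+)' \(PID (?<pid>\d+)\)"
$blocked = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Image     = ($Matches['path'] -split '\\')[-1].Trim()   # file name only
            Path      = $Matches['path']
            ProcessId = [int]$Matches['pid']
        }
    }
}

# 3. For each executable, look for a per-program Exploit protection entry.
#    A program can also enable this mitigation on its own processes,
#    in which case no per-program entry exists here.
$summary = $blocked | Group-Object Image | ForEach-Object {
    $policy = Get-ProcessMitigation -Name $_.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Image         = $_.Name
        BlockCount    = $_.Count
        LastSeen      = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        Win32kSetting = if ($policy) {
                            @($policy.SystemCall.DisableWin32kSystemCalls) -join ','
                        } else { 'no per-program entry' }
    }
}
$summary | Sort-Object BlockCount -Descending | Format-Table -AutoSize

# 4. The ASR rule list from the post above, paired id-to-action for comparison.
try {
    $mp = Get-MpPreference -ErrorAction Stop
    $ids = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    if ($ids.Count -eq 0) { 'No ASR rules configured.' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $actions[$i] }
    }
} catch {
    "Get-MpPreference unavailable: $($_.Exception.Message)"
}
```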