Forum Discussion
Michael Platt
Feb 23, 2022 Brass Contributor
Teams.exe - Was blocked from making system calls to Win32k.sys.
What is the below event log message a result of? Should we be making any type of exclusion? Process '\Device\HarddiskVolume4\Users\*****\AppData\Local\Microsoft\Teams\current\Teams.exe' (PID 2129...
jbmartin6
May 09, 2023 Iron Contributor
Why don't you just make an exclusion for it?
myTechUserName
May 09, 2023 Copper Contributor
jbmartin6: where? As I said, Defender is (so far as possible) disabled. (For it I substituted ESET's NOD32 Anti-Virus.)
jbmartin6
May 09, 2023 Iron Contributor
ASR rules are technically not part of Defender; it is an OS feature that can be enabled/disabled independently. If you are encountering issues with the feature, take a look and see if it is still configured.
myTechUserName
May 09, 2023 Copper Contributor
Thank you. Please note though that I am not a system administrator but rather someone who uses Windows (though the 'pro' version of Windows 10) on a home PC. I see nothing in Windows Settings about 'asr' or 'attack surface reduction' and an Internet search seems to suggest that a home user will not even have such rules enabled. So how do I configure the relevant functionality, please?
EDIT: I found this PowerShell command:
Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
The output is blank, aside from a header bar. So seemingly no rule is configured. And, yet, I see this within a log:
Event Time: 03/05/2023 13:42:30.083
Event ID: 10
Level: Warning
Channel: Microsoft-Windows-Security-Mitigations/KernelMode
Provider: Microsoft-Windows-Security-Mitigations
Description: Process '\Device\HarddiskVolume6\Program Files (x86)\Recoll\QtWebEngineProcess.exe' (PID 15048) was blocked from making system calls to Win32k.sys.
Opcode/Task: 5
Keywords: 0x8000000000000000
Process ID: 15048
Thread ID: 4412
Computer, User, Log File: [. . .]
jbmartin6
May 10, 2023 Iron Contributor
I have to apologize, I was wrong; this isn't related to ASR rules. I was confused. It is coming from another OS feature, Exploit Guard, aka Exploit protection. This one you should be able to access in the GUI (Windows Security / App & browser control / Exploit protection). Try configuring your process with overrides for 'Disable Win32k system calls'.
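The triage the thread walks through (read the Security-Mitigations event, confirm no ASR rules are set, then look at the per-process Exploit Protection setting before deciding on an override) can be done from an elevated PowerShell prompt rather than the GUI. The script below is an added example written for this page, not code posted by any participant; it uses the built-in Get-WinEvent, Get-MpPreference and the ProcessMitigations module (Get-ProcessMitigation / Set-ProcessMitigation, present on Windows 10 1709 and later). The executable name QtWebEngineProcess.exe is taken from the log line quoted above and is only an assumed target.

```powershell
# Added example, not from the thread. Triage "was blocked from making system calls
# to Win32k.sys" events end to end. Run from an elevated PowerShell prompt.
# The process name is an assumption based on the log line quoted in the thread.
$ProcessName = 'QtWebEngineProcess.exe'

# 1. Pull recent Event ID 10 entries from the kernel-mode mitigations channel.
#    Get-WinEvent throws when nothing matches, hence -ErrorAction SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode'
    Id      = 10
} -MaxEvents 20 -ErrorAction SilentlyContinue

# Parse the image path and PID out of the message text so repeat offenders are easy to spot.
$events | ForEach-Object {
    if ($_.Message -match "Process '(?<path>[^']+)' \(PID (?<pid>\d+)\)") {
        [pscustomobject]@{
            Time = $_.TimeCreated
            Path = $Matches.path
            PID  = [int]$Matches.pid
        }
    }
} | Format-Table -AutoSize

# 2. Confirm whether any ASR rules are configured. Blank output, as in the thread,
#    means none are, so ASR cannot be the source of the event.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

# 3. Inspect the Exploit Protection setting for this executable.
#    SystemCall.DisableWin32kSystemCalls reads ON, OFF or NOTSET. NOTSET means no
#    per-process override exists; the mitigation may still have been enabled by the
#    process itself (Chromium-based renderers such as QtWebEngine and Electron do
#    this for their own sandbox), in which case the event is expected behaviour.
$mit = Get-ProcessMitigation -Name $ProcessName
$mit.SystemCall | Format-List

# Also check the system-wide default that applies to every process without an override.
(Get-ProcessMitigation -System).SystemCall | Format-List

# 4. Only if the block actually breaks the application: add the per-process override
#    the last reply describes (the GUI's 'Disable Win32k system calls' toggle).
# Set-ProcessMitigation -Name $ProcessName -Disable DisableWin32kSystemCalls

# To remove every override for that executable again:
# Set-ProcessMitigation -Name $ProcessName -Remove
```

Step 4 is left commented out on purpose: disabling the mitigation widens the attack surface of a process that renders untrusted web content, so the override is worth applying only after step 3 shows the setting is forced on and the application is genuinely malfunctioning, not merely logging the event.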