Forum Discussion
Teams.exe - Was blocked from making system calls to Win32k.sys.
Thank you. Please note though that I am not a system administrator but rather someone who uses Windows (though the 'pro' version of Windows 10) on a home PC. I see nothing in Windows Settings about 'asr' or 'attack surface reduction' and an Internet search seems to suggest that a home user will not even have such rules enabled. So how do I configure the relevant functionality, please?
EDIT: I found this PowerShell command:
Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
The output is blank, aside from a header bar. So seemingly no rule is configured. And, yet, I see this within a log:
Event Time, Event ID, Level, Channel, Provider, Description, Opcode, Task, Keywords, Process ID, Thread ID, Computer, User, Log File
03/05/2023 13:42:30.083 10 Warning Microsoft-Windows-Security-Mitigations/KernelMode Microsoft-Windows-Security-Mitigations Process '\Device\HarddiskVolume6\Program Files (x86)\Recoll\QtWebEngineProcess.exe' (PID 15048) was blocked from making system calls to Win32k.sys. 5 0x8000000000000000 15048 4412 [. . .]
- jbmartin6, May 10, 2023, Iron Contributor: I have to apologize, I was wrong, this isn't related to ASR rules. I was confused. It is coming from another OS feature, Exploit Guard, aka Exploit protection. This one you should be able to access in the GUI (Windows Security / App & Browser Control / Exploit protection). Try configuring your process with overrides for 'Disable Win32k system calls'.
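The checks suggested in that reply, as an added PowerShell example that is not from this thread or from the Recoll project: it pulls Event ID 10 records from the Security-Mitigations kernel-mode log quoted earlier, shows the Exploit Protection state for the named executable, and leaves the per-process override commented out. An elevated Windows 10 Pro shell with the built-in ProcessMitigations module is assumed.

```powershell
# Added example, not from the thread. Triage a "blocked from making system calls
# to Win32k.sys" event and inspect the Exploit Protection override for that image.
# Assumes an elevated shell on Windows 10 Pro with the ProcessMitigations module.
$exe = 'QtWebEngineProcess.exe'   # image named in the Event ID 10 record above

# 1. Recent Event ID 10 records from the kernel-mode Security-Mitigations log
#    (the channel and ID are the ones shown in the log excerpt in this thread).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode'
    Id      = 10
} -MaxEvents 50 -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -like "*$exe*" } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 2. Effective mitigation settings for that executable. Look at the SystemCalls
#    section of the output for the 'Disable Win32k system calls' state
#    (NOTSET means the system-wide default applies).
Get-ProcessMitigation -Name $exe

# 3. Per-process remediation if the block is unwanted for this image only:
#    write an override that turns the Win32k mitigation off for $exe while
#    leaving the system-wide default untouched. Uncomment to apply.
# Set-ProcessMitigation -Name $exe -Disable DisableWin32kSystemCalls

# 4. Re-run step 2 after the override, then restart the affected program;
#    the setting is read when the process starts, not while it is running.
```

Running step 1 again after the restart is the quickest way to confirm whether new Event ID 10 records for the image have stopped.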
- myTechUserName, May 10, 2023, Copper Contributor:
The plot thickens! I thought I should offer you an apology in return, for, seemingly contrary to what I heard from Recoll's developer, the GUI setting to which you pointed me has an option to override the protection of 'win32k' system calls. Admittedly, the option is confusingly worded, but it seemed to me that what I needed to do was to set 'override system settings' to 'on'. So I did. The GUI advised me to restart the affected program - which is the program 'Recoll'. So I did - and when I relaunched Recoll... it crashed:
- jbmartin6, May 12, 2023, Iron Contributor: Ugh. I assume you used 'override the system settings' to set it to off? I'm out of ideas, outside of trying a full reboot and similar random things.