Teams.exe - Was blocked from making system calls to Win32k.sys.


What is the below event log message a result of? Should we be making any type of exclusion?

 

Process '\Device\HarddiskVolume4\Users\*****\AppData\Local\Microsoft\Teams\current\Teams.exe' (PID 21292) was blocked from making system calls to Win32k.sys.

 

Log Name: Microsoft-Windows-Security-Mitigations/Kernel Mode

11 Replies
Hi Michael,
I had similar alerts for OneDrive, Notepad and Teams when I enabled folder protection as part of the attack surface reduction rules. You are unable to specify which programs are trusted as Microsoft determines that. I ended up putting the rule into Audit mode. You can verify if it's being blocked by attack surface reduction rules by going to Security Centre and run the query below in Advanced Hunting.

DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')

I hope that helps.

Si
Prefer to have this in block mode. Any other options?

I have the same problem with the search program 'Recoll'.

 

One reason that I replaced Microsoft Defender with something third-party was precisely to avoid this sort of nonsense whereby Defender mistakenly thinks that it knows best. What we see here - with Defender blocking harmless programs that one wants to run - is that one cannot entirely replace Defender, and that consequently one has problems using one's computer. That situation is pretty desperate (and gives me further reason to move entirely to Linux).

Why don't you just make an exclusion for it?

@jbmartin6: where? As I said, Defender is (so far as possible) disabled. (For it I substituted Eset's 'NOD32 Anti-Virus'.)

ASR rules are technically not part of Defender; they are an OS feature that can be enabled/disabled independently. If you are encountering issues with the feature, take a look and see if it is still configured.

@jbmartin6

 

Thank you. Please note though that I am not a system administrator but rather someone who uses Windows (though the 'pro' version of Windows 10) on a home PC. I see nothing in Windows Settings about 'asr' or 'attack surface reduction' and an Internet search seems to suggest that a home user will not even have such rules enabled. So how do I configure the relevant functionality, please?

 

EDIT: I found this PowerShell command:

Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

The output is blank, aside from a header bar. So seemingly no rule is configured. And, yet, I see this within a log:

 

Event Time: 03/05/2023 13:42:30.083
Event ID: 10
Level: Warning
Channel: Microsoft-Windows-Security-Mitigations/KernelMode
Provider: Microsoft-Windows-Security-Mitigations
Description: Process '\Device\HarddiskVolume6\Program Files (x86)\Recoll\QtWebEngineProcess.exe' (PID 15048) was blocked from making system calls to Win32k.sys.
Opcode / Task: 5
Keywords: 0x8000000000000000
Process ID: 15048
Thread ID: 4412
Computer / User / Log File: [. . .]

 

I have to apologize; I was wrong, this isn't related to ASR rules. I was confused. It is coming from another OS feature, Exploit Guard, aka Exploit protection. This one you should be able to access in the GUI (Windows Security / App & Browser Control / Exploit protection). Try configuring your process with an override for 'Disable Win32k system calls'.

@jbmartin6 

 

The plot thickens! I thought I should offer you an apology in return, for, seemingly contrary to what I heard from Recoll's developer, the GUI setting to which you pointed me has an option to override the protection of 'win32k' system calls. Admittedly, the option is confusingly worded, but it seemed to me that what I needed to do was to set 'override system settings' to 'on'. So I did. The GUI advised me to restart the affected program - which is the program 'Recoll'. So I did - and when I relaunched Recoll . . it crashed:

Ugh. I assume you used 'override the system settings' to set it to off? I'm out of ideas, outside of trying a full reboot and similar random things.

@jbmartin6 

 

Thanks.

 

'I assume you used override the system settings to set it to off?' Well, please bear with me. Here is what I did.

  • I found the section entitled 'Disable Win32k system calls' and, within that, I clicked 'Override system setting'.
  • I set the, er, slider entitled 'Off' to . . I forget what. But, just now, I left that slider at its default of, er, 'Off'. (Or at least 'Off' is the default after one has enabled the relevant instance of 'Override system setting'.)
  • Then (without rebooting) I ran the 'Recoll' program - and, this time, it worked!

But, have I actually made any change? I am so boggled by the UI that I do not know. If I have indeed made no change, then I might experience the problem that I had originally. To wit: sometimes Recoll silently does not run when one tries to run it.
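Pulling together the two technical points in this thread (the Security-Mitigations/KernelMode event 10 quoted at the top, and the per-process Exploit protection override for 'Disable Win32k system calls' suggested further down), here is an added PowerShell example. It is not code from anyone in this thread or from Microsoft; it shows how an administrator would find out which executables the mitigation has blocked, read the current per-process setting, and, only when explicitly asked, apply an audit-mode override scoped to one image name and then re-read the setting to confirm that something actually changed. The cmdlets (Get-WinEvent, Get-ProcessMitigation, Set-ProcessMitigation) are real; the assumptions are the `SystemCall.DisableWin32kSystemCalls` / `SystemCall.Audit` property path on the Get-ProcessMitigation output and the exact wording of the event message, which is taken from the event quoted in this thread.

```powershell
<#
  Added example, not from the thread. Run in an elevated PowerShell session on
  Windows 10 1709 or later (Set-ProcessMitigation needs admin).

  Assumptions (not verified against the page):
    - Get-ProcessMitigation returns an object whose SystemCall member has the
      properties DisableWin32kSystemCalls and Audit (values like ON/OFF/NOTSET).
    - The event message has the exact shape quoted in the thread.
#>
param(
    [string]$LogName  = 'Microsoft-Windows-Security-Mitigations/KernelMode',
    [int]   $EventId  = 10,
    [int]   $Days     = 7,
    # Only when both of these are given does the script change anything.
    [switch]$ApplyAuditOverride,
    [string]$TargetExe
)

# 1. Collect recent kernel-mode mitigation events and pull the image path out of the message.
$filter = @{ LogName = $LogName; Id = $EventId; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$pattern = "Process '(?<path>[^']+)' \(PID (?<procid>\d+)\) was blocked from making system calls to Win32k\.sys"
$blocked = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time = $e.TimeCreated
            Exe  = [IO.Path]::GetFileName($Matches.path)
            Path = $Matches.path
            Pid  = [int]$Matches.procid
        }
    }
}

# 2. Summarise per executable. Frequency and path matter for triage: repeated hits from a
#    known application under Program Files or AppData\Local\Microsoft\Teams are a
#    compatibility problem; hits from an unfamiliar location deserve a closer look
#    before any override is granted.
$summary = $blocked | Group-Object Exe | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } },
        @{ n = 'Paths';    e = { ($_.Group.Path | Sort-Object -Unique) -join '; ' } }
$summary | Format-Table -AutoSize

# 3. For each executable, show whether the Win32k mitigation is set per process or
#    just inherited from the system default (NOTSET means "no per-process override").
foreach ($exe in @($summary.Name)) {
    $m = Get-ProcessMitigation -Name $exe -ErrorAction SilentlyContinue
    if ($m) {
        '{0}: DisableWin32kSystemCalls={1} Audit={2}' -f $exe,
            $m.SystemCall.DisableWin32kSystemCalls, $m.SystemCall.Audit
    }
}

# 4. Optional, narrow change: audit mode for ONE image name. Events keep being logged,
#    nothing is blocked, and the system-wide setting stays as it was. Turning the
#    mitigation fully off for that image would be
#      Set-ProcessMitigation -Name $TargetExe -Disable DisableWin32kSystemCalls
#    and is deliberately not done here.
if ($ApplyAuditOverride -and $TargetExe) {
    Set-ProcessMitigation -Name $TargetExe -Enable AuditSystemCall

    # 5. Re-read the setting so the change is confirmed from the store, not assumed
    #    from the UI; this is the check the last post in the thread was missing.
    Get-ProcessMitigation -Name $TargetExe | Select-Object -ExpandProperty SystemCall
}
```

Usage: `.\Win32kBlocks.ps1` alone only reports; `.\Win32kBlocks.ps1 -ApplyAuditOverride -TargetExe QtWebEngineProcess.exe` sets the audit override for that image and prints the resulting SystemCall block, where `Audit` should now read ON. The same re-read is the quickest way to tell whether the 'Override system setting' toggle in the Windows Security UI actually wrote anything.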