Feb 23 2022 06:39 AM
What is the below event log message a result of? Should we be making any type of exclusion?
Process '\Device\HarddiskVolume4\Users\*****\AppData\Local\Microsoft\Teams\current\Teams.exe' (PID 21292) was blocked from making system calls to Win32k.sys.
Log Name: Microsoft-Windows-Security-Mitigations/Kernel Mode
Feb 28 2022 05:34 AM
Feb 28 2022 08:16 AM
May 08 2023 10:15 AM
I have the same problem with the search program 'Recoll'.
One reason that I replaced Microsoft Defender with something third-party was precisely to avoid this sort of nonsense whereby Defender mistakenly thinks that it knows best. What we see here - with Defender blocking harmless programs that one wants to run - is that one cannot entirely replace Defender, and that consequently one has problems using one's computer. That situation is pretty desperate (and gives me further reason to move entirely to Linux).
May 09 2023 06:03 AM
May 09 2023 06:21 AM
@jbmartin6: where? As I said, Defender is (so far as possible) disabled. (For it I substituted Eset's 'NOD32 Anti-Virus'.)
May 09 2023 09:24 AM
May 09 2023 04:01 PM - edited May 09 2023 04:08 PM
Thank you. Please note though that I am not a system administrator but rather someone who uses Windows (though the 'pro' version of Windows 10) on a home PC. I see nothing in Windows Settings about 'asr' or 'attack surface reduction' and an Internet search seems to suggest that a home user will not even have such rules enabled. So how do I configure the relevant functionality, please?
EDIT: I found this PowerShell command:
Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
The output is blank, aside from a header bar. So seemingly no rule is configured. And, yet, I see this within a log:
Event Time: 03/05/2023 13:42:30.083
Event ID: 10
Level: Warning
Channel: Microsoft-Windows-Security-Mitigations/KernelMode
Provider: Microsoft-Windows-Security-Mitigations
Description: Process '\Device\HarddiskVolume6\Program Files (x86)\Recoll\QtWebEngineProcess.exe' (PID 15048) was blocked from making system calls to Win32k.sys.
Opcode / Task: 5
Keywords: 0x8000000000000000
Process ID: 15048
Thread ID: 4412
Computer / User / Log File: [. . .]
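The event in the question (Teams.exe) and the one in the log above (QtWebEngineProcess.exe) both come from the Exploit Protection mitigation "Disable Win32k system calls" (ProcessSystemCallDisablePolicy), not from an Attack Surface Reduction rule, which is why Get-MpPreference shows no ASR rules while the Kernel Mode channel still records blocks; Exploit Protection is part of Windows itself and keeps running when a third-party antivirus replaces the Defender engine. The following PowerShell is an added example, not code from the thread or from Microsoft's documentation of the feature: it pulls the recent Event ID 10 blocks, shows which executables they name, reads the system-wide and per-program state of the mitigation, and writes a per-executable exemption, which is what the "Override system settings" toggle under Windows Security > App & browser control > Exploit protection > Program settings does behind the GUI. It assumes the channel is named Microsoft-Windows-Security-Mitigations/KernelMode (as in the exported log; Event Viewer displays it as "Kernel Mode") and uses the two program names from the posts; run it in an elevated PowerShell.

```powershell
# Added example (not from the original thread). Requires an elevated PowerShell.
# Assumptions: channel name as shown in the exported log above (confirm with
#   Get-WinEvent -ListLog '*Security-Mitigations*'), program names taken from the posts.

# 1. Recent "blocked from making system calls to Win32k.sys" events (Event ID 10),
#    grouped by the executable each message names.
$blocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode'
        Id      = 10
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The message carries an NT device path ('\Device\HarddiskVolumeN\...'); keep the file name.
        $exe = if ($_.Message -match "Process '([^']+)'") { Split-Path -Leaf $Matches[1] } else { $null }
        [pscustomobject]@{ Time = $_.TimeCreated; Process = $exe; Message = $_.Message }
    }
$blocks | Group-Object Process | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 2. Current state of the Win32k mitigation: system default, then per program.
#    In this output, 'DisableWin32kSystemCalls : ON' means the mitigation (the block) is active.
'--- system default ---'
(Get-ProcessMitigation -System).SystemCall
foreach ($app in 'Teams.exe', 'QtWebEngineProcess.exe') {
    "--- $app ---"
    (Get-ProcessMitigation -Name $app).SystemCall
}

# 3. Exempt one executable only. The wording is inverted in the same way the GUI is:
#    '-Disable DisableWin32kSystemCalls' switches the mitigation OFF for that program,
#    '-Enable DisableWin32kSystemCalls' switches it ON. Nothing else on the system changes.
Set-ProcessMitigation -Name 'QtWebEngineProcess.exe' -Disable DisableWin32kSystemCalls
(Get-ProcessMitigation -Name 'QtWebEngineProcess.exe').SystemCall

# 4. To revert to inheriting the system default again:
# Set-ProcessMitigation -Name 'QtWebEngineProcess.exe' -Remove -Disable DisableWin32kSystemCalls
```

Two practical notes. First, the per-program setting is keyed on the executable name, so for a Chromium-embedding application such as Recoll it is the helper process (QtWebEngineProcess.exe) that must be exempted, not the main program; the event message tells you which. Second, the mitigation exists because win32k.sys has historically been a productive source of kernel privilege-escalation bugs, so an exemption should be scoped to the one executable that cannot run without it, and an application that still crashes after the exemption is applied (as happened in the thread) needs a restart of that executable, since the policy is read at process creation.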
May 10 2023 11:23 AM
May 10 2023 01:53 PM
The plot thickens! I thought I should offer you an apology in return, for, seemingly contrary to what I heard from Recoll's developer, the GUI setting to which you pointed me has an option to override the protection of 'win32k' system calls. Admittedly, the option is confusingly worded, but it seemed to me that what I needed to do was to set 'override system settings' to 'on'. So I did. The GUI advised me to restart the affected program - which is the program 'Recoll'. So I did - and when I relaunched Recoll... it crashed:
May 12 2023 07:41 AM
May 12 2023 12:11 PM
Thanks.
'I assume you used override the system settings to set it to off?' Well, please bear with me. Here is what I did.
But, have I actually made any change? I am so boggled by the UI that I do not know. If I have indeed made no change, then I might experience the problem that I had originally. To wit: sometimes Recoll silently does not run when one tries to run it.