Sunday, January 27, 2019

Controlled Folder Access - Windows 10 1809

I've been a big fan of Windows' Controlled Folder Access. Some of my coworkers have been "surprised" when it was enabled without their knowledge but I haven't experienced that. In fact I turn it on immediately when I build a new Windows system.

Over a recent long weekend I got on a tear upgrading 4 systems, desktops and laptops, to Windows 10 1809. I still haven't experienced any problems.

I've been posting about several new features in Windows 10 1809 that I think haven't gotten much press here, here, and here.

After my mass upgrade I've run into another unannounced feature that is valuable in relation to Controlled Folder Access.

In Windows 10 if a program violates the Controlled Folder Access you have established you get an ambiguous notification without enough information to act.


I Googled this and found that there is an event in the Event Viewer that has more information (archive.is). Here's how to get to it:

  1. Right-click on the Start button and select Event Viewer.
  2. Navigate to Applications and Services > Microsoft > Windows > Windows Defender > Operational
  3. Filter for (or just look for): Event ID 1123

Or you could just upgrade to Windows 10 1809.

Here's what the Controlled Folder Access Settings screen shows after an exception in 1803:


Not much help.

In 1809 here's what you get:


When you click on "Recently blocked apps" you get:


Nice.




1 comment:

Anonymous said...

I also have an immense affinity for Controlled Folder Access. And I have tested it on VM's against all sorts of ransomware; the results have been interesting and VERY encouraging. Not once has a ransomware succeeded in encrypting a file, or causing permanent damage to a system, even with admin privileges. Of course, I am not motivated to see that happen. However, I also cannot overestimate the importance of UAC set with a password at the top setting...I also use a standard user account. One thing I've noted is that in some cases, it is advisable to change permissions on the "...run" registry keys. These should never be allowed to be changed without a password....the only real problem I had was with a ransomware that created a startup entry in a key that was owned by the standard user; this seems ludicrous. Anyway to fix the OS I went in to the command prompt in advanced options (recovery) and deleted the RW's executable and that was it; rather simple.

ANYWAY....my real concern here is one thing. MY CONTROLLED FOLDER ACCESS has stopped registering WHICH applications it has blocked. In most cases I can figure out which it has blocked, but in the case of my VM's I cannot.

I wonder if you might have ANY clue why these entries stop showing up, as they do for me on EVERY installation I've ever had...eventually.

I know/suspect strongly/ that it is NOT the event viewer, because the event ID 1123 NEVER appears any longer, and blocked apps are not being offered in the "Recently Blocked Apps" dialog, which remains completely blank now.

Any ideas?