• ASR – unexpected items in event viewer

    Home » Forums » AskWoody support » Windows » Windows 10 » Windows 10 version 21H2 – November 2021 Update » ASR – unexpected items in event viewer

    • This topic has 3 replies, 2 voices, and was last updated 1 month ago.
    Author
    Topic
    #2468498

    I have enabled ASR and used the GUI tool to turn on the checks as per a recent newsletter. I can confirm that all would appear to be working well as I have had some prompts about programs that are blocked and do not run. I am happy with that, and I know how to add entries to enable these programs to work as expected and that is all OK too.

    I am still seeing entries in the event log like:


    Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator

    Path : C:\Windows\System32\taskhostw.exe
    ProcessName : C:\Windows\System32\lsass.exe
    TargetCommandline : taskhostw.exe -RegisterDevice -Periodic

    I post the above as it is an MS process and I wonder why it is being flagged. I have also had items for the Macrium backup program that say the same thing, but nothing seems to be going wrong with the backups, so why the entry?

    I now have a little PowerShell script to process these event log entries so I can decide what to do.  Adding entries to allow something to happen is a trivial addition but I wanted to understand a bit more first.

    The rule they fall foul of is:

    Block credential stealing from the Windows local security authority subsystem (lsass.exe)

    So what credentials are they trying to access, and should they be accessing lsass.exe?

    • This topic was modified 1 month, 3 weeks ago by PKCano.
    Viewing 2 reply threads
    Author
    Replies
    • #2469549

      This is a Win 11 only issue (not showing up in Win 10). The Macrium issue has been fixed and will be released in an update (I beta tested it for them). I’m still on Win 11 22000.795, could be fixed in this month’s updates? I need to do a feedback hub report for this (I am excited about earth slow down so I can get extra nano seconds to do MS bug reporting ;^)).

    • #2470344

      The Macrium issue fix caused my system to crash – I am beta testing that fix today.

      After this month’s updates I see only dropbox events. but its early days at the moment.

    • #2473954

      I have now completed a beta version of a PowerShell script that will allow anyone to interrogate their system to see what ASR or Controlled Folder events have been generated in the event log. The output is (I think) a little more legible.

      The user can then decide to add or remove ASR exclusions or Controlled Folder Allowed Applications based on the event log items found.

      The user can also add or remove ASR Rules and Controlled Folders.

      There are (where applicable) methods to select items of interest and the date of items extracted from the event log.

      The script runs as a non-administrative user BUT will need administrative access to add and remove items from Microsoft’s defender configuration. The user can display the script that will be run the defender configuration commands before asking for the Admin username/password

      Anyone interested?

    Viewing 2 reply threads
    Reply To: ASR – unexpected items in event viewer

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: