• Controlled folder access and Process Monitor

    #346639

    This post transferred from WS

    I have Windows 1803 and I am getting a %userprofile%\desktop access blocked message when I start PaleMoon, my browser of choice. OK, Windows is just doing what it's supposed to be doing, but I want to find what Palemoon wants to do to my desktop. I have tried using Process Monitor but have not caught anything! The help file for Process Monitor does not display. I just want a simple way to catch what is going on. I have tried to include image location and

    oh darn wait a minute, maybe I forgot to ‘apply’ !!
    I will get back….

    Ok now I am getting a lot of results but obviously still do not know what I am doing. I get a lot of Registry changes but do not know what I should be looking for.

    🍻

    Just because you don't know where you are going doesn't mean any road will get you there.
    • #346698

      First what other advice have you been given?

      —-

      If that does not work, have you tried:

      1. Disabling an extension, keep a list of which one you disabled
      2. Close the browser, wait
      3. Run Palemoon again to see if the error reappears?
      4. Repeat steps 1 to 3 until the error stops.
      5. If the error stopped appearing, you found the cause.
      1 user thanked author for this post.
    • #346709

      Different anonymous, branching away from your question’s direction to ask about your Pale Moon.

      Pale Moon recently offered a security and bugfix update to v28.4.1 (2019-03-27). Details are available on the release notes page.

      Have you installed the update; did your trouble pre-date the update; would the update clear your trouble; did the update cause a new trouble? Have you pursued a solution through https://forum.palemoon.org/ ?

      It is possible that a corruption could follow from one version to the next. You could try to uninstall, then also remove the folder structure, then reinstall the current version of the browser. This would eliminate all your addons and require customizing all over again.

      I agree this does not answer your Windows 10 directed question. But I hope it would help repair the original trouble.

      1 user thanked author for this post.
    • #347252

      Sounds like “Controlled folder access” is turned on.  “Protect files, folders, and memory areas on your device from unauthorized changes by unfriendly applications”.

      Use this link for more information on how to use this feature.  I have it enabled on a couple of my Windows 10 1809 installations.  It’s turned off on my daily driver desktop, from which I’m posting this.  I’ll probably turn it on soon and configure it, but I’ve been wrangling some other (self-inflicted) Windows 10 issues for the past couple of days.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

      1 user thanked author for this post.
    • #347272

      Thanks for all responses from a1 a2 and BBearren.

      I have just yesterday updated PM with no change and I do have “Controlled folder access” on, seems like a good idea. There were some instructions around for doing a similar thing with permission settings IIRC.

      What I am trying to find out is what PM wants to do on my desktop and how to use ProcessMonitor to do this. I am getting many reg changes come up, some with desktop mentioned but I still have no idea what action by PM caused the response.

       

       

    • #347283

      You got “%userprofile%\desktop access blocked message when I start PaleMoon”.  Have you added PaleMoon as an allowed app for Controlled folder access?

      This is being handled by a Windows Service, and I’m not sure how much info Process Monitor is going to show you.  Controlled folder access would surely involve registry changes to permit/deny access to Controlled folders by different apps.


    • #347292

      Thanks BBearren

      I have not added it as I am still trying to figure out just what it is touching there.

      Maybe process monitor is not the tool I need, do you have a suggestion for another?

       

      • #347541

        I tried PM in safe mode and it does the same at the point where the dialog box pops up before PM loads. I will ask at the PM forum again.

    • #347580

      I was checking out Controlled folder access and found it curious that

      C:\Users\Username\AppData\Local\
      C:\Users\Username\AppData\Roaming
      C:\ProgramData\

      are not the directories blocked.

      I thought these were the favorite haunts of many bad beasties. I wonder why they are not protected locations?

      • #348212

        Windows itself and other programs use these locations to store some important data. Palemoon could allow for the change of where profiles are stored in another directory.

        Use controlled folder access where needed, and keep a regular backup regime of your operating system installation and precious document data just in case. Do you know how to back up your system?

    • #350731

      Sorry I took so long to respond. Yes, I do backup.
      And yes to PM being able to place its profile where one wants it.
      My point was the folders:
      C:\Users\Username\AppData\Local\
      C:\Users\Username\AppData\Roaming
      C:\ProgramData\

      Are known running points for serious malware. Why would they not be included as protected and system programs that need access allowed? Perhaps Windows has another strategy to prevent this now. I may run folder access in audit mode after blocking these folders, after a backup of course.
      I am still trying to find what PM is touching there. Event Viewer just tells that access was attempted, not WHAT. Any help in that regard would be appreciated.

      • #350796

        I am still trying to find what PM is touching there.

        • Palemoon should be closed.
        • Start Process Monitor; it should automatically begin logging events. If not, Control+E will start logging events.
        • Press Control+L to open the Process Monitor Filter dialog
        • Double-click on any present filters to remove them.
        • Change drop down menus in that dialog to read as follows: ‘Event Class is File System then Include’, click Add, and then Apply, and finally OK.
        • Wait a bit and start Palemoon, wait until it finishes loading to completion but do not close Palemoon.

        You will see what looks like an ordered mess, but you may be able to find out what Palemoon is doing with the Desktop access.

        • Press Control+H to open the Process Monitor Highlighting dialog, it is like the Filter Dialog.
        • Change that dialog to read ‘Process Name is Palemoon.exe then include’, click Add, and then Apply, and finally OK. (it could be a lowercase process name)
        • If everything went according to instruction, you can press F4 to Find Highlight. (You can change the highlight colors in the Option menu.)

        After a few minutes you can probably turn off event capturing with Control+E. Hopefully you can see what Palemoon is attempting to do.

        1 user thanked author for this post.
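
Added example (not part of the original posts and not Sysinternals code): once a capture made with the steps above has been saved from Process Monitor as CSV, this PowerShell function summarises what one process did under the Desktop folder, with refused operations listed first. The function name `Get-DesktopAccess`, the `C:\Users\Username\Desktop` path and every sample row are assumptions made for illustration; only the column names follow Process Monitor's default export layout.

```powershell
# Added example: triage a Process Monitor capture saved as CSV.
# The rows below are CONSTRUCTED sample data (Result values are illustrative);
# for a real capture use: $rows = Import-Csv <your exported file>
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1 AM","Explorer.EXE","3300","QueryDirectory","C:\Users\Username\Desktop","SUCCESS",""
"10:15:02.2 AM","palemoon.exe","4120","CreateFile","C:\Users\Username\AppData\Roaming\Example\profiles.ini","SUCCESS",""
"10:15:02.4 AM","Palemoon.exe","4120","CreateFile","C:\Users\Username\Desktop","SUCCESS",""
"10:15:02.5 AM","Palemoon.exe","4120","QueryDirectory","C:\Users\Username\Desktop","SUCCESS",""
"10:15:02.6 AM","palemoon.exe","4120","CreateFile","C:\Users\Username\Desktop\example.tmp","ACCESS DENIED",""
"10:15:02.7 AM","palemoon.exe","4120","CreateFile","C:\Users\Username\Desktop\example.tmp","ACCESS DENIED",""
'@

function Get-DesktopAccess {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string] $ProcessName = 'palemoon.exe',
        [string] $DesktopPath = 'C:\Users\Username\Desktop'   # placeholder path
    )
    $root = $DesktopPath.TrimEnd('\')
    $Rows |
        Where-Object {
            # -eq on strings ignores case, so Palemoon.exe and palemoon.exe both match
            $_.'Process Name' -eq $ProcessName -and
            ($_.Path -eq $root -or
             $_.Path.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase))
        } |
        Group-Object Operation, Path, Result |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count     = $_.Count
                Operation = $first.Operation
                Path      = $first.Path
                Result    = $first.Result
            }
        } |
        # Anything other than SUCCESS sorts first, then by how often it occurred
        Sort-Object @{ Expression = { $_.Result -eq 'SUCCESS' } },
                    @{ Expression = 'Count'; Descending = $true }
}

$rows = $sampleCsv | ConvertFrom-Csv
Get-DesktopAccess -Rows $rows | Format-Table -AutoSize
```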
    • #363365

      I tried SOMETHING like this with no more understanding, I will try it following with your directions.
      AW seems very slow recently BTW.

      • #363367

        We are currently importing the WSL data – it will be slow for a while.

        1 user thanked author for this post.
    • #364402

      I tried SOMETHING like this with no more understanding,

      Process Monitor *does* have a bit of a learning curve. 🙂 Perhaps have a look at these two Channel 9 videos?

      Defrag Tools: #3 – Process Monitor

      Defrag Tools: #4 – Process Monitor – Examples

      and/or this How-To Geek article?

      Using Process Monitor to Troubleshoot and Find Registry Hacks

      They helped me get to grips with ProcMon.

      A tip: Create a shortcut to the ProcMon executable and append a space then  /NoConnect to the target entry (e.g. C:\Support\Procmon.exe /NoConnect). This will start ProcMon but prevent it from automatically logging. It just gives you time to sort out what filters you want to use *before* you start logging.

      Hope this helps…

       

      2 users thanked author for this post.
    • #369928
      • Palemoon should be closed.
      • Start Process Monitor; it should automatically begin logging events. If not, Control+E will start logging events.

      I gave it a quick try but need to spend more time on it. Thanks.
