Is anyone using Windows Defender Controlled folder access?

AndreTen said:

Only with placing shortcuts on Desktop. I've had no other problems with it.

Posted a feedback about accessing logs in a simpler way (no way to find exact program to allow it access to restricted folder other than check the Event viewer), but no response..

I think you will only find the exact file path name in Event Viewer, I asked the same thing. Action center doesn't always show the full file path.

Kol12 said:

I think you will only find the exact file path name in Event Viewer, I asked the same thing. Action center doesn't always show the full file path.

Exactly. That's why we have to bother MS to include log access from notification center.

You can add Custom view:

Code:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
    <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
  </Query>
</QueryList>

This would be an absolute pain to me. First, by default, only a few 'standard' folders are protected. So to protect more from being accessed by program or programs unknown, I'd need to add a whole lot of folders/disks? - probably not possible. And then second, as above, I'd need to add a whole load of programs.

I infinitely prefer a white-listing solution - I use SecureAplus. That acts on a simple one-time prompt to allow or not, couple with options to upload a file for virus checking by multiple engines. (There's more too as regards AV protection alongside a tradition AV solution).

This is comparatively non-intrusive- i.e. it prompts when you'd expect, and not too often.

Setting it up is easy- if happy with your system when installing it, simply have it trust everything installed at that time.

Thus EVERYTHING is protected.

I recall Zonealarm's firewall, many years ago, used a white list approach.

For anybody who's too lazy to open Event viewer every time, and select custom view, or...,
here is tiny ps script to show events (newest at the top) regarding Controlled folder access. Just copy paste in Notepad, and save file as filename.ps1.

Run it with right click / run with powershell

Code:

Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object {$_.ID -eq "1123" -or $_.ID -eq "1124"}
Pause

Output:

AndreTen said:

Output:

You could usefully add event ID 1127 to that list...

Bree said:

You could usefully add event ID 1127 to that list...

Thanks for bringing out that 1127.. This event (blocking memory) isn't listed in Controlled folder access events, yet it occurs from time to time. And I don't notice any side effects of it...

It is triggered (on my system) by hwinfo, powercfg, UUP2ISO, nothing to do with Controlled folders, but memory.

AndreTen said:

This event (blocking memory) isn't listed in Controlled folder access events, yet it occurs from time to time. And I don't notice any side effects of it...

Yes, it's an odd one - I've not seen it stop anything working either. And after a restart the same actions don't usually trigger it.

It is described as...

Controlled folder access

Windows Defender (Operational)

1127

Blocked Controlled folder access sector write block event

in the MS document you linked to in post #33 here...
Add Protected Folders to Controlled Folder Access in Windows 10 - Page 4 - | Windows 10 Tutorials

Bree said:

Yes, it's an odd one - I've not seen it stop anything working either. And after a restart the same actions don't usually trigger it.

It is described as...


in the MS document you linked to in post #33 here...
Add Protected Folders to Controlled Folder Access in Windows 10 - Page 4 - | Windows 10 Tutorials

Thanks for the link, couldn't find it with quick search

About script... it's there, feel free to use it as you like Finding correct name of Defender log was hardest part.

Event ID 1123 is the only one, that I'm interested in for now.

AndreTen said:

Thanks for the link, couldn't find it with quick search ....

I didn't find it with a search either. I stumbled across it by chance after following the link Cliff S gave in post #25 of this thread, then just read on a bit...