#31
Exactly. That's why we have to bother MS to include log access from notification center.
You can add a Custom view:
Code:
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
    <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
  </Query>
</QueryList>
This would be an absolute pain to me. First, by default, only a few 'standard' folders are protected. So to protect more from being accessed by program or programs unknown, I'd need to add a whole lot of folders/disks? - probably not possible. And then second, as above, I'd need to add a whole load of programs.
I infinitely prefer a white-listing solution - I use SecureAPlus. That acts on a simple one-time prompt to allow or not, coupled with options to upload a file for virus checking by multiple engines. (There's more too as regards AV protection alongside a traditional AV solution.)
This is comparatively non-intrusive - i.e. it prompts when you'd expect, and not too often.
Setting it up is easy - if happy with your system when installing it, simply have it trust everything installed at that time.
Thus EVERYTHING is protected.
I recall ZoneAlarm's firewall, many years ago, used a white list approach.
For anybody who's too lazy to open Event Viewer every time, and select the custom view, or...,
here is a tiny PS script to show events (newest at the top) regarding Controlled folder access. Just copy and paste it into Notepad, and save the file as filename.ps1.
Run it with right click / Run with PowerShell.
Code:
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object {$_.ID -eq "1123" -or $_.ID -eq "1124"}
Pause
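A longer variant of the script above, added here as an example and not part of the original post: it also picks up event 1127 and counts events per triggering process, which helps when deciding which programs to allow. The EventData field names `Process Name` and `Path` are assumptions; check an event's XML view if the columns come out empty.

```powershell
# Added example (not from the thread): summarise Controlled folder access
# events by the process that triggered them.
$log = 'Microsoft-Windows-Windows Defender/Operational'
$ids = 1123, 1124, 1127   # event IDs mentioned in this thread

# -FilterHashtable filters inside the event log service, which is much
# faster than piping the whole log through Where-Object.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Turn the <EventData> name/value pairs into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        # Assumed field names; adjust if your events use different ones.
        Process = $data['Process Name']
        Target  = $data['Path']
    }
}

if (-not $rows) {
    Write-Host 'No Controlled folder access events found.'
} else {
    # Newest events first, then a count per process.
    $rows | Sort-Object Time -Descending | Format-Table -AutoSize
    $rows | Group-Object Process | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}
Pause
```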
Thanks for bringing out that 1127.. This event (blocking memory) isn't listed in Controlled folder access events, yet it occurs from time to time. And I don't notice any side effects of it...
It is triggered (on my system) by hwinfo, powercfg, UUP2ISO, nothing to do with Controlled folders, but memory.
Yes, it's an odd one - I've not seen it stop anything working either. And after a restart the same actions don't usually trigger it.
It is described as...
in the MS document you linked to in post #33 here...
Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Controlled folder access sector write block event
Add Protected Folders to Controlled Folder Access in Windows 10 - Page 4 - | Windows 10 Tutorials