Windows 10 Controlled Folder Access user override?

witefoda · 15 Feb 2021

I love that Controlled Folder Access has blocked some apps doing stuff to my folders or files that I don't care for them to, but it also blocks me from just saving a file from Paint or Firefox to any of those folders (at least... it seems to work inconsistently or bizarrely). Example of blocked list:

Windows 10 Controlled Folder Access user override?-controlled-folder-access-allow-app.png

The DDVDataCollecter being blocked I'm OK with - it's Dell's pre-installed DellDataVault program on my laptop, which I don't use anyway - but it also blocks Firefox, Chrome, MS Paint, etc from just saving files... and there's no pop-up prompt to let me click Yes to actually save, like Windows' UAC/Admin/firewall pop-ups. It's super-frustrating, and I typically have to save to a different place than the blocked folders (the Save As box won't even let me create a folder in the blocked folders), then move the file over to where it needs to go and create any folders it needs to go into.

While I've seen the option to just wholesale select apps to override the blocks, I don't want them doing things when I'm not aware; I haven't seen any settings to say "When I, myself, with my own mouse/keyboard, is trying to save a file or create a folder in a protected folder, give me a prompt to override your blocking, you nincompoop".

On top of that, the blocking seems to behave inconsistently. Sometimes it'll let me save in Documents/Pictures/etc, sometimes it won't. I can't tell what's a bug/intended; sub-folders are the same way. I can't tell what it's actual rules are or if it's following them. Windows should be able to tell when I the user through the mouse/keyboard is doing the action, and let me override the block like it does with other things. Maybe I'm wrong?!

Try3 · 16 Feb 2021

witefoda said:

Windows should be able to tell when I the user through the mouse/keyboard is doing the action ... Maybe I'm wrong?!

Yes, you are wrong.

Windows cannot tell the difference. It just responds to what it is told to do by code [whether that code is generated by your mouse/keyboard or by something else].

- Just by way of example, I could give you a script for you to run that turns on/off your NumLock key.
- Windows would not know the difference between you pressing that key and a script emulating that action.
- So if you had the setting to turn off the display after a certain time period of inaction, repeated automatic running of that script would stop the display ever turning off.

Your only recourse is to use the recognised procedure to allow certain applications to write in your CFA folders. You referred to the procedure in your initial post, the tutorial is at
Add or Remove Allowed Apps through Controlled Folder Access - TenForumsTutorials
- If you then experience abnormal behaviour, you could post a question asking for help in that tutorial thread.

Denis

Bobby Phoenix · 16 Feb 2021

This is the main reason I can't use Controlled Folders. I really want to, but it seems like every other file gets denied. I've added so many exceptions, and yet I still see it happen, so I just turned it off. I guess I do understand it from a security standpoint, but for the average user who will just get frustrated because their game can't save, or they can't save a simple download from Firefox, they will never use it.

witefoda · 14 Mar 2021

I guess I see it as a Windows design flaw that it can't tell whether a file action originated from a mouse/keyboard action or a running program/service... maybe there's some sort of physical/technical impossibility or difficulty that makes it non-feasible for it to tell, but... I'm not seeing it.

That ability and implementation would probably have prevented an uncountable number of security problems.

Now the issue is deciding which apps I trust enough to molest my personal files, and even if I want to trust them, I may not know them well enough.

zebal · 14 Mar 2021

witefoda said:

I guess I see it as a Windows design flaw that it can't tell whether a file action originated from a mouse/keyboard action or a running program/service... maybe there's some sort of physical/technical impossibility or difficulty that makes it non-feasible for it to tell, but... I'm not seeing it.

Actually it's not that hard to block yourself accessing certain folders, the protected folder access is security feature to prevent ransomware (a type of malware) doing things you don't want.

There is no design issue here because a user (that is you) is not considered a malware, malware are harmful programs.
But IF you want to have folders that you won't be able to access then deny your user account from accessing them in folder security options.

However for this to make sense you need another Windows account (ex. Administrator) that will have unlimited access, you can then either use some 3rd party file explorer that you would run as Admin or switch to another account to access those folders you denied yourself.

witefoda · 16 Mar 2021

> a user (that is you) is not considered a malware

Right... we all know that.... and that's not an issue of contention... the issue based on what you're saying is that Windows can't even tell the difference between a mouse click and a program affecting a folder... which should be a way to tell the difference from a human and malware... and I thought this had something to do with why you had to click the screen to log in... because malware from a network or something could be distinguished from a mouse click... do you see what I'm saying here?

Does anyone else think that it's strange that Windows can't tell the difference between a user mouse click and a program generating an action on a folder? I mean, they're two different sources right? They're processed through the operating system... one comes from a piece of hardware, another from a piece of software. Maybe I'm a complete dope and need some extremely obvious fact explained as to why Windows can't tell this difference. PS I've been working with Windows software and hardware to the guts level for over 20 years (but just a little bit of DOS, Windows bat file coding, and deep config/troubleshooting)... so I could understand any technical explanation you could give me for why this isn't some failure on Microsoft's part to distinguish these two things easily.

zebal · 16 Mar 2021

witefoda said:

because malware from a network or something could be distinguished from a mouse click... do you see what I'm saying here?

Actually you're wrong, a malware can take control of your mouse or keyboard or imitate mouse clicks.
A hacker may take control of your mouse or KB as well as if it is you.
All of which can happen while you are away from computer.

Unfortunately that's not how anti virus works, because antivirus does not process actions, instead is processes signatures.
What you are referring to is behavioral analysis which may become true some 300 years in the future once AI advances.

it's strange that Windows can't tell the difference between a user mouse click and a program generating an action on a folder? I mean, they're two different sources right?

No they're not, they're both generated by mouse, Windows can't tell whether mouse was clicked by human or not.
And even if it could, Windows can't tell who is that person, but in the future this may be possible.

Try3 · 16 Mar 2021

witefoda said:

Windows can't even tell the difference between a mouse click and a program

Correct.
The CPU / Windows just receive & process electronic signals.
Whether those signals have been generated locally by attached hardware or locally/remotely by software does not bother the CPU or Windows.

I exploit this all the time. Many of my own scripts include a subroutine that emulates a keyboard key being pressed so that the monitor is woken up & I am shown a message telling me that the script has completed.

Denis