1.    2 Weeks Ago #1
    Join Date : Aug 2015
    Posts : 59
    Windows 9 (aka Windows 10)

    Does Windows Defender Exploit Protection log anywhere?


    I've used EMET quite a bit in the past. I recently started using the Fall Creators Update "Exploit Protection" feature. I have the settings as aggressive as possible, and I'm not changing them. This post is not asking what Exploit Protection settings I should use. The settings in place are not a big problem, but they do require me to configure program exclusions as needed, because certain programs require certain exploit protection functions to be disabled in order to run.

    With EMET, every time a process was terminated due to running afoul of its protection settings, a log entry would be written, and it was possible to check Event Viewer and clearly see why EMET killed the process. But with Exploit Protection, I can't find any such log entry, even under Windows Defender's logs.

    Do such log entries get written at all? If so, where are they?
  2.    2 Weeks Ago #2
    Join Date : Feb 2016
    Maribor, Slovenia
    Posts : 8,939
    Windows 10 (Pro and Insider Pro)
  3.    2 Weeks Ago #3
    Join Date : Aug 2015
    Posts : 59
    Windows 9 (aka Windows 10)
    Thread Starter

    You would think so, but those logs don't seem to capture the Exploit Protection events I'm interested in. I just changed an EP setting to purposely make it crash an application, and there's no log entry of it anywhere that I can see. I have about a billion instances of "chrome.exe was blocked from making system calls to Win32k.sys" in Security-Mitigations, though.

    Thank you for the reply nonetheless. I will keep looking.
  4.    2 Weeks Ago #4
    Join Date : Feb 2016
    Maribor, Slovenia
    Posts : 8,939
    Windows 10 (Pro and Insider Pro)

    Quote Originally Posted by meh
    You would think so, but those logs don't seem to capture the Exploit Protection events I'm interested in. I just changed an EP setting to purposely make it crash an application, and there's no log entry of it anywhere that I can see. I have about a billion instances of "chrome.exe was blocked from making system calls to Win32k.sys" in Security-Mitigations, though.

    Thank you for the reply nonetheless. I will keep looking.
    One thing I've just noticed: if you downloaded their XML files to make custom filters, the file for Exploit Protection events is bogus; it's a copy of the Network Protection events file.

    Create the rule manually, like the code on the site: list-of-all-windows-defender-exploit-guard-events

    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Security-Mitigations/KernelMode">
        <Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Concurrency">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Contention">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Messages">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Operational">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Power">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Render">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Tracing">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/UIPI">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
      </Query>
    </QueryList>
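An added example, not from the thread or from Microsoft: a PowerShell function that queries the same channels, providers and event IDs the custom view above selects and summarises the hits per process and mitigation, so the thousands of "chrome.exe was blocked from making system calls to Win32k.sys" entries collapse into one countable row and a single block event for another program stands out. The event ID to mitigation names follow Microsoft's published Exploit Protection event table; the *Path* EventData lookup and the message-word fallback are assumptions about the record layout.

```powershell
# Added example (not from the thread): summarise Exploit Protection events per
# process and mitigation. Event ID -> name follows Microsoft's published Exploit
# Protection event table: odd IDs are audit-mode events, even IDs are blocks.
$mitigationById = @{
   1 = 'ACG (audit)';                   2 = 'ACG (block)'
   3 = 'Child processes (audit)';       4 = 'Child processes (block)'
   5 = 'Low-integrity images (audit)';  6 = 'Low-integrity images (block)'
   7 = 'Remote images (audit)';         8 = 'Remote images (block)'
   9 = 'Win32k syscalls (audit)';      10 = 'Win32k syscalls (block)'
  11 = 'Code integrity guard (audit)'; 12 = 'Code integrity guard (block)'
  13 = 'EAF (audit)';                  14 = 'EAF (block)'
  15 = 'EAF+ (audit)';                 16 = 'EAF+ (block)'
  17 = 'IAF (audit)';                  18 = 'IAF (block)'
  19 = 'ROP StackPivot (audit)';       20 = 'ROP StackPivot (block)'
  21 = 'ROP CallerCheck (audit)';      22 = 'ROP CallerCheck (block)'
  23 = 'ROP SimExec (audit)';          24 = 'ROP SimExec (block)'
}

function Get-ExploitProtectionEvents {
  param([datetime]$Since = (Get-Date).AddDays(-1))
  # Same channels, providers and IDs that the custom-view XML above selects.
  $filters = @(
    @{ LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode'; Id = 1..24; StartTime = $Since }
    @{ LogName = 'Microsoft-Windows-Security-Mitigations/UserMode';   Id = 1..24; StartTime = $Since }
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-Diag'; Id = 5; StartTime = $Since }
    @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260; StartTime = $Since }
  )
  # A channel with no matching events makes Get-WinEvent throw; treat that as zero hits.
  $records = foreach ($f in $filters) { Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue }
  foreach ($e in $records) {
    $name = switch ($e.ProviderName) {
      'Microsoft-Windows-WER-Diag' { 'CFG (block)' }
      { $_ -like '*Win32k*' }      { 'Untrusted font (block)' }
      default                      { $mitigationById[[int]$e.Id] }
    }
    # Assumption: EventData field names vary per event ID, so take the first *Path*
    # data field and fall back to the first word of the rendered message.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $proc = ($data | Where-Object { $_.Name -like '*Path*' } | Select-Object -First 1).'#text'
    if (-not $proc -and $e.Message) { $proc = ($e.Message -split '\s+')[0] }
    [pscustomobject]@{ Time = $e.TimeCreated; Process = $proc; Id = $e.Id; Mitigation = $name }
  }
}

Get-ExploitProtectionEvents | Group-Object Process, Mitigation | Sort-Object Count -Descending |
  Select-Object Count, @{ n = 'Process'; e = { $_.Group[0].Process } },
                       @{ n = 'Mitigation'; e = { $_.Group[0].Mitigation } } | Format-Table -AutoSize
```

Run it from an elevated PowerShell after reproducing the crash, and a process that hit a block mitigation shows up as a row with a low count next to the noisy win32k audit rows.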
Windows 10 Forums