Windows 10: Does Windows Defender Exploit Protection log anywhere?


  1. Posts : 68
    Windows 9 (aka Windows 10)
       01 Nov 2017 #1

    Does Windows Defender Exploit Protection log anywhere?


    I've used EMET quite a bit in the past. I recently started using the Fall Creators Update "Exploit Protection" feature. I have the settings as aggressive as possible, and I'm not changing them. This post is not asking what Exploit Protection settings I should use. The settings in place are not a big problem, but they do require me to configure program exclusions as needed, because certain programs require certain exploit protection functions to be disabled in order to run.

    With EMET, every time a process was terminated due to running afoul of its protection settings, a log entry would be written, and it was possible to check Event Viewer and clearly see why EMET killed the process. But with Exploit Protection, I can't find any such log entry, even under Windows Defender's logs.

    Do such log entries get written at all? If so, where are they?


  3. Posts : 68
    Windows 9 (aka Windows 10)
    Thread Starter
       03 Nov 2017 #3

    You would think so, but those logs don't seem to capture the Exploit Protection events I'm interested in. I just changed an EP setting to purposely make it crash an application, and there's no log entry of it anywhere that I can see. I have about a billion instances of "chrome.exe was blocked from making system calls to Win32k.sys" in Security-Mitigations, though.

    Thank you for the reply nonetheless. I will keep looking.


  4. Posts : 10,773
    Windows 10 (Pro and Insider Pro)
       05 Nov 2017 #4

    meh said:
    You would think so, but those logs don't seem to capture the Exploit Protection events I'm interested in. I just changed an EP setting to purposely make it crash an application, and there's no log entry of it anywhere that I can see. I have about a billion instances of "chrome.exe was blocked from making system calls to Win32k.sys" in Security-Mitigations, though.

    Thank you for the reply nonetheless. I will keep looking.
    One thing I've just noticed: if you downloaded their XML files to make custom filters, the file for exploit protection events is bogus; it's a copy of the network protection events file.

    Create the rule manually, like the code on the site: list-of-all-windows-defender-exploit-guard-events

    <QueryList>
    <Query Id="0" Path="Microsoft-Windows-Security-Mitigations/KernelMode">
    <Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    <Select Path="Microsoft-Windows-Win32k/Concurrency">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    <Select Path="Microsoft-Windows-Win32k/Contention">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    <Select Path="Microsoft-Windows-Win32k/Messages">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    <Select Path="Microsoft-Windows-Win32k/Operational">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    <Select Path="Microsoft-Windows-Win32k/Power">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    <Select Path="Microsoft-Windows-Win32k/Render">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    <Select Path="Microsoft-Windows-Win32k/Tracing">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    <Select Path="Microsoft-Windows-Win32k/UIPI">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    <Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
    </Query>
    </QueryList>
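The PowerShell script below is an added example for this thread; it is not code from any of the posters or from Microsoft. It answers the original question in a way the custom view above cannot: it reads the two Security-Mitigations channels the view selects (KernelMode and UserMode, event IDs 1 to 24), rolls the events up per process and ID, and then lists Application Error 1000 crashes for the same window, because mitigations that have no audit mode (DEP, mandatory ASLR and the like) do not write a mitigation event at all; the process is simply terminated and the only trace is the crash record. Assumptions, labelled in the comments: the process path is found by looking for the first event-data value that ends in `.exe` (the field names differ between event IDs), and the positions of the faulting-application and exception-code fields in event 1000 are taken from the usual layout of that event rather than from a documented contract. The script name `Get-ExploitProtectionEvents.ps1` is mine. Run it from an elevated prompt so the KernelMode channel is readable.

```powershell
<#
 Get-ExploitProtectionEvents.ps1 (added example, not from the thread)
 Summarise Windows Defender Exploit Protection events and correlate them with crashes.
 Channel names and the 1..24 ID range come from the custom-view XML in the thread;
 the process-path heuristic and the event 1000 field positions are assumptions.
#>
param(
    [string]$Process = '*',     # e.g. 'chrome.exe'; '*' keeps every process
    [int]$Hours = 24,           # how far back to look
    [switch]$ShowMitigations    # also dump the effective mitigations for -Process
)

$since    = (Get-Date).AddHours(-$Hours)
$channels = @(
    'Microsoft-Windows-Security-Mitigations/KernelMode',
    'Microsoft-Windows-Security-Mitigations/UserMode'
)

function Get-EventFields {
    # Turn an event's <EventData> into an ordered Name -> value table.
    # Unnamed <Data> elements are numbered Data0, Data1, ... in document order.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = [ordered]@{}
    $i = 0
    foreach ($d in $xml.Event.EventData.ChildNodes) {
        $name = if ($d.HasAttribute('Name')) { $d.GetAttribute('Name') } else { "Data$i" }
        $fields[$name] = $d.InnerText
        $i++
    }
    return $fields
}

# 1. Mitigation events (audit and enforce) from both channels.
#    Get-WinEvent throws "No events were found" on an empty channel, hence SilentlyContinue.
$mitigation = foreach ($ch in $channels) {
    Get-WinEvent -FilterHashtable @{ LogName = $ch; Id = 1..24; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        # Assumption: the target process appears as some path ending in .exe.
        $path = $f.Values | Where-Object { "$_" -match '\.exe$' } | Select-Object -First 1
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Channel = ($_.LogName -split '/')[-1]
            Id      = $_.Id
            Process = if ($path) { Split-Path -Leaf $path } else { '?' }
            Summary = ($_.Message -split '\r?\n')[0]   # first line of the rendered message
        }
    }
}

# 2. Crashes that never produce a mitigation event: Application Error event 1000.
#    Assumption: Properties[0] is the faulting application, Properties[6] the exception code.
$crashFilter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $since
}
$crashes = Get-WinEvent -FilterHashtable $crashFilter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $code = if ($_.Properties.Count -gt 6) { "$($_.Properties[6].Value)".ToLower() } else { '' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $_.Properties[0].Value
            Code    = $code
            Hint    = switch ($code) {
                'c0000005' { 'access violation (what a DEP or ASLR induced fault looks like)' }
                'c0000409' { 'fail-fast, e.g. a CFG or stack-cookie violation' }
                default    { '' }
            }
        }
    }

# 3. Report: counts per process / channel / event ID, then the crash list.
$mitigation | Where-Object { $_.Process -like $Process } |
    Group-Object Process, Channel, Id | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Process, Channel, Id'; e = { $_.Name } },
                  @{ n = 'Summary';              e = { $_.Group[0].Summary } } |
    Format-Table -AutoSize -Wrap

$crashes | Where-Object { $_.Process -like $Process } | Format-Table -AutoSize -Wrap

if ($ShowMitigations -and $Process -ne '*') {
    # Effective per-process settings (ProcessMitigations module, Windows 10 1709 and later).
    Get-ProcessMitigation -Name $Process
}
```

Typical use is `.\Get-ExploitProtectionEvents.ps1 -Process chrome.exe -Hours 48 -ShowMitigations`. Two things to keep in mind when reading the output: the noisy "blocked from making system calls to Win32k.sys" entries mentioned earlier in the thread are ordinary Security-Mitigations events and will dominate the first table for a browser, so filter on -Process and sort by Count; and a process that dies with no entry in the first table but a `c0000005` or `c0000409` crash in the second was most likely stopped by a mitigation that has no audit mode, which is exactly the EMET-style log line Exploit Protection does not give you. For the mitigations that do have an audit variant, switching a single program to it (for example `Set-ProcessMitigation -Name app.exe -Enable AuditDynamicCode`) writes the audit event without terminating the process, which is the cleanest way to confirm which setting an exclusion is actually needed for.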

