Does Windows Defender Exploit Protection log anywhere?


  1. meh
    Posts : 69
    Windows 9 (aka Windows 10)
       #1

    Does Windows Defender Exploit Protection log anywhere?


    I've used EMET quite a bit in the past. I recently started using the Fall Creators Update "Exploit Protection" feature. I have the settings as aggressive as possible, and I'm not changing them. This post is not asking what Exploit Protection settings I should use. The settings in place are not a big problem, but they do require me to configure program exclusions as needed, because certain programs require certain exploit protection functions to be disabled in order to run.

    With EMET, every time a process was terminated due to running afoul of its protection settings, a log entry would be written, and it was possible to check Event Viewer and clearly see why EMET killed the process. But with Exploit Protection, I can't find any such log entry, even under Windows Defender's logs.

    Do such log entries get written at all? If so, where are they?


  2. Posts : 30,591
    Windows 10 (Pro and Insider Pro)
       #2


  3. meh
    Posts : 69
    Windows 9 (aka Windows 10)
    Thread Starter
       #3

    You would think so, but those logs don't seem to capture the Exploit Protection events I'm interested in. I just changed an EP setting to purposely make it crash an application, and there's no log entry of it anywhere that I can see. I have about a billion instances of "chrome.exe was blocked from making system calls to Win32k.sys" in Security-Mitigations, though.

    Thank you for the reply nonetheless. I will keep looking.


  4. Posts : 30,591
    Windows 10 (Pro and Insider Pro)
       #4

    meh said:
    You would think so, but those logs don't seem to capture the Exploit Protection events I'm interested in. I just changed an EP setting to purposely make it crash an application, and there's no log entry of it anywhere that I can see. I have about a billion instances of "chrome.exe was blocked from making system calls to Win32k.sys" in Security-Mitigations, though.

    Thank you for the reply nonetheless. I will keep looking.
    One thing I've just noticed: if you downloaded their XML files to make custom filters, the file for exploit protection events is bogus; it's a copy of the network protection events file.

    Create the rule manually, like the code on the site: list-of-all-windows-defender-exploit-guard-events

    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Security-Mitigations/KernelMode">
        <Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Concurrency">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Contention">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Messages">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Operational">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Power">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Render">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/Tracing">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Win32k/UIPI">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
        <Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
      </Query>
    </QueryList>
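The custom view above is built in Event Viewer by hand. The same Security-Mitigations filter can be run from PowerShell and summarised per process and mitigation, which makes it much quicker to see which program tripped which setting before adding a program exclusion. The script below is an added example and is not code posted in this thread. It assumes: the event-ID-to-mitigation names from Microsoft's exploit protection event reference for the Security-Mitigations provider (odd IDs audit, even IDs block); that the process path sits in EventData under a field named ProcessPath or TargetProcessPath (an assumption, with a fallback to the executable name in the message text, as in "chrome.exe was blocked from making system calls to Win32k.sys"); and that a process terminated by a mitigation may only show up as an Application Error event 1000 in the Application log, which is offered as a cross-check for the thread starter's "no log entry anywhere" case rather than something the thread confirms.

```powershell
# Added example, not from the thread: list Exploit Protection audit/block events
# from the Security-Mitigations logs and summarise them per process and mitigation.
# Run from an elevated PowerShell on Windows 10 1709+ (Fall Creators Update).

# Event ID -> mitigation, per Microsoft's exploit protection event reference for
# the Microsoft-Windows-Security-Mitigations provider (odd = audit, even = block).
$MitigationById = @{
    1  = 'ACG (audit)';                          2  = 'ACG (block)'
    3  = 'Do not allow child processes (audit)'; 4  = 'Do not allow child processes (block)'
    5  = 'Block low integrity images (audit)';   6  = 'Block low integrity images (block)'
    7  = 'Block remote images (audit)';          8  = 'Block remote images (block)'
    9  = 'Disable win32k system calls (audit)';  10 = 'Disable win32k system calls (block)'
    11 = 'Code integrity guard (audit)';         12 = 'Code integrity guard (block)'
    13 = 'EAF (audit)';                          14 = 'EAF (block)'
    15 = 'EAF+ (audit)';                         16 = 'EAF+ (block)'
    17 = 'IAF (audit)';                          18 = 'IAF (block)'
    19 = 'ROP StackPivot (audit)';               20 = 'ROP StackPivot (block)'
    21 = 'ROP CallerCheck (audit)';              22 = 'ROP CallerCheck (block)'
    23 = 'ROP SimExec (audit)';                  24 = 'ROP SimExec (block)'
}

# Same XPath filter the thread's custom view uses, restricted to the two logs
# the Security-Mitigations provider actually writes to.
$query = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Security-Mitigations/KernelMode">
    <Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations'] and (EventID &gt;= 1 and EventID &lt;= 24)]]</Select>
    <Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations'] and (EventID &gt;= 1 and EventID &lt;= 24)]]</Select>
  </Query>
</QueryList>
"@

function Get-ExploitProtectionEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Get-WinEvent throws "No events were found" on an empty result; treat that as empty.
    $events = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $since }

    foreach ($e in $events) {
        $process = $null
        # ASSUMPTION: EventData carries the process path under one of these names.
        [xml]$x = $e.ToXml()
        $data = $x.Event.EventData.Data
        foreach ($name in 'ProcessPath', 'TargetProcessPath') {
            $hit = $data | Where-Object { $_.Name -eq $name } | Select-Object -First 1
            if ($hit -and $hit.'#text') { $process = $hit.'#text'; break }
        }
        # Fallback: the message text names the binary, e.g.
        # "chrome.exe was blocked from making system calls to Win32k.sys".
        if (-not $process -and $e.Message -match '(?i)([\w.-]+\.exe)') { $process = $Matches[1] }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Log        = $e.LogName
            EventId    = $e.Id
            Mitigation = if ($MitigationById.ContainsKey($e.Id)) { $MitigationById[$e.Id] } else { "Unknown ($($e.Id))" }
            Process    = if ($process) { [IO.Path]::GetFileName($process) } else { '?' }
        }
    }
}

# Cross-check for the "I made it crash and nothing was logged" case: a process
# killed outright by a mitigation may leave only an Application Error (ID 1000)
# in the Application log, which the Security-Mitigations filter does not cover.
function Get-AppCrashEvents {
    param([Parameter(Mandatory)][string]$ProcessName, [int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ProcessName) } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: which process tripped which mitigation, most frequent first.
$hits = Get-ExploitProtectionEvents -Days 7
$hits | Group-Object Process, Mitigation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# For a program that keeps showing up, compare the events against what is
# actually configured for it before deciding on an exclusion:
#   Get-ProcessMitigation -Name chrome.exe
#   Get-AppCrashEvents -ProcessName chrome.exe
```

The per-process summary is the quickest way to tell a mitigation that is merely noisy in audit mode (odd event IDs) from one that is actually blocking (even IDs); only the latter needs a program exclusion, and checking Get-ProcessMitigation for that program shows whether the setting came from the system default or a per-program override.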


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd