• ASR – unexpected items in event viewer

    #2468498

    I have enabled ASR and used the GUI tool to turn on the checks as per a recent newsletter. I can confirm that all would appear to be working well as I have had some prompts about programs that are blocked and do not run. I am happy with that, and I know how to add entries to enable these programs to work as expected and that is all OK too.

    I am still seeing entries in the event log like:


    Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator

    Path : C:\Windows\System32\taskhostw.exe
    ProcessName : C:\Windows\System32\lsass.exe
    TargetCommandline : taskhostw.exe -RegisterDevice -Periodic

    I post the above as it is an MS process and I wonder why it is being flagged. I have also had items for the Macrium backup program that say the same thing, but nothing seems to be going wrong with the backups, so why the entry?

    I now have a little PowerShell script to process these event log entries so I can decide what to do. Adding entries to allow something to happen is a trivial addition, but I wanted to understand a bit more first.

    The rule they fall foul of is:

    Block credential stealing from the Windows local security authority subsystem (lsass.exe)

    So what credentials are they trying to access, and should they be accessing lsass.exe?

    • This topic was modified 2 years, 8 months ago by PKCano.
    • #2469549

      This is a Win 11 only issue (not showing up in Win 10). The Macrium issue has been fixed and will be released in an update (I beta tested it for them). I’m still on Win 11 22000.795, could be fixed in this month’s updates? I need to do a feedback hub report for this (I am excited about earth slow down so I can get extra nano seconds to do MS bug reporting ;^)).

    • #2470344

      The Macrium issue fix caused my system to crash – I am beta testing that fix today.

      After this month’s updates I see only Dropbox events, but it’s early days at the moment.

    • #2473954

      I have now completed a beta version of a PowerShell script that will allow anyone to interrogate their system to see what ASR or Controlled Folder events have been generated in the event log. The output is (I think) a little more legible.

      The user can then decide to add or remove ASR exclusions or Controlled Folder Allowed Applications based on the event log items found.

      The user can also add or remove ASR Rules and Controlled Folders.

      There are (where applicable) methods to select items of interest and the date of items extracted from the event log.

      The script runs as a non-administrative user BUT will need administrative access to add and remove items from Microsoft’s Defender configuration. The user can display the script that will run the Defender configuration commands before it asks for the admin username/password.

      Anyone interested?
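The workflow described in the opening post and in this reply (read the ASR and Controlled Folder Access events out of the Defender log, see which rule and which path they concern, then decide on an exclusion and run the change elevated) sketched as an added PowerShell example. This is not the poster's script and not Microsoft's code. What it assumes: the Defender Operational log event IDs 1121/1122 (ASR block/audit) and 1123/1124 (CFA block/audit); the EventData field names `ID`, `Path`, `Process Name`, `Target Commandline` and `User` as they appear in the event XML; and a partial GUID-to-name table for ASR rules, the lsass rule being 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2. Check the field names and GUIDs against the current Microsoft documentation for your build before relying on them.

```powershell
# Added example, not the poster's script. Assumed: event IDs, EventData field
# names and the (partial) rule GUID table below; verify against Microsoft's docs.

# ASR rule GUID -> name, for the rules most likely to show up in a home setup.
$AsrRuleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}

# Event IDs written to Microsoft-Windows-Windows Defender/Operational.
$EventKinds = @{ 1121 = 'ASR block'; 1122 = 'ASR audit'; 1123 = 'CFA block'; 1124 = 'CFA audit' }

function Get-DefenderBlockEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int[]]$Id = @(1121, 1122, 1123, 1124)
    )
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $Id
        StartTime = $Since
    }
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of
        # scraping the rendered message, which changes with locale.
        $data = @{}
        $xml = [xml]$e.ToXml()
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = if ($data['ID']) { $data['ID'].Trim('{}').ToLower() } else { $null }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Kind        = $EventKinds[$e.Id]
            Rule        = if ($ruleId -and $AsrRuleNames.ContainsKey($ruleId)) { $AsrRuleNames[$ruleId] } else { $ruleId }
            Path        = $data['Path']
            Process     = $data['Process Name']
            CommandLine = $data['Target Commandline']
            User        = $data['User']
        }
    }
}

function Show-DefenderBlockSummary {
    # One row per (kind, rule, blocked path) with a hit count, most frequent first.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-DefenderBlockEvents -Since $Since |
        Group-Object Kind, Rule, Path |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Kind, Rule, Path'; e = { $_.Name } }
}

function New-ExclusionCommand {
    # Build the Defender cmdlet text without running it, so it can be reviewed first.
    # Caveat: an AttackSurfaceReductionOnlyExclusions entry exempts that path from
    # every ASR rule, not just the one that fired. For the lsass rule that means the
    # excluded binary may read lsass memory, so exclude only what you truly trust.
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('ASR', 'CFA')][string]$Kind = 'ASR',
        [switch]$Remove
    )
    $verb  = if ($Remove) { 'Remove-MpPreference' } else { 'Add-MpPreference' }
    $param = if ($Kind -eq 'ASR') { 'AttackSurfaceReductionOnlyExclusions' } else { 'ControlledFolderAccessAllowedApplications' }
    $quoted = $Path.Replace("'", "''")   # escape single quotes for the literal string
    "$verb -$param '$quoted'"
}

function Invoke-Elevated {
    # Show exactly what will run before the UAC/credential prompt appears, then run
    # it in an elevated PowerShell via -EncodedCommand so quoting survives intact.
    param([Parameter(Mandatory)][string]$Command)
    Write-Host "About to run elevated:`n  $Command"
    if ((Read-Host 'Proceed? (y/N)') -ne 'y') { return }
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait `
        -ArgumentList '-NoProfile', '-EncodedCommand', $encoded
}

# Example session: review the last 30 days as a standard user, then decide.
Show-DefenderBlockSummary -Since (Get-Date).AddDays(-30) | Format-Table -AutoSize
# Only after deciding a path is legitimate and the trade-off is acceptable
# (placeholder path, replace with the one from the summary):
# Invoke-Elevated (New-ExclusionCommand -Path 'C:\Path\To\Trusted.exe' -Kind ASR)
```

The summary is deliberately grouped by rule and path rather than listed event by event: a Windows component such as taskhostw.exe tripping the lsass rule many times a day is a different decision from a backup tool tripping it once, and the count makes that visible before any exclusion is written. `Get-MpPreference` shows the current `AttackSurfaceReductionOnlyExclusions` and `ControlledFolderAccessAllowedApplications` lists if you want to confirm what the elevated command changed.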
