Controlled Folder Access issue

Topic

New Reply

Recently, everytime I start either my desktop or laptop, I get a notification that Controlled folder Access has blocked access to \Device\CdRom0. This just started a couple of weeks ago. I have searched to try to figure out what it is but haven’t found anything. I rarely ever use the CD/DVD drive, and haven’t in a long while. Wondering if anyone could shed some light on it.

Reply | Quote

Replies

You should be able to discover which app or process tried to access the CD/DVD drive by going to Settings, Update & Security, Windows Security, Virus & threat protection, Manage ransomware protection (on bottom line), Block history, Protected folder access blocked (for the appropriate date/time) and then Yes to the UAC prompt to view the app.

Reply | Quote

It is svchost.exe that is blocked. Don’t understand why all of the sudden it is happening. I’ve run full scans with Defender and nothing bad has been found.

Reply | Quote

I have also had to add svchost.exe to the allowed folders for Controlled Folder Access along with the Volume Shadow Copy Service and Searchindexer.exe. All of these have been added since late October. There’s another thread dealing with this subject as well, titled “App blocked by Windows“.

Given that probably several folks are having similar issues with normal everyday apps suddenly being blocked by Controlled Folder Access, I believe that we may be experiencing a change in the definitions for Microsoft Defender (formerly known as Windows defender) that have been promulgated by Microsoft. It would be nice to get such confirmation from MS, but I somehow doubt we will. 

Like others, upon first noticing the behavior, I ran a full scan with Defender followed by its offline scan to check for rootkits. Both came back clean. I also ran a couple of scans with Malwarebytes, both the default Threat scan and a custom scan of the entire C: drive to check for nasties. Both of those came back clean.

I also ran a scan using MS’s offline downloadable scanner called MSERT, which took just over an hour on an NVMe SSD with 50 gigs of folders/files/data on it. That also came up clean. When I ran the scan with it, the tool had just been updated within a few hours, so its definitions were fairly current.

Reply | Quote

My peers that use that feature report the same behavior.  I’ll see if I can get some better info.  You might also want to use the tool process explorer (sysinternals tool) as that may give better info as well.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Bob99

Reply | Quote

[Bob99]

Appreciate the background, at least we’re not alone.

I’m kind of surprised there haven’t been more reports of the behavior on AskWoody besides what’s in this thread and the other one I mentioned above.

Given that Controlled Folder Access is at the root of the ransomware protection for Defender, a change in its detection of certain core Windows processes/executables would’ve been nice to know about to avoid having anyone getting excessively worried about the new alert(s) being received.

I’d forgotten about the Sysinternals suite’s tools that can be rather handy for this type of exploration, so thanks for the reminder!

• This reply was modified 3 years, 5 months ago by Bob99.

Reply | Quote

I appreciate the responses, glad to see I’m not alone. This issues happens every time I startup either the laptop or desktop. After it boots up, I get the notification that Controlled Folder Access has blocked svchost.exe from accessing \Device\CdRom0.

Hopefully Susan or others can get to the bottom of it. I will look into using process explorer. I DON’T think it is anything to be worried about, but it would nice to be SURE it wasn’t.

Reply | Quote