Is it possible to obtain a list of programs that Windows has denied access to a protected folder? I recently enabled Ransomware protection in Windows Defender and added certain folders to the Controlled Folder Access list. I’ve added the legitimate versions of git.exe and syncthing.exe located in C:/Program Files to the Allowed App list, but I continue to receive notifications that Windows has blocked attempts to access files in protected folders by C:/Users/…/git.exe and C:/Users/…/syncthing.exe. The ellipsis in the file path obscures most of the information, making it difficult to determine which copy of git.exe is trying to access the files.
The user interface for Ransomware protection does not allow for efficient adding of each file individually, and this could potentially be exploited by attackers using malicious files named git.exe to gain access. Is there a way to view the full file path of the blocked program, especially after the notification has disappeared from the screen?
I have checked the Windows event log and did not find anything relevant.
3 Answers
Introduction
Windows Defender is a built-in antivirus program that protects the Windows operating system from malware, viruses, and other threats. It also has a feature called Ransomware protection that prevents unauthorized applications from accessing protected folders. This feature is essential in preventing ransomware attacks where attackers encrypt files and demand a ransom to release them. However, the Ransomware protection feature can sometimes block legitimate applications from accessing files in protected folders, causing inconvenience to the user. In this blog post, we will explore whether it is possible to obtain a list of programs that Windows has denied access to a protected folder.
Understanding Controlled Folder Access
Controlled Folder Access is a feature in Windows Defender that protects folders from unauthorized access. It works by allowing only trusted applications to access files in protected folders. When an application attempts to access a file in a protected folder, Controlled Folder Access checks if the application is on the Allowed App list. If the application is not on the list, Controlled Folder Access blocks the application from accessing the file and generates a notification.
The Allowed App list contains applications that are trusted to access files in protected folders. By default, Windows Defender adds some applications to the Allowed App list, such as Windows processes and Microsoft Office applications. However, users can also add their own applications to the list, such as backup programs, synchronization tools, and development environments.
Viewing Blocked Programs
When Controlled Folder Access blocks an application from accessing a file in a protected folder, it generates a notification that appears on the screen. The notification contains the name of the blocked application and the path of the file it attempted to access. However, the path displayed in the notification is truncated, making it difficult to determine which copy of the application is trying to access the file.
To view the full path of the blocked application, you can use the Windows Event Viewer. The Event Viewer is a tool that displays detailed information about system events, including security events such as blocked applications. To view blocked applications in the Event Viewer, follow these steps:
1. Open the Start menu and search for Event Viewer.
2. In the Event Viewer window, navigate to Windows Logs > Security.
3. In the Security log, look for events with ID 4657. These events indicate that an application was blocked from accessing a file in a protected folder.
4. Double-click the event to view its details.
5. In the General tab, look for the Object Name field. This field contains the full path of the blocked file.
6. In the Message tab, look for the Process Information section. This section contains the name and process ID of the blocked application.
Using the Event Viewer, you can obtain the full path of the blocked application and the file it attempted to access. This information can help you determine whether the application is legitimate or malicious and whether it should be added to the Allowed App list.
Adding Programs to the Allowed App List
To add an application to the Allowed App list, follow these steps:
1. Open Windows Security by clicking the shield icon in the taskbar or searching for it in the Start menu.
2. Click Virus & threat protection.
3. Under Ransomware protection, click Manage ransomware protection.
4. Under Controlled folder access, click Allow an app through Controlled folder access.
5. Click Add an allowed app and select the application you want to add.
6. Click Open and then click Add.
After adding an application to the Allowed App list, it can access files in protected folders without being blocked by Controlled Folder Access.
Conclusion
In conclusion, Controlled Folder Access is a useful feature in Windows Defender that protects folders from unauthorized access. However, it can sometimes block legitimate applications from accessing files in protected folders, causing inconvenience to the user. By using the Windows Event Viewer, users can obtain the full path of the blocked application and the file it attempted to access. This information can help users determine whether the application is legitimate or malicious and whether it should be added to the Allowed App list. Adding applications to the Allowed App list is a simple process that ensures that trusted applications can access files in protected folders without being blocked by Controlled Folder Access.
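An added PowerShell example, not part of the answer above, that reads Controlled folder access events and reports each blocked executable's untruncated path together with its Authenticode status. It assumes the events are recorded in the Microsoft-Windows-Windows Defender/Operational log as ID 1123 (blocked) and 1124 (audit mode) and that the event data fields are named 'Process Name' and 'Path'; the function names are hypothetical.

```powershell
# Added example, not from the original answers.
# Assumption: CFA events are ID 1123 (blocked) / 1124 (audit) in this log.
$CfaLog = 'Microsoft-Windows-Windows Defender/Operational'

function Get-CfaEvent {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = $CfaLog; Id = 1123, 1124 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Turn <Data Name="...">value</Data> elements into a lookup table.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $name = $d.GetAttribute('Name')
                if ($name) { $fields[$name] = $d.InnerText }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audit' }
                # Assumed field names; dump $_.ToXml() to confirm on your build.
                Process = $fields['Process Name']
                Target  = $fields['Path']
            }
        }
}

function Get-CfaBlockedAppSummary {
    # One row per distinct executable path, so two copies of git.exe
    # in different directories show up as separate entries.
    Get-CfaEvent | Where-Object Process | Group-Object Process | ForEach-Object {
        $exe = $_.Name
        $sig = $null
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
        }
        [pscustomobject]@{
            Process  = $exe
            Hits     = $_.Count
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            SigState = if ($sig) { $sig.Status } else { 'file not found' }
            Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    } | Sort-Object Hits -Descending
}

Get-CfaBlockedAppSummary | Format-List
```

Allow-listing by the full path shown here, after checking the signer, avoids trusting an unrelated binary that merely shares the name git.exe.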
Yes, it is possible to obtain a list of programs that Windows has denied access to a protected folder. To do this, you can use the Controlled Folder Access feature in Windows Defender to view a list of blocked apps.
To view the list of blocked apps:
- Open Windows Defender Security Center.
- Click on the “Virus & threat protection” option.
- Under “Ransomware protection,” click on the “Manage ransomware protection” option.
- Click on the “Protected folders” option.
- Under the “Blocked apps” section, you will see a list of apps that have been blocked from accessing the protected folders.
If you want to see the full file path of a blocked app, you can right-click on the app and select “Properties.” This will open the Properties window for the app, which will show the full file path.
If you are unable to find the app in the list of blocked apps, you can try searching for it in the Windows event log. To do this:
- Press the Windows key + R to open the Run dialog.
- Type “eventvwr.msc” and press Enter.
- In the Event Viewer window, expand the “Windows Logs” folder on the left side of the window.
- Click on the “Security” log.
- In the “Filter Current Log” window, enter the name of the app (e.g. “git.exe”) in the “Event sources” field and click “OK.”
This should show any events related to the app in the Security log. If you find an event related to the app being blocked, you can double-click on the event to view more details, including the full file path of the app.
To view the list of recently blocked apps in Windows Defender:
- Go to Windows Defender settings.
- Click on the “Add an allowed app” button.
- Click on the “Recently blocked apps” option.
Alternatively, to view the list of recently blocked apps in Windows Defender using a Command Prompt, you can use the following command:
C:\> wmic /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
This will show you a list of all antivirus products installed on your system, including Windows Defender.
To view the list of allowed and blocked apps in Windows Defender, you can use the following command:
C:\> wmic /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName,securityProviderUpdates
This will show you the list of allowed and blocked apps for each antivirus product installed on your system.
Keep in mind that these commands require administrative privileges to run.