How do I find exploit mitigation audit logs?

dax_951 0 Reputation points
2023-02-20T01:30:23.5466667+00:00

I am currently trying to get a program to work with exploit mitigations enabled on Windows 11 Home (version 22H2). I have attempted to use audit mode on all applicable mitigations (e.g. CFG and ACG) and Windows Event Viewer (under Security-Mitigations) to identify which mitigations are preventing me from running said program. However, when I run said program, there are no events showing up in Event Viewer. How should I identify which mitigation options are interfering?


2 answers

  1. Limitless Technology 44,751 Reputation points
    2023-02-20T12:32:38.9733333+00:00

    Hello there,

    The documentation says that to review which apps would have been blocked, you open Event Viewer and filter for the events in the Security-Mitigations log. But as you are not getting any events, I would suggest that you check with other tools.

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. You can get the tool from here https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

    System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. You can get the tool from here https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

    Troubleshoot exploit protection mitigations https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-exploit-protection-mitigations?view=o365-worldwide

    Hope this resolves your query!

    --If the reply is helpful, please upvote and accept it as an answer--


  2. Limitless Technology 44,751 Reputation points
    2023-02-20T12:32:48.02+00:00

    Double post

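The Event Viewer check discussed in the question and the first answer can also be done from PowerShell, which confirms that the per-program audit settings were actually applied and that the Security-Mitigations channels exist and are enabled before searching them. This is an added example, not part of either post; `program.exe` is a placeholder for the executable under test, `Get-MitigationAuditEvents` is a helper defined here, and the script assumes an elevated PowerShell session.

```powershell
# Placeholder: replace with the executable name of the program under test.
$TargetExe = 'program.exe'

# The two channels Event Viewer shows under
# Applications and Services Logs > Microsoft > Windows > Security-Mitigations.
$Channels = 'Microsoft-Windows-Security-Mitigations/KernelMode',
            'Microsoft-Windows-Security-Mitigations/UserMode'

function Get-MitigationAuditEvents {
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    foreach ($channel in $Channels) {
        # A missing or disabled channel explains an empty view on its own.
        $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
        if (-not $log) { Write-Warning "Channel not found: $channel"; continue }
        if (-not $log.IsEnabled) { Write-Warning "Channel is disabled: $channel" }

        # Get-WinEvent raises an error when nothing matches; treat that as "no events".
        Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $Since } `
                     -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$ProcessName*" } |
            Select-Object TimeCreated, Id, LevelDisplayName, LogName,
                @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

# 1. Show the per-program mitigation settings, including the Audit values,
#    to confirm audit mode was saved for this executable name.
Get-ProcessMitigation -Name $TargetExe

# 2. Start the program, reproduce the failure, then list matching audit events.
Get-MitigationAuditEvents -ProcessName $TargetExe |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```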