
CONTROLLED FOLDER ACCESS BLOCKS EVERYTHING!

Anonymous
2021-09-06T19:55:24+00:00

For the past couple of days I've been getting notifications telling me that controlled folder access has blocked unauthorized changes from making changes (attached a screenshot of some of the blocked ones). The problem is most of these blocked ones are system processors (everything located in windows/system32 or windows/temp). Is this happening because of a virus or malware or something like that? Can I give access to these things through CFA? What should I do to fix this issue?

Windows for home | Windows 10 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


Answer accepted by question author

  1. Anonymous
    2021-09-06T21:02:23+00:00

    Hi Ayanga,

    I'm Paul and I'm here to help you with your concern.

    Yes, I think it's okay to allow access to these apps/processes through the Controlled Folder Access since they are legit Windows System components.

    Anyway, it’s very unlikely, but it’s possible that malware has replaced/renamed the real Windows component with an executable of its own, so if you still want to be certain I suggest that you check these files (runtimebroker.exe, svchost.exe) in Task Manager. Right-click the process and choose the “Open File Location” option. If the file is stored in your Windows\System32 folder then we can be sure that it's the legit file.

    I hope this helps. Feel free to ask back any questions and keep me posted.

    3 people found this answer helpful.

1 additional answer

  1. Rob Koch 25,875 Reputation points Volunteer Moderator
    2021-09-07T14:37:18+00:00

    In general there's no good reason to ever allow something CFA has blocked access, that is unless it's either causing an obvious problem with the operation of an app (e.g. error message or program failure) or more likely, the blocking action by CFA continues repeatedly and won't stop until the action is allowed.

    The reason for this is that CFA entries are telling you about something that's already been blocked, so allowing won't do any good unless the operation is attempted again.

    Looking at the CFA log entries you've listed, most likely occurred during either a Windows or application update process, which are the most common items CFA blocks and also why they often won't occur again, at least until the next update cycle tries the same action if the developer involved hasn't "fixed" their usually improper access to a protected folder.

    CFA is badly understood, since it's really nothing more than a "dumb" blocker, stopping anything trying to write to critical folders that should never be written to under most circumstances. The reason for this is that most of these folders have ended up being abused by ransomware or other malware, since they are writable by default, but Microsoft has been trying to get developers to stop using them for years so they can simply block the ability for anything to write to them other than by the operating system itself.

    I've never allowed any of the CFA warnings I've gotten and never had a true problem as a result.

    Rob

    3 people found this answer helpful.
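
The checks described in the two answers (where the blocked executable lives, and whether the same block keeps repeating) can be run from an elevated PowerShell prompt. This is an added example, not part of either answer; it goes one step further by also reporting the file's signature status. It assumes Defender's operational log records each CFA block as event ID 1123 and that the blocked executable's path is in the event's `Process Name` field.

```powershell
# Added example: summarise Controlled folder access (CFA) blocks per process.
# Run elevated on the affected machine; nothing here changes any setting.
$logName = 'Microsoft-Windows-Windows Defender/Operational'
$sys32   = Join-Path $env:windir 'System32'

# Event ID 1123 = CFA blocked a write to a protected folder.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1123 } `
                       -ErrorAction SilentlyContinue

$blocked = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    # Assumption: the blocked executable is stored in the 'Process Name' field.
    $proc = ($data | Where-Object { $_.Name -eq 'Process Name' }).'#text'
    if ($proc) {
        [pscustomobject]@{ Time = $e.TimeCreated; Process = $proc }
    }
}

$blocked | Group-Object Process | ForEach-Object {
    $path = $_.Name
    # The file may be gone already (for example an updater run from Windows\Temp).
    $sig = $null
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
    }
    [pscustomobject]@{
        Process     = $path
        Blocks      = $_.Count   # a count that keeps growing means a repeating block
        LastBlocked = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        InSystem32  = $path.StartsWith("$sys32\",
                          [System.StringComparison]::OrdinalIgnoreCase)
        Signature   = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer      = if ($sig -and $sig.SignerCertificate) {
                          $sig.SignerCertificate.Subject
                      } else { '' }
    }
} | Sort-Object Blocks -Descending | Format-List

# Applications already on the CFA allow list, for comparison.
(Get-MpPreference).ControlledFolderAccessAllowedApplications
```

An entry with a single old block matches the update-time pattern described above, while a high and still-growing count is the repeating case.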