ConfigureDefender utility for Windows 10/11

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
I keep getting this block now Andy, anything to worry about? I assume it's because I'm using the Interactive setting? Thanks.

Event[0]:
Time Created : 2024-10-25 7:46:09 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-25T12:46:09.878Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\taskhostw.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline: taskhostw.exe -RegisterDevice -SettingChange
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.704.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9
FWIW, I also use Interactive mode and I've started getting these warnings today (5x so far) for no apparent reason. I don't recall ever seeing this warning before. W10, fully patched. I'm guessing it could be a bug on MS end.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
FWIW, I also use Interactive mode and I've started getting these warnings today (5x so far) for no apparent reason. I don't recall ever seeing this warning before. W10, fully patched. I'm guessing it could be a bug on MS end.
Did you recently install some new applications or Windows updates?
You have the same event (CmdLine: taskhostw.exe -RegisterDevice -SettingChange) as @Digmor Crusher, so either you shared the same malware or it is a false positive. :)
 

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
Did you recently install some new applications or Windows updates?
You have the same event (CmdLine: taskhostw.exe -RegisterDevice -SettingChange) as @Digmor Crusher, so either you shared the same malware or it is a false positive. :)
The only thing I had installed recently was a digitally signed font (Newsreader) with SHA-256 of 8a08d13f8a6c0d51be379a60af84f945f65369a67e509ee3c3bdcc421254d7c1 and 796668611f80b64d5adf182fde3b6f29ed83b4e7cbec7b96937e84ac01364792 (both OK on VirusTotal). I ran the offline Defender scan, which reported nothing. I uninstalled the font anyway but am still getting this message:

Event[0]:
Time Created : 10/26/2024 1:08:22 PM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-26T20:08:22.542Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\svchost.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline:
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.722.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
The only thing I had installed recently was a digitally signed font (Newsreader) with SHA-256 of 8a08d13f8a6c0d51be379a60af84f945f65369a67e509ee3c3bdcc421254d7c1 and 796668611f80b64d5adf182fde3b6f29ed83b4e7cbec7b96937e84ac01364792 (both OK on VirusTotal). I ran the offline Defender scan, which reported nothing. I uninstalled the font anyway but am still getting this message:

Event[0]:
Time Created : 10/26/2024 1:08:22 PM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-26T20:08:22.542Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\svchost.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline:
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.722.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9

This one is different, but there is no need to worry. Such events are common. The practical solution is to ignore them.
 

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
Interestingly, I haven't noticed any more errors after uninstalling the font and restarting Windows. It might be a coincidence, or maybe the Windows font manager was doing something weird.

ETA: it just happened again, so the font probably wasn't the problem :confused:
This one is different, but there is no need to worry. Such events are common. The practical solution is to ignore them.
 

Can't Decide

Level 1
Dec 15, 2023
37
Event[0]:
Time Created : 10/26/2024 1:08:22 PM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-26T20:08:22.542Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\svchost.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline:
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.722.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9
A few months ago I don't think I had this message; only recently I noticed that I also get this message whenever I turn on my PC and reach the desktop screen, at about the same time as the detection time. Is it the same for you? @South Park


@Andy Ful, is it still the case that the events are common and there is nothing to worry about, and that the practical solution is to ignore them?
I did not install any new program.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,664
A few months ago I don't think I had this message; only recently I noticed that I also get this message whenever I turn on my PC and reach the desktop screen, at about the same time as the detection time,
Quite often these blocks will not impact app performance and can be ignored. OTOH, if the app isn't functioning then you may need to disable this rule, since exceptions are not allowed.
 

Can't Decide

Level 1
Dec 15, 2023
37
Thank you for clarifying this for me.

Quite often these blocks will not impact app performance and can be ignored. OTOH, if the app isn't functioning then you may need to disable this rule, since exceptions are not allowed.
Noted.

For now, I haven't noticed any impact, since I don't know which service using svchost.exe caused the blocks. Not knowing which service triggers it, when a few months ago I didn't have any of these blocks, is making me anxious 😰.

I know lots of services use svchost.exe, but is there a way to check which service using svchost.exe caused the blocks?
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,703
I know lots of services use svchost.exe, but is there a way to check which service using svchost.exe caused the blocks?
Look for the command line flag.
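The two questions running through this thread are "is this block anything to worry about?" and "which svchost.exe service caused it?". The following PowerShell is an added example, not code from the thread and not part of ConfigureDefender: it reads the Defender ASR block events (Event ID 1121) from the Defender operational log, parses the same "Key: value" lines shown in the events pasted above, checks whether the blocked binary in Path is a signed file under the Windows directory (the benign pattern in this thread), and, when Path is svchost.exe, lists the live svchost instances with their command line (the "-k <group>" flag) and the services each one hosts. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender; the function names are mine, the rule GUID is the one quoted in the thread.

```powershell
# Added example (not from the thread, not ConfigureDefender's code).
# Assumes: elevated PowerShell, Windows 10/11, Microsoft Defender enabled.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # rule GUID quoted in the thread

function Get-AsrBlockEvents {
    param([int]$MaxEvents = 50)
    # 1121 = ASR rule blocked an operation (1122 would be the audit-mode counterpart)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $f = @{}
        foreach ($line in ($e.Message -split "`r?`n")) {
            # Message lines look like "Path: C:\Windows\System32\svchost.exe"
            if ($line -match '^\s*(ID|User|Path|Process Name|Target Commandline|Parent Commandline)\s*:\s*(.*)$') {
                $f[$Matches[1]] = $Matches[2].Trim()
            }
        }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            RuleId      = $f['ID']
            IsLsassRule = ($f['ID'] -ieq $LsassRuleId)
            User        = $f['User']
            Path        = $f['Path']             # the process that was blocked
            Target      = $f['Process Name']     # lsass.exe for this rule
            CommandLine = $f['Target Commandline']
            Parent      = $f['Parent Commandline']
        }
    }
}

function Test-BlockedBinary {
    param([Parameter(Mandatory)][string]$Path)
    # A catalog-signed Microsoft file under %WINDIR% (taskhostw.exe, svchost.exe)
    # is the benign pattern seen in this thread; anything else deserves a closer look.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        InWindows = ($Path -like "$env:WINDIR\*")
        SigStatus = $sig.Status                      # Valid / NotSigned / HashMismatch ...
        Signer    = $sig.SignerCertificate.Subject
    }
}

function Get-SvchostServiceMap {
    # Event 1121 carries no PID, so map every live svchost.exe to the services it hosts.
    # The block recurs at logon, so a map taken right after logon usually contains the culprit.
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $procId = $_.ProcessId
        $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" | Select-Object -ExpandProperty Name
        [pscustomobject]@{
            PID         = $procId
            CommandLine = $_.CommandLine          # shows the "-k <group>" flag
            Services    = ($svc -join ', ')
        }
    }
}

# Usage: list the blocks, vet each blocked binary, then map svchost services if needed.
$blocks = Get-AsrBlockEvents
$blocks | Format-Table Time, IsLsassRule, User, Path, CommandLine -AutoSize
$blocks | Where-Object { $_.Path } | Select-Object -ExpandProperty Path -Unique |
    ForEach-Object { Test-BlockedBinary -Path $_ } | Format-Table -AutoSize
if ($blocks | Where-Object { $_.Path -like '*\svchost.exe' }) {
    Get-SvchostServiceMap | Format-Table -AutoSize
}
```

The service map is a snapshot of the current session, so run it shortly after the block fires (at logon, in the cases described here) and compare the "-k" groups against the svchost instances that were alive at the detection time; a Path that resolves to a validly signed binary in the Windows directory, started as NT AUTHORITY\SYSTEM, is consistent with the false-positive explanation given in this thread rather than with a credential-dumping tool.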
 

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
Few month ago I don't think it have this message, only recently I noticed I also had this message whenever I turn on my pc and reached desktop screen about the same time as the detection time, is it also same for you? @South Park


@Andy Ful, is it still under the events are common and there is nothing to worry. The practical solution is to ignore them?
I did not install any new program.
I also was receiving at least one notification at computer start-up, and often one when starting Firefox. I ended up setting the rule to block rather than to warn and haven't noticed any problems, though almost all of my software is open-source portable apps or a few select portable freeware apps.
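South Park switched the rule from Warn to Block, and oldschool notes that disabling it is the fallback if an application stops working. The following PowerShell is an added example, not code from the thread and not ConfigureDefender's own, showing how to read and change the mode of this one rule with the built-in Defender cmdlets. It assumes an elevated PowerShell session on Windows 10/11 whose Defender settings are not locked by Group Policy or Intune (policy-managed values take precedence over the cmdlets), and that ConfigureDefender's Interactive setting corresponds to Defender's Warn mode, as the posts above suggest; the function names are mine and the rule GUID is the one quoted in the thread.

```powershell
# Added example (not from the thread, not ConfigureDefender's code).
# Assumes: elevated PowerShell, Defender not policy-managed, Windows 10/11.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # "Block credential stealing from LSASS"

# Numeric action codes returned by Get-MpPreference for each ASR rule
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassRuleMode {
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    for ($k = 0; $k -lt $ids.Count; $k++) {
        if ($ids[$k] -ieq $LsassRuleId) {           # GUIDs may come back upper-case
            $code = [int]$acts[$k]
            if ($ActionName.ContainsKey($code)) { return $ActionName[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

function Set-LsassRuleMode {
    param([Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Mode)
    # Add-MpPreference updates the action of a rule that is already listed;
    # Set-MpPreference would replace the whole rule list, so Add- is the safer call for one rule.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId -AttackSurfaceReductionRules_Actions $Mode
}

"Current mode: $(Get-LsassRuleMode)"

# Warn (the Interactive setting discussed above) -> Block, as South Park did:
#   Set-LsassRuleMode -Mode Enabled
# Keep visibility without blocking (Defender logs Event ID 1122 instead of 1121):
#   Set-LsassRuleMode -Mode AuditMode
# Last resort if an application genuinely breaks, per oldschool's advice:
#   Set-LsassRuleMode -Mode Disabled
```

Audit mode is the middle ground worth trying before disabling the rule: it keeps the events flowing so the svchost/taskhostw pattern can still be reviewed, without blocking the operation. After any change, re-run Get-LsassRuleMode (or ConfigureDefender's own view) to confirm the value actually took effect, since a policy-managed setting silently wins over the cmdlet.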
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
@Andy Ful Does Defender continue to receive updates solely through Windows Update, or can it now update on its own?

I did not notice that Microsoft Defender received updates solely through Windows Updates. :unsure:
Most frequent updates are received via MAPS independently of Windows Updates:

In addition to MAPS, Defender updates are also received via Windows Updates:
  • Security Intelligence Update (KB2267602)
  • Antivirus antimalware platform (KB4052623)
  • Malicious Software Removal Tool x64 (KB890830)
 
