ConfigureDefender utility for Windows 10/11

South Park

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
Digmor Crusher said:
I keep getting this block now Andy, anything to worry about? I assume its because I'm using the Interactive setting? Thanks.

Event[0]:
Time Created : 2024-10-25 7:46:09 AM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-25T12:46:09.878Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\taskhostw.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline: taskhostw.exe -RegisterDevice -SettingChange
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.704.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9
Click to expand...
FWIW, I also use Interactive mode and I've started getting these warnings today (5x so far) for no apparent reason. I don't recall ever seeing this warning before. W10, fully patched. I'm guessing it could be a bug on MS end.
 
  • Hundred Points
  • Like
Reactions: simmerskool and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
South Park said:
FWIW, I also use Interactive mode and I've started getting these warnings today (5x so far) for no apparent reason. I don't recall ever seeing this warning before. W10, fully patched. I'm guessing it could be a bug on MS end.
Click to expand...
Did you install recently some new applications or Windows updates?
You have the same event (CmdLine: taskhostw.exe -RegisterDevice -SettingChange) as @Digmor Crusher, so either you shared the same malware or it is a false positive. :)
 
Last edited:
  • Like
  • +Reputation
Reactions: simmerskool, South Park and oldschool
South Park

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
Andy Ful said:
Did you install recently some new applications or Windows updates?
You have the same event (CmdLine: taskhostw.exe -RegisterDevice -SettingChange) as @Digmor Crusher, so either you shared the same malware or it is a false positive. :)
Click to expand...
The only thing I had installed recently was a digitally signed font (Newsreader) with SHA-256 of 8a08d13f8a6c0d51be379a60af84f945f65369a67e509ee3c3bdcc421254d7c1 and 796668611f80b64d5adf182fde3b6f29ed83b4e7cbec7b96937e84ac01364792 (both OK on Virus Total). I ran the offline Defender scan which reported nothing. I uninstalled the font anyway but am still getting this message: Event[0]: Time Created : 10/26/2024 1:08:22 PM ProviderName : Microsoft-Windows-Windows Defender Id : 1121 Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe) Detection time: 2024-10-26T20:08:22.542Z User: NT AUTHORITY\SYSTEM Path: C:\Windows\System32\svchost.exe Process Name: C:\Windows\System32\lsass.exe Target Commandline: Parent Commandline: Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.419.722.0 Engine Version: 1.1.24080.9 Product Version: 4.18.24080.9
 
  • Like
Reactions: simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
South Park said:
The only thing I had installed recently was a digitally signed font (Newsreader) with SHA-256 of 8a08d13f8a6c0d51be379a60af84f945f65369a67e509ee3c3bdcc421254d7c1 and 796668611f80b64d5adf182fde3b6f29ed83b4e7cbec7b96937e84ac01364792 (both OK on Virus Total). I ran the offline Defender scan which reported nothing. I uninstalled the font anyway but am still getting this message: Event[0]: Time Created : 10/26/2024 1:08:22 PM ProviderName : Microsoft-Windows-Windows Defender Id : 1121 Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe) Detection time: 2024-10-26T20:08:22.542Z User: NT AUTHORITY\SYSTEM Path: C:\Windows\System32\svchost.exe Process Name: C:\Windows\System32\lsass.exe Target Commandline: Parent Commandline: Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.419.722.0 Engine Version: 1.1.24080.9 Product Version: 4.18.24080.9
Click to expand...

This one is different, but there is no need to worry. Such events are common. The practical solution is to ignore them.
 
  • Like
  • +Reputation
Reactions: simmerskool, Digmor Crusher, South Park and 1 other person
South Park

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
Interestingly, I haven't noticed any more errors after uninstalling the font and restarting Windows. It might be a coincidence, or maybe the Windows font manager was doing something weird.

ETA: it just happened again, so the font probably wasn't the problem :confused:
Andy Ful said:
This one is different, but there is no need to worry. Such events are common. The practical solution is to ignore them.
Click to expand...
 
Last edited:
  • Like
Reactions: Andy Ful, oldschool and simmerskool
C

Can't Decide

Level 1
Dec 15, 2023
37
South Park said:
Event[0]:
Time Created : 10/26/2024 1:08:22 PM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-26T20:08:22.542Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\svchost.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline:
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.722.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9
Click to expand...
Few month ago I don't think it have this message, only recently I noticed I also had this message whenever I turn on my pc and reached desktop screen about the same time as the detection time, is it also same for you? @South Park


@Andy Ful, is it still under the events are common and there is nothing to worry. The practical solution is to ignore them?
I did not install any new program.
 
  • Like
Reactions: Andy Ful
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
Can't Decide said:
Few month ago I don't think it have this message, only recently I noticed I also had this message whenever I turn on my pc and reached desktop screen about the same time as the detection time,
Click to expand...
Quite often these blocks will not impact app performance and can be ignored. OTOH, if the app isn't functioning then you may need to disable this rule, since exceptions are not allowed.
 
  • Like
  • +Reputation
Reactions: Can't Decide, Andy Ful, simmerskool and 1 other person
C

Can't Decide

Level 1
Dec 15, 2023
37
Andy Ful said:
Yes. (y)
Click to expand...
Thank you for clarify for me.

oldschool said:
Quite often these blocks will not impact app performance and can be ignored. OTOH, if the app isn't functioning then you may need to disable this rule, since exceptions are not allowed.
Click to expand...
Noted.

For now, I didn't know notice any impact since I don't know what service using svchost.exe that cause the blocks. Without knowing what service trigger it and few months ago didn't have any of these blocks is making me anxiety😰.

I know lots of services using svchost.exe but is there a way to check which service using svchost.exe that cause the blocks?
 
  • Like
Reactions: simmerskool and Andy Ful
simmerskool

simmerskool

Level 36
Verified
Top Poster
Well-known
Apr 16, 2017
2,575
Can't Decide said:
I know lots of services using svchost.exe but is there a way to check which service using svchost.exe that cause the blocks?
Click to expand...
look for command line flag
helpdeskgeek.com

View the List of Services Hosted by the svchost.exe Process in Windows

Svchost.exe is a process that hosts other Windows services that perform various system functions. There can be multiple instances of svchost.exe running on your computer, with each instance containing a different service. We published a post a while back on what you can do if svchost.exe is...
helpdeskgeek.com helpdeskgeek.com
 
  • Like
Reactions: lokamoka820 and Andy Ful
South Park

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
Can't Decide said:
Few month ago I don't think it have this message, only recently I noticed I also had this message whenever I turn on my pc and reached desktop screen about the same time as the detection time, is it also same for you? @South Park


@Andy Ful, is it still under the events are common and there is nothing to worry. The practical solution is to ignore them?
I did not install any new program.
Click to expand...
I also was receiving at least one notification at computer start-up, and often one when starting Firefox. I ended up setting the rule to block rather than to warn and haven't noticed any problems, though almost all of my software is open-source portable apps or a few select portable freeware apps.
 
  • Like
Reactions: Andy Ful, simmerskool and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,476
rashmi said:
@Andy Ful Does Defender continue to receive updates solely through Windows Update, or can it now update on its own?
Click to expand...

I did not notice that Microsoft Defender received updates solely through Windows Updates. :unsure:
Most frequent updates are received via MAPS independently of Windows Updates:
learn.microsoft.com

Microsoft Defender Antivirus security intelligence and product updates - Microsoft Defender for Endpoint

Manage how Microsoft Defender Antivirus receives protection and product updates.
learn.microsoft.com

In addition to MAPS, Defender updates are also received via Windows Updates:
  • Security Intelligence Update (KB2267602)
  • Antivirus antimalware platform (KB4052623)
  • Malicious Software Removal Tool x64 (KB890830)
 
Last edited:
  • +Reputation
Reactions: simmerskool

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,057
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,401
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,211
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top