Windows Defender Core Isolation blocks an overclocking software

RoboMan

I have read about Core Isolation module on Windows Defender and it is pretty interesting. I would very much like to use it, but it blocks ThrottleStop, an undervolt and overclock software, which I use in order to cool down the temperatures on my laptop.

As far as I have read, Core Isolation protects high-security processes from being injected by malicious software. I can understand why ThrottleStop would need to do this in order to limit my hardware's performance, but I cannot see a way to exclude it from this module.

I have manually added the whole folder and executables to the exclusions, but I believe this only applies for real-time protection and scanning, since it does nothing.

So far, I have the Core Isolation module disabled so I can run ThrottleStop. Any ideas?
 

Venustus

Several users on this forum have run into the issue that ThrottleStop does not start when Windows 10's Core Isolation feature is turned on. Based on my looking into this, the solution would be for ThrottleStop's WinRing*.dll binaries to be signed. The main ThrottleStop executable as well as the drivers, WinRing*.sys, are signed with keys that chain up to trusted roots, but the DLL's are not.

Signing the DLL's should allow ThrottleStop to operate with Core Isolation on. This is evidenced by attempting to launch ThrottleStop with Core Isolation on, then looking in Event Viewer, under Windows Logs -> System, where the source is the Service Control Manager, event ID 7000. This shows:

 

RoboMan

Thanks for sharing the article. Sadly, I know already it is a common issue. I am just hoping somebody knows a workaround to temporarily fix it without having to disable the module.
 

Vasudev

> Thanks for sharing the article. Sadly, I know already it is a common issue. I am just hoping somebody knows a workaround to temporarily fix it without having to disable the module.

You can't. In short, all access to IOMMU and other sensitive registers is disabled by default and all API hooks are terminated.
I did notify the author of ThrottleStop after many people complained that TS isn't working after new W10 update. We were spellbound why OC tools weren't working out of the blue!
Maybe @Andy Ful and other MT senior members can shed more light into this. I am just a noob in this protected memory access thingy!
 

Pkjfkknm

> I have read about Core Isolation module on Windows Defender and it is pretty interesting. I would very much like to use it, but it blocks ThrottleStop, an undervolt and overclock software, which I use in order to cool down the temperatures on my laptop.
>
> As far as I have read, Core Isolation protects high-security processes from being injected by malicious software. I can understand why ThrottleStop would need to do this in order to limit my hardware's performance, but I cannot see a way to exclude it from this module.
>
> I have manually added the whole folder and executables to the exclusions, but I believe this only applies for real-time protection and scanning, since it does nothing.
>
> So far, I have the Core Isolation module disabled so I can run ThrottleStop. Any ideas?

Core Isolation is much an alpha/beta feature.
There is no way to allow a blocked DLL injection or load in Core Isolation.
The ThrottleStop author wrote "tired of carrying community on my back",
so do not expect a fix.
The fix is not to use Core Isolation.
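
The check described in Venustus's post above (signature status of the WinRing* files plus Service Control Manager event ID 7000), as an added PowerShell example that is not part of the thread or of ThrottleStop. The folder `C:\ThrottleStop` and the 7-day window are assumptions; the `Win32_DeviceGuard` query reports whether memory integrity, the setting found under Core Isolation, is actually running.

```powershell
# Added diagnostic example; not code from the thread or from ThrottleStop.
param(
    # Assumption: folder where ThrottleStop was unpacked; adjust to your system.
    [string]$ToolDir = 'C:\ThrottleStop',
    # Assumption: how far back to search the System log.
    [int]$Days = 7
)

# 1. Is memory integrity (HVCI) running right now?
#    In Win32_DeviceGuard, the value 2 in SecurityServicesRunning means HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
"Memory integrity (HVCI) running: $hvciRunning"

# 2. Authenticode status of the executables, WinRing*.dll and WinRing*.sys.
#    'Valid' means signed and chaining to a trusted root; 'NotSigned' is the
#    state the post reports for the DLLs.
Get-ChildItem -Path $ToolDir -Recurse -File |
    Where-Object { $_.Name -like 'WinRing*' -or $_.Extension -eq '.exe' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    } | Format-Table -AutoSize -Wrap

# 3. Service start failures logged by the Service Control Manager (event ID 7000).
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    "No event ID 7000 entries in the last $Days days."
}
```

Run it from an elevated PowerShell prompt after a failed launch, so the event 7000 entry and the signature table can be read side by side.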
 
