locked
Controlled Folder Access stopped generating event 1123 RRS feed

  • Question

  • I've been testing Controlled Folder Access. When I started I was getting events with event id 1123 in the "Microsoft/Windows/Windows Defender/Operational" log. At some point these events stopped being generated. Now I'm unable to get these events to generate even though files access is being blocked.

    I'm testing on Windows 10 1803 (Build 17134.1).

    Here are steps I took:

    • Go to Windows defender>Virus & threat protection>Manage ransomware protection and turn on the Controlled folder access.
    • Next I downloaded cfatool.exe from https://demo.wd.microsoft.com/Content/CFAtool.exe
    • I ran the cfatool.exe application and attempted to create a file on my desktop. No file appears in the Desktop folder. CFA did indeed block the cfatool.exe. However, when I go back to the event log (Microsoft/Windows/Windows Defender/Operational) no event is generated.

    I've tried this on 4 separate computers. They all block the file without generating an event. I must be doing something wrong, but I'm not sure what I'm missing.

    Here is the article that talked about enabling CFA and the related events it should be logging.

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard


    • Edited by rpenner Wednesday, February 13, 2019 3:14 PM
    Wednesday, February 13, 2019 3:14 PM

All replies

  • I can reproduce the issue on 2 different 1803 and one 1809 maschine after this patchday, now investigating which of the updates is triggering the issue. I Posted the issue on Windows Feedback Hub. If I find any solution or workaround I will post it here.
    • Edited by Dommel22 Monday, February 18, 2019 2:14 PM
    Monday, February 18, 2019 2:08 PM
  • Problem should be solved now by installing latest Windows Patches and Defender Signatures by Windows Update
    Friday, March 29, 2019 10:36 AM