Controlled Folder Access

Oussebon

Multiverse Poster
So I'm experimenting with 1809 as a clean install on a freshly formatted SSD. My old installation (which I've kept on my other SSD) is 1709 - so one of the first things I did was switch on Controlled Folder Access as this seems like one of the best features any Windows update has brought to Windows 10.

The protected folders are the default ones only (i.e. my user + Public \Documents \Pictures \Videos \Music \Desktop \Favourites) plus D: which is documents only and no programs or data folders for programs (e.g. game save file locations) are installed to set to D:. The Windows libraries (Documents, Downloads, Pictures, etc) are still all set to their defaults on C: as I've not got around to switching those to D: yet.

If someone encrypts my ~7TB steam library on J:, I'll just redownload it very slowly

So far, CFA has blocked:

  • one of my games repeatedly.
  • Part of Nvidia's driver installation.
  • msiexec.exe
  • Searchindexer.exe
  • the GOG Galaxy installer.

msiexec.exe - I am not familiar with, but given that the notifications for CFA happened when freshly downloaded Windows Updates were installing and that it lives in C:\Windows\System32\ I can hazard a guess as to what that is...

The game and GOG client may be trying to write things to Documents, so - fine I guess?

I'm not 100% sure it ought to be blocking search indexer, or Windows Update. Before realising CFA had got at either of those, I did find myself having to restart the updates a few times, and when I first opened search indexing options to see what folders it was indexing as I saw in task manager that my disk usage was surprisingly low for a fresh Windows installation, I found search indexing was disabled, presumably because CFA stopped it doing whatever it had been trying to do...

I'm open to the possibility of user error here, but I only did the installation today (10 Pro N), and spent most of the time since migrating / updating portable browsers that weren't as portable as they ought to have been; I haven't had time to personally bork Windows yet.

Or is the above actually 100% normal?
 

Tony1044

Prolific Poster
MSIEXEC.EXE is the Windows Installer and is invoked by .MSI files (even .EXE [e.g. setup.exe] tends to invoke an MSI) - it can run at seemingly random times when you've got background updates, self-repairing MSI files etc.

It should have access.

Games etc - will try to write to e.g. %APPDATA% and will need unblocking.

Drivers will need access to e.g. SYSTEM32 and others.

Indexing shouldn't be blocked but I've seen similar behaviour with e.g. terminal services client trying to write back a hidden .RDP file that gets blocked, so I assume it'll just need the source unblocking.

It's an incredibly useful feature - I mentioned it here when it first came out - but it's also a bit of a pain to initially get set up and can be a bit chatty/overzealous occasionally, but it's well worth the extra overhead in my personal opinion.
 

SpyderTracks

We love you Ukraine
As Tony1044 says it’s a pain to configure atm, but very handy to have.

I personally disable it whenever I’m doing an install and then re-enable, then it will flag if it has any difficulties when running the software and you can add an exclusion if necessary. It’s more gentle than it was in 1803 imho, but still needs work.
 

ubuysa

The BSOD Doctor
That's interesting stuff. I don't use CFA because my security system (Comodo) sandboxes any unknown process preventing access to any real resources.

I did play with CFA for a day or so before installing Comodo and found similar conflicts to those you mention. It was one reason why I fell back to my reliable Comodo security system. I also know that many installers want to write to the Documents folder on install and I assumed (dangerous I know) that these were the problems, but I didn't explore further.

You can turn on an audit mode using the elevated PowerShell command Set-MpPreference -EnableControlledFolderAccess AuditMode. That apparently allows the access but logs it to the event log, so you can at least see what is accessing your user folders in the initial few days before disabling access and adding the allowed processes via the exception list.

Based on my very limited experience of CFA that sounds normal. :)
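
The audit-then-allow workflow described in the post above, as an added example that is not part of the original thread: it summarises which processes touched protected folders while in audit mode, then allows only the ones you have reviewed. Event IDs 1123 (blocked) and 1124 (audited) are the Controlled Folder Access events in the Defender operational log; the event field names `Process Name` and `Path` and the `$approved` path are assumptions/placeholders to check against your own events.

```powershell
# Added example. Run each step separately from an elevated PowerShell session.

# Step 1: switch CFA to audit mode (writes are allowed but logged).
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Step 2: after a few days of normal use, summarise what CFA saw.
$log    = 'Microsoft-Windows-Windows Defender/Operational'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123, 1124 } `
                       -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> elements into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        Process = $data['Process Name']   # assumed field name
        Target  = $data['Path']           # assumed field name
    }
}

$report |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Targets'; e = { ($_.Group.Target | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize -Wrap

# Step 3: allow only binaries you recognise and expect to write to those folders.
# Placeholder path: replace with entries taken from the report above.
$approved = @('C:\Path\To\ReviewedApp.exe')
foreach ($exe in $approved) {
    if (Test-Path -LiteralPath $exe) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $exe
    } else {
        Write-Warning "Skipping $exe (not found)"
    }
}

# Step 4: turn enforcement on and confirm the resulting configuration.
Set-MpPreference -EnableControlledFolderAccess Enabled
Get-MpPreference |
    Select-Object EnableControlledFolderAccess, ControlledFolderAccessAllowedApplications
```

An unfamiliar process name in the report is a reason to investigate the binary, not to add it to the allow list.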
 

Tony1044

Prolific Poster
One thing I wish Microsoft would do is add a better way to add exceptions.

Although I haven't dug into it on any of the latest builds, it's traditionally a one executable at a time kind of thing and it's manual in that you have to remember the path and executable to browse to it - it'd be nice to have the option for an executable and any spawned processes etc as well as a simple popup that tells you which executable was blocked, why and a button to allow it.
 

SpyderTracks

We love you Ukraine
They have improved it a little in 1809, now if you get a conflict you can go to recent programs blocked in cfa and it will add exceptions on that program, much better, but still a work in progress.
 

Tony1044

Prolific Poster
That's good to know. The original release felt like it was one of those things that was definitely needed but rushed out of the door to meet some arbitrary target.

I just downloaded the latest "2019" long term service channel (as they now brand it) to try on my laptop which is based on the very latest version of Win 10 so I'm curious to see what has improved.
 

Oussebon

Multiverse Poster
Would you mind checking if they fixed the thing where if you disable web search results in the start menu/search, it actually disables them? Apparently they broke it in 1803 and it's not fixed yet but is going to be fixed 1st half of 2019.

They broke the Performance Monitor in 1803 and that's not fixed in 1809 either......

Blast, I clicked edit in error and I've messed up your post Oussebon. Sincere apologies, ubuysa
 