Windows 10: Does Windows Defender Exploit Protection log anywhere?

I've used EMET quite a bit in the past. I recently started using the Fall Creators Update "Exploit Protection" feature. I have the settings as aggressive as possible, and I'm not changing them. This post is not asking what Exploit Protection settings I should use. The settings in place are not a big problem, but they do require me to configure program exclusions as needed, because certain programs require certain exploit protection functions to be disabled in order to run.

With EMET, every time a process was terminated due to running afoul of its protection settings, a log entry would be written, and it was possible to check Event Viewer and clearly see why EMET killed the process. But with Exploit Protection, I can't find any such log entry, even under Windows Defender's logs.

Do such log entries get written at all? If so, where are they?

:)

 

Controlled folder access notification only partly readable

Controlled folder access events are logged in the Windows Defender Operational log, with Event ID 1123 used to log a blocked access event:



Right-click on the Start button and select Event Viewer.

Then navigate to Applications and Services >
Microsoft > Windows > Windows Defender >
Operational

Filter this log for: 1123 (integer only)

And then, optionally, Save Filter to Custom View.



If whitelisting your friendly apps is proving difficult, you can put
Controlled folder access in an Audit Mode where it will continue to monitor access to your document folders, but won’t block unrecognized apps. Run this line at the elevated PowerShell prompt to set the Audit Mode:



Set-MpPreference -EnableControlledFolderAccess AuditMode







Audited access events are logged with Event ID 1124:



Help prevent ransomware and threats from encrypting and changing files



Have a look at this Windows IT Pro Center document for further information:



Add additional folders and apps to be protected by Windows 10

 

Bug? In Windows Defender Exploit Guard.

If we assume that this is just a glitch, then you might be able to reset the Exploit protection defaults by exporting the settings from an unaffected PC (with default settings) and then importing those settings on the affected machines. This looks
to be the backup/restore tool for the Exploit protection settings:

Deploy Exploit protection mitigations across your organization

Export and Import Exploit Protection Settings in Windows 10

 

Does this document helps?

*Arrow docs.microsoft.com | list-of-all-windows-defender-exploit-guard-events

and docs.microsoft.com | evaluate-exploit-protection

 

You would think so, but those logs don't seem to capture the Exploit Protection events I'm interested in. I just changed an EP setting to purposely make it crash an application, and there's no log entry of it anywhere that I can see. I have about a billion instances of "chrome.exe was blocked from making system calls to Win32k.sys" in Security-Mitigations, though.

Thank you for the reply nonetheless. I will keep looking.

 

One thing I've just noticed.. If you downloaded their xml files to make custom filters, file for exploit protection events is bogus.. it's a copy of network protection events.

Create rule manually, like the code on the site: list-of-all-windows-defender-exploit-guard-events