Windows 10: Inconsistent Controlled file access behaviour 1809 LTSC

Discus and support Inconsistent Controlled file access behaviour 1809 LTSC in AntiVirus, Firewalls and System Security to solve the problem; Dont want to pollute the tutorial thread with this problem, seems to be one of many apparent bugs I have come across. But here is the description of... Discussion in 'AntiVirus, Firewalls and System Security' started by Chrysalis, May 4, 2021 at 6:47 AM.

  1. Chrysalis Win User

    Inconsistent Controlled file access behaviour 1809 LTSC


    Dont want to pollute the tutorial thread with this problem, seems to be one of many apparent bugs I have come across. But here is the description of the problem. So today I started looking into this feature, I had noticed it was already turned on for a while on the default settings, didnt need to toggle the widget, but since I had defender off for several weeks in practice it has only been on for maybe a week. So I wasnt sure if it was working at all, so I enabled it for my user profile folder know that many apps constantly write to that location, and sure enough it didnt take long to start seeing notifications. However I have noticed two clear problems. Both apparent in audit mode. Audit mode can only be accessed via group policy, the security applet toggle is just a basic on and off. So looking at the documentation on Microsoft's website and the description inside group policy, the way this feature should work is there is a predefined list of whitelisted applications, I expect for user conveniance, they dont want users been hassled having to whitelist explorer, notepad etc. But this whitelist is not limited to Microsoft binaries like UAC, it does include 3rd party applications as well. After I had added my user profile folder to the protection list very quickly I received prompts from dumeter service, vivaldi web browser and powershell. From the logs, powershell was for updating its command history. Vivaldi was for updating the recent files location, but it would also be for the browser profile if I hadnt moved it off my user profile folder. So there is a few problems I have noticed. When I enabled audit mode after I realised that is a more sensible approach to seeing what applications would be affected, two things were happening. 1 - After a period of time, the logs were reporting blocked access instead of "would be blocked", and I got the blocked notifications as well. I checked in group policy still on audit, and security applet was still forced in the off position saying settings managed by organisation. So this problem is kind of like the anti tamper weirdness that 1809 currently has. 2 - Once this starts happening vivaldi suddenly is not whitelisted anymore, start getting notifications and log entries for it, if I push it back to block mode sure enough its still in the whitelist. I do have a working theory as to what is going on, basically defender is still actively updated on 1809 LTSC, but the security applet is not been updated along with it, possibly along with other OS support files, and I feel it may have got to the point the two are not fully compatible with each other anymore (remember all the anti tamper weirdness posted in tutorial thread for LTSC). I am now finding myself questioning the LTSC decision, as in theory it should be a more stable build of windows, but I expect Microsoft are treating it as an afterthought compared to the latest consumer versions. Most bugs I have found are defender/security related, I found one last week where the defender log is not honouring timezone settings, so it was showing a time one hour in the future on its log. Yes I did screenshot it lol. (attached at bottom, check the definition update time and compare to clock at bottom right) Not sure what I am going to do at this point on the windows build, as I dont like the idea of feature updating windows on an annual basis, maybe 21H2 LTSC will be much better (at least for couple of years before defender gets too detached again) so will see. LOG snippets below. the 22:15:49 I had switched from audit to blocked back to audit again which made it audit again, after that setting was not changed and can see on the next occurence when back at pc just after midnight it started blocking evem though its still in audit mode. Also vivaldi remains in whitelist whilst this is occuring. Code: PS C:\Windows\system32> Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object {$_.ID -eq "1123" -or $_.ID -eq "1124" -or $_.ID -eq "1127"} ProviderName: Microsoft-Windows-Windows DefenderTimeCreated Id LevelDisplayName Message----------- -- ---------------- -------30/04/2021 00:04:03 1123 Warning C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has be...30/04/2021 00:03:47 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...29/04/2021 22:15:49 1124 Information C:\Program Files\Vivaldi\Application\vivaldi.exe would have been...29/04/2021 22:15:19 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...29/04/2021 22:08:36 1124 Information C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe would ...29/04/2021 21:52:33 1123 Warning C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has be...29/04/2021 21:52:10 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...29/04/2021 21:14:09 1123 Warning C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has be...29/04/2021 21:02:36 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...29/04/2021 21:02:36 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...29/04/2021 21:00:13 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...29/04/2021 21:00:13 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...29/04/2021 20:38:59 1124 Information C:\Program Files\Vivaldi\Application\vivaldi.exe would have been...29/04/2021 20:38:59 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...29/04/2021 20:27:18 1124 Information C:\Program Files\Vivaldi\Application\vivaldi.exe would have been... - - - Updated - - - An update, I discovered if I turn this off in the security applet, then enable audit mode, the mode sticks, so I expect its another anti tamper protection. So it does behave in audit mode providing it was already turned off before enabling it. - - - Updated - - - Another update, it actually still is all over the place, after some sleep and using PC again, I noticed I got another is blocked notification (still in audit mode) so checked the logs. here is latest entries. Code: TimeCreated Id LevelDisplayName Message----------- -- ---------------- -------30/04/2021 13:49:41 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...30/04/2021 13:17:20 1124 Information C:\Program Files (x86)\MPC-HC Repack\mpc-hc64.exe would have bee...30/04/2021 11:30:25 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...30/04/2021 10:38:29 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...30/04/2021 05:25:23 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...30/04/2021 03:09:09 1124 Information C:\Program Files\KeePass Password Safe\KeePass.exe would have be...30/04/2021 02:58:13 1124 Information C:\Program Files (x86)\BrokenURL\BrokenUrl.exe would have been b...30/04/2021 02:54:39 1123 Warning C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke... I noticed a pattern, it was ignoring audit for vivaldi.exe, but running rest of applications in audit mode. Audit/Block/Off is a global setting, not per application. I then restarted vivaldi and powershell, I think the issue is that the applications only apply the new settings on a new launch.

    :)
     
  2. Chrysalis Win User

    Inconsistent "Controlled file access behaviour" 1809 LTSC

    Dont want to pollute the tutorial thread with this problem, seems to be one of many apparent bugs I have come across.

    But here is the description of the problem.

    So today I started looking into this feature, I had noticed it was already turned on for a while on the default settings, didnt need to toggle the widget, but since I had defender off for several weeks in practice it has only been on for maybe a week.

    So I wasnt sure if it was working at all, so I enabled it for my user profile folder know that many apps constantly write to that location, and sure enough it didnt take long to start seeing notifications.

    However I have noticed two clear problems. Both apparent in audit mode.

    Audit mode can only be accessed via group policy, the security applet toggle is just a basic on and off.

    So looking at the documentation on Microsoft's website and the description inside group policy, the way this feature should work is there is a predefined list of whitelisted applications, I expect for user conveniance, they dont want users been hassled having to whitelist explorer, notepad etc. But this whitelist is not limited to Microsoft binaries like UAC, it does include 3rd party applications as well.

    After I had added my user profile folder to the protection list very quickly I received prompts from dumeter service, vivaldi web browser and powershell.

    From the logs, powershell was for updating its command history. Vivaldi was for updating the recent files location, but it would also be for the browser profile if I hadnt moved it off my user profile folder.

    So there is a few problems I have noticed.

    When I enabled audit mode after I realised that is a more sensible approach to seeing what applications would be affected, two things were happening.

    1 - After a period of time, the logs were reporting blocked access instead of "would be blocked", and I got the blocked notifications as well. I checked in group policy still on audit, and security applet was still forced in the off position saying settings managed by organisation. So this problem is kind of like the anti tamper weirdness that 1809 currently has.
    2 - Once this starts happening vivaldi suddenly is not whitelisted anymore, start getting notifications and log entries for it, if I push it back to block mode sure enough its still in the whitelist.

    I do have a working theory as to what is going on, basically defender is still actively updated on 1809 LTSC, but the security applet is not been updated along with it, possibly along with other OS support files, and I feel it may have got to the point the two are not fully compatible with each other anymore (remember all the anti tamper weirdness posted in tutorial thread for LTSC). I am now finding myself questioning the LTSC decision, as in theory it should be a more stable build of windows, but I expect Microsoft are treating it as an afterthought compared to the latest consumer versions. Most bugs I have found are defender/security related, I found one last week where the defender log is not honouring timezone settings, so it was showing a time one hour in the future on its log. *Wink Yes I did screenshot it lol. (attached at bottom, check the definition update time and compare to clock at bottom right)

    Not sure what I am going to do at this point on the windows build, as I dont like the idea of feature updating windows on an annual basis, maybe 21H2 LTSC will be much better (at least for couple of years before defender gets too detached again) so will see.

    LOG snippets below.

    the 22:15:49 I had switched from audit to blocked back to audit again which made it audit again, after that setting was not changed and can see on the next occurence when back at pc just after midnight it started blocking evem though its still in audit mode. Also vivaldi remains in whitelist whilst this is occuring.

    Code:
    Inconsistent Controlled file access behaviour 1809 LTSC [​IMG]


    - - - Updated - - -

    An update, I discovered if I turn this off in the security applet, then enable audit mode, the mode sticks, so I expect its another anti tamper protection. So it does behave in audit mode providing it was already turned off before enabling it.
     
  3. Upgrading from Windows 10 LTSC 1809 to another version

    I get that LTSB and LTSC's whole thing is that "stability" side of things. But since 1809 is incredibly buggy and royally sucks, I want to know if there is a way to move LTSC to a different version.

    Trying to deploy LTSC 2019 (1809) on my campus but the stupid default programs bug is straight up bricking explorer, effectively turning the computer into a potato. Need a different version.

    ***Original title:Is there a way to upgrade Windows 10 LTSC 2019 (which is version 1809) to a different version?***
     
  4. jimbo45 Win User

    Inconsistent Controlled file access behaviour 1809 LTSC

    Outlook 365 inconsistent login behaviour with IMAP gmail

    Hi there
    @fireberd

    I've long since complained about the lack of configuratation possibilities for email accounts in the latest versions (click2run) of Office 2016/2019/365 especially if you have different inbound / outbound mail servers / different user accounts on them etc etc.

    However there is an applet in the control panel (still called Mail Outlook 2016) which allows access to the classical advanced configuration screens --the new simplified screens are 100% useless if you have anything other than typical bog standard email acounts that the Ms database knows about -- the auto customising screens are an abomination !!

    If you have an older version of outlook 2016 you can export and re-import (it's a reg file) the profiles but that's a bit of a messy solution.

    Use the control panel applet while it still exists. Confusing but for O/2106,O/2019,O/365 it's still called Mail Outlook 2016.

    Use the manual setup ( 2nd option on screenshot 2 - haven't got english version but it's in the same place on an eng screen) -- then you'll get all the advanced options etc as before Ms went for the rediculous "auto setup" things - these do actually work !!!! I have some accounts with domain mail servers and they all send / receive mail via outlook 2019 perfectly now.


    Inconsistent Controlled file access behaviour 1809 LTSC [​IMG]



    Inconsistent Controlled file access behaviour 1809 LTSC [​IMG]



    Inconsistent Controlled file access behaviour 1809 LTSC [​IMG]


    etc etc.

    Cheers
    jimbo
     
Thema:

Inconsistent Controlled file access behaviour 1809 LTSC

Loading...
  1. Inconsistent Controlled file access behaviour 1809 LTSC - Similar Threads - Inconsistent Controlled file

  2. unusual behaviour by exe file

    in AntiVirus, Firewalls and System Security
    unusual behaviour by exe file: PUA:Win32/Solvusof, every time I scan defender says unusual behaviour for download folder in F, low https://answers.microsoft.com/en-us/windows/forum/all/unusual-behaviour-by-exe-file/ef3770d3-3c19-409a-b891-e4500a0fcfad
  3. Activating Windows 10 1809 LTSC

    in Windows 10 Updates and Activation
    Activating Windows 10 1809 LTSC: Hello, I have about 100 HP PC's that were purchased with Windows 10 Pro OEM from HP. Here is my issue. I need to know if I do not let the system hit the internet and then apply Windows 10 1809 LTSC license from the scratcher? If the unit hits the internet will it try and...
  4. Windows 10 Home Connecting to AzureAD, inconsistent behaviour...?

    in Windows 10 Ask Insider
    Windows 10 Home Connecting to AzureAD, inconsistent behaviour...?: I've got an Office365 tenant with AzureAD free and I'm trying to join new laptops to the domain for some new users. The laptops are running Windows 10 home. The users are licensed with Business basic and can sign in on the web portal but during the startup of a new laptop...
  5. File Timestamp inconsistencies

    in Windows 10 Support
    File Timestamp inconsistencies: First example: DISMRepairLogFile.txt. The file timestamp shown in Windows Explorer is 1 hour ahead of actual time. However, the individual entries in the content of the file are correct. Second Example: SrtTrail.txt. The file timestamp shown in Windows Explorer is 1 hour...
  6. Enviroment Uservariable: inconsistent behaviour

    in Windows 10 Installation and Upgrade
    Enviroment Uservariable: inconsistent behaviour: Hi all Due to unfortunate Windows Updates and other reasons sometimes it is advisable to cleanup your system and install Windows fresh. While installing Windows from scratch sometimes in the installprocess something goes wrong and Windows installed first a local admin...
  7. Windows 10 Enterprise 1809 LTSC 2019

    in Windows 10 Installation and Upgrade
    Windows 10 Enterprise 1809 LTSC 2019: I Want to know if this is save to use https://youtu.be/DV3Et2sOTVs https://answers.microsoft.com/en-us/windows/forum/all/windows-10-enterprise-1809-ltsc-2019/5c6ff5ba-b83c-4837-8f85-561babe4e9a7
  8. Outlook 365 inconsistent login behaviour with IMAP gmail

    in Microsoft Office and 365
    Outlook 365 inconsistent login behaviour with IMAP gmail: I am using Office 365 and several of my machines have switched to modern authentication for Gmail recently. A window popped up, asking me for my google login and password and I got the 2FA prompt on my phone correctly. So far everything works. One machine refuses to do so and...
  9. controlled file access and wmiprvse

    in AntiVirus, Firewalls and System Security
    controlled file access and wmiprvse: I am Windows 10 and I have controlled file access activated. I keep getting messages that wmiprvse.exe is being blocked for memory change. Does wmiprvse normally change storage or files? Should I allow it to do so? What is the full , legitimate path to the exe to allow it...
  10. Bluescreen when using dell VPN on LTSC 1809

    in Windows 10 BSOD Crashes and Debugging
    Bluescreen when using dell VPN on LTSC 1809: Hi All, I installed my computer to the Windows 10 Enterprise LTSC version 1809 and everything went fine. But after I installed the DELL VPN SMA Connect tunnel and started it up, then connected today I got this bluescreen. Please help me how to fix this issue, because I need...