Exploit Guard blocking Chrome making calls Win32k.sys
I am in the process of implementing Exploit Guard in our W10 corporate image.
I configured it using the GPO "Use a common set of exploit protection settings" that makes use of a XML file. Initially, Chrome.exe was not included in the XML file.
I realized that when I opened Chrome, an event ID 10 appeared in
Application and Service Logs -> Microsoft -> Windows -> Security Mitigations -> Kernel mode
Process 'DeviceHarddiskVolume2Program Files
(x86)GoogleChromeApplicationchrome.exe' (PID 9740) was blocked
from making system calls to Win32k.sys.
I even explicitly included chrome.exe
as an exception in the Program Setting list, forcing OFF in the setting "Disable Win32 system calls". To do that, I just added this code to the XML file:
<AppConfig Executable="chrome.exe">
<SystemCalls> DisableWin32kSystemCalls="false"/>
</AppConfig>
But nothing changes, and the same event ID appears. One interesting thing is that Chrome seems to work fine, with no error windows or crashes.
Any idea how to solve this situation?
google-chrome security exploit
add a comment |
I am in the process of implementing Exploit Guard in our W10 corporate image.
I configured it using the GPO "Use a common set of exploit protection settings" that makes use of a XML file. Initially, Chrome.exe was not included in the XML file.
I realized that when I opened Chrome, an event ID 10 appeared in
Application and Service Logs -> Microsoft -> Windows -> Security Mitigations -> Kernel mode
Process 'DeviceHarddiskVolume2Program Files
(x86)GoogleChromeApplicationchrome.exe' (PID 9740) was blocked
from making system calls to Win32k.sys.
I even explicitly included chrome.exe
as an exception in the Program Setting list, forcing OFF in the setting "Disable Win32 system calls". To do that, I just added this code to the XML file:
<AppConfig Executable="chrome.exe">
<SystemCalls> DisableWin32kSystemCalls="false"/>
</AppConfig>
But nothing changes, and the same event ID appears. One interesting thing is that Chrome seems to work fine, with no error windows or crashes.
Any idea how to solve this situation?
google-chrome security exploit
Run Chrome and then in PowerShell enter the commandGet-ProcessMitigation -Name chrome -RunningProcesses
. Look under "System Call:" and let us know your settings. On mine it says "DisableWin32kSystemCalls : OFF, Audit : OFF, Override SystemCall : False". If yours is different, please share exactly how and where you Win32k System Calls.
– harrymc
Feb 11 at 10:14
I also have "System Call:DisableWin32kSystemCalls: OFF Audit: OFF Override SystemCall : False, and I still see the event appearing every time I open Chrome. You dont have the event? maybe another GPO setting provoking this behaviour?
– YaKs
Feb 11 at 10:53
add a comment |
I am in the process of implementing Exploit Guard in our W10 corporate image.
I configured it using the GPO "Use a common set of exploit protection settings" that makes use of a XML file. Initially, Chrome.exe was not included in the XML file.
I realized that when I opened Chrome, an event ID 10 appeared in
Application and Service Logs -> Microsoft -> Windows -> Security Mitigations -> Kernel mode
Process 'DeviceHarddiskVolume2Program Files
(x86)GoogleChromeApplicationchrome.exe' (PID 9740) was blocked
from making system calls to Win32k.sys.
I even explicitly included chrome.exe
as an exception in the Program Setting list, forcing OFF in the setting "Disable Win32 system calls". To do that, I just added this code to the XML file:
<AppConfig Executable="chrome.exe">
<SystemCalls> DisableWin32kSystemCalls="false"/>
</AppConfig>
But nothing changes, and the same event ID appears. One interesting thing is that Chrome seems to work fine, with no error windows or crashes.
Any idea how to solve this situation?
google-chrome security exploit
I am in the process of implementing Exploit Guard in our W10 corporate image.
I configured it using the GPO "Use a common set of exploit protection settings" that makes use of a XML file. Initially, Chrome.exe was not included in the XML file.
I realized that when I opened Chrome, an event ID 10 appeared in
Application and Service Logs -> Microsoft -> Windows -> Security Mitigations -> Kernel mode
Process 'DeviceHarddiskVolume2Program Files
(x86)GoogleChromeApplicationchrome.exe' (PID 9740) was blocked
from making system calls to Win32k.sys.
I even explicitly included chrome.exe
as an exception in the Program Setting list, forcing OFF in the setting "Disable Win32 system calls". To do that, I just added this code to the XML file:
<AppConfig Executable="chrome.exe">
<SystemCalls> DisableWin32kSystemCalls="false"/>
</AppConfig>
But nothing changes, and the same event ID appears. One interesting thing is that Chrome seems to work fine, with no error windows or crashes.
Any idea how to solve this situation?
google-chrome security exploit
google-chrome security exploit
edited Feb 19 at 4:05
Pikachu the Purple Wizard
148213
148213
asked Feb 11 at 9:29
YaKsYaKs
32
32
Run Chrome and then in PowerShell enter the commandGet-ProcessMitigation -Name chrome -RunningProcesses
. Look under "System Call:" and let us know your settings. On mine it says "DisableWin32kSystemCalls : OFF, Audit : OFF, Override SystemCall : False". If yours is different, please share exactly how and where you Win32k System Calls.
– harrymc
Feb 11 at 10:14
I also have "System Call:DisableWin32kSystemCalls: OFF Audit: OFF Override SystemCall : False, and I still see the event appearing every time I open Chrome. You dont have the event? maybe another GPO setting provoking this behaviour?
– YaKs
Feb 11 at 10:53
add a comment |
Run Chrome and then in PowerShell enter the commandGet-ProcessMitigation -Name chrome -RunningProcesses
. Look under "System Call:" and let us know your settings. On mine it says "DisableWin32kSystemCalls : OFF, Audit : OFF, Override SystemCall : False". If yours is different, please share exactly how and where you Win32k System Calls.
– harrymc
Feb 11 at 10:14
I also have "System Call:DisableWin32kSystemCalls: OFF Audit: OFF Override SystemCall : False, and I still see the event appearing every time I open Chrome. You dont have the event? maybe another GPO setting provoking this behaviour?
– YaKs
Feb 11 at 10:53
Run Chrome and then in PowerShell enter the command
Get-ProcessMitigation -Name chrome -RunningProcesses
. Look under "System Call:" and let us know your settings. On mine it says "DisableWin32kSystemCalls : OFF, Audit : OFF, Override SystemCall : False". If yours is different, please share exactly how and where you Win32k System Calls.– harrymc
Feb 11 at 10:14
Run Chrome and then in PowerShell enter the command
Get-ProcessMitigation -Name chrome -RunningProcesses
. Look under "System Call:" and let us know your settings. On mine it says "DisableWin32kSystemCalls : OFF, Audit : OFF, Override SystemCall : False". If yours is different, please share exactly how and where you Win32k System Calls.– harrymc
Feb 11 at 10:14
I also have "System Call:DisableWin32kSystemCalls: OFF Audit: OFF Override SystemCall : False, and I still see the event appearing every time I open Chrome. You dont have the event? maybe another GPO setting provoking this behaviour?
– YaKs
Feb 11 at 10:53
I also have "System Call:DisableWin32kSystemCalls: OFF Audit: OFF Override SystemCall : False, and I still see the event appearing every time I open Chrome. You dont have the event? maybe another GPO setting provoking this behaviour?
– YaKs
Feb 11 at 10:53
add a comment |
1 Answer
1
active
oldest
votes
To my great surprise I have the same warning.
To my greater surprise, I also have this same warning for browser_broker.exe
,
which is a component of Microsoft Edge. As its name suggests, this is probably
the component that decides which browser to call for a URL.
Since this warning is happening on Microsoft's own software when it's working correctly,
and is also happening on Chrome when it's working correctly,
I think that it is harmless and unavoidable.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1404366%2fexploit-guard-blocking-chrome-making-calls-win32k-sys%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
To my great surprise I have the same warning.
To my greater surprise, I also have this same warning for browser_broker.exe
,
which is a component of Microsoft Edge. As its name suggests, this is probably
the component that decides which browser to call for a URL.
Since this warning is happening on Microsoft's own software when it's working correctly,
and is also happening on Chrome when it's working correctly,
I think that it is harmless and unavoidable.
add a comment |
To my great surprise I have the same warning.
To my greater surprise, I also have this same warning for browser_broker.exe
,
which is a component of Microsoft Edge. As its name suggests, this is probably
the component that decides which browser to call for a URL.
Since this warning is happening on Microsoft's own software when it's working correctly,
and is also happening on Chrome when it's working correctly,
I think that it is harmless and unavoidable.
add a comment |
To my great surprise I have the same warning.
To my greater surprise, I also have this same warning for browser_broker.exe
,
which is a component of Microsoft Edge. As its name suggests, this is probably
the component that decides which browser to call for a URL.
Since this warning is happening on Microsoft's own software when it's working correctly,
and is also happening on Chrome when it's working correctly,
I think that it is harmless and unavoidable.
To my great surprise I have the same warning.
To my greater surprise, I also have this same warning for browser_broker.exe
,
which is a component of Microsoft Edge. As its name suggests, this is probably
the component that decides which browser to call for a URL.
Since this warning is happening on Microsoft's own software when it's working correctly,
and is also happening on Chrome when it's working correctly,
I think that it is harmless and unavoidable.
answered Feb 11 at 11:10
harrymcharrymc
262k14271579
262k14271579
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1404366%2fexploit-guard-blocking-chrome-making-calls-win32k-sys%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Run Chrome and then in PowerShell enter the command
Get-ProcessMitigation -Name chrome -RunningProcesses
. Look under "System Call:" and let us know your settings. On mine it says "DisableWin32kSystemCalls : OFF, Audit : OFF, Override SystemCall : False". If yours is different, please share exactly how and where you Win32k System Calls.– harrymc
Feb 11 at 10:14
I also have "System Call:DisableWin32kSystemCalls: OFF Audit: OFF Override SystemCall : False, and I still see the event appearing every time I open Chrome. You dont have the event? maybe another GPO setting provoking this behaviour?
– YaKs
Feb 11 at 10:53