Troubleshooting

Protected Memory Access Blocked Prompts – How to Disable them?

Last Updated: September 26, 2022
6 minutes read

After the famous ransomware attacks, the Redmond giant decided to safeguard its users from similar threats, and to do so, it incorporated its OS with the Controlled Folder Access protection. This feature blocks the access of suspicious processes, applications, and services to protected system resources and folders.

Although the concept is great and has been lingering on for quite a while, its execution got a lot of users in trouble when they started to notice a continuous bombardment of ‘protected memory access blocked’ messages on their screens.

This happened even with legitimate applications like Word, Photoshop, games, and drivers like DiskTrace.exe. At several times, services like Taskhostw.exe or WinSAT.exe of the Windows OS itself were blocked. Usually, the following type of message is shown: 

Protected Memory Access Blocked Prompt in Windows Security
Protected Memory Access Blocked Prompt in Windows Security

What Causes Protected Memory Access Blocked? 

The ‘Protected Memory Access blocked’ prompt is a message due to Controlled Folder Access (CFA) but may be triggered by the following: 

  • Missing Administrative Privileges: If an application is missing administrative privileges and tries to access a protected system resource, then the CFA may stop it from accessing the protected memory.  
  • Corrupt or Outdated Application: If the installation of an application is corrupt or outdated (like Vipre Internet Security), it may become incompatible with the CFA resulting in the protected memory issue at hand. 
  • Corrupt System Files: If the essential system or application files are corrupt and CFA cannot verify their authenticity, then it may block these files from accessing protected memory.  
  • Infected Router or Network: If the network or its router is infected with the malware or behaves like one, then Windows Security may block network-related services from accessing protected system resources. 

How to Fix and Stop the Blocked Prompts?

Start with the first method and work your way down accordingly as they are listed according to the difficulty level.

1. Launch the Problematic Application as Administrator

If the problematic application is missing the administrative privileges and trying to access a protected system resource, then the Controlled Folder Access may stop it from doing so. Here, launching the problematic application (like CCleaner) as an administrator may solve the problem. 

  1. Right-click on the problematic application e.g., Ccleaner, and select Run as Administrator.

    Running the application as an administrator
    Running the application as an administrator

If a UAC prompt is received, click Yes, and afterward, check if the system is clear of the protected memory issue.

2. Add the Problematic App to the Exclusions List of Controlled Folder Access

verified solution

If the above methods did not work for you, then adding the application or process triggering the issue to the exclusions list may stop the bombardment of the protected memory access messages. Although, the process is a simple one a user should be vigilant, so, he should not allow malware to the protected folders. \

There is another issue with the protected memory message that the path to the process causing the issue is not visible. So, we will try to cover all the aspects and you should follow the undermentioned steps to clear the issue, but, before doing that, make sure to perform a thorough scan of the system with Windows Defender and other free utilities like ESET Sysrescue and Malwarebytes.

Step 1: Find the Location of the Problematic Process

Through the Task Manager

First, we’ll need to find the location of the problematic process through the task manager.

  1. Right-click on Windows and select Task Manager.
  2. Now, in the Task Manager window, right-click on the problematic process (e.g., Dell Data Vault Collector Service) and select Open File Location.
  3. Then, File Explorer will open with the file’s location. Click in the Address bar of the File Explorer and copy the path.
Through the Event Viewer

The above method may work for 3rd party apps but for system services, it may not work and a user can use the Event Viewer to find out the problematic process.

  1. Click Windows, type, and open Event Viewer.

    Launching Event Viewer
    Launching Event Viewer
  2. Now, in the left pane, check the following paths (one by one) by expanding the folders: 
    Application and Services Logs > Microsoft > Windows > Windows Defender > Operational

Application and Services Logs > Microsoft > Windows > Windows Defender > WHC
  3. Then check for the events referring to the memory block error. Usually, the following Event IDs referred to the issue: 
    1123, 1124, 1127, 5007

    Opening Windows Defender Events in the Event Viewer
    Opening Windows Defender Events in the Event Viewer
  4. Once found, in the General tab, check for the Process Name and copy the path of the process. You may also find the problematic process by using Process Explorer.

    Copying the Path of the Problematic Process of Controlled Folder Access Process from the Event Viewer
    Copying the Path of the Problematic Process of Controlled Folder Access Process from the Event Viewer

You can also find the problematic process’s path by executing the following in the PowerShell (Admin). If you know the event ID, you can also add it to the code:

Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object {$_.ID -eq "1123" -or $_.ID -eq "1124"}
Pause

Step 2: Check the Status of the Application or Process

This is the trickiest part as there is no single formula that fits all but we will try out best to outline general guidelines. 

  1. Search the web for the process or application causing the issue to check if it is a safe file to exclude from the Controlled Folder Access. 
  2. Then submit the file to the VirusTotal to check if the file is safe. 
  3. Now download Microsoft’s SigCheck from this URL.

    Downloading Sigcheck
    Downloading Sigcheck
  4. Then use the SigCheck to verify if the File’s signature is legitimate. 

Step 3: Exclude the File from Controlled Folder Access (CFA)

Here, we will exclude the file, process, or application from the Controlled Folder Access.

Warning:

You must keep in mind that if you are excluding a Windows process (although, Microsoft should have taken care of it) and there is a vulnerability in the process, then a hacker or malware may use that to gain the access to the folder and system, so, proceed at your own risk.

  1. Click Windows, search and open Windows Security.

    Accessing Windows Security
    Accessing Windows Security
  2. Now, in the left pane, head to the Virus & Threat Protection, and open Virus & Threat Protection Settings.

    Opening Virus & Threat Protections Settings
    Opening Virus & Threat Protections Settings
  3. Now select Controlled Folder Access settings and open Add or Remove Exclusions.

    Open Add or Remove Exclusions in CFA
    Open Add or Remove Exclusions in CFA
  4. Now click on Add an Exclusion and select the appropriate option (File, Folder, etc.).

    Adding an Exclusion
    Adding an Exclusion
  5. Afterward, navigate to the path where the problematic process/ application is located.

    File sucessfully excluded
    File sucessfully excluded
  6. Then check if the protected memory issue is resolved.

If you have to frequently exclude the apps from Controlled Folder Access, then executing the following in the PowerShell (Admin) will be an easy way (make sure to change “path to program.exe” with the path of the problematic file):

Add-MpPreference -ControlledFolderAccessAllowedApplications "path to program.exe"

3. Reinstall the Corrupt or Outdated Application

If the application that is triggering the ‘protected memory access blocked’ message has become corrupt or outdated, it may not be compatible with the Controlled folder Access (CFA). This will eventually result in an error message. In such a case, reinstalling the corrupt or outdated application may solve the problem.

For illustration, we will discuss the process of uninstalling Vipre Internet Security.

  1. Expand the System’s Tray and right-click on Vipre.
  2. Now hover over Active Protection > Disable Active Protection.

    Disabling Active Protection of the Vipre Internet Security
    Disabling Active Protection of the Vipre Internet Security
  3. Then select Until Manually Enabled and afterward, confirm to disable the Vipre antivirus.
  4. Now click Windows and scroll down till the Vipre Folder is shown.
  5. Then expand the Vipre folder and right-click on Vipre.
  6. Now click on Uninstall and then, in the Programs window, select Vipre and click on Uninstall.

    Uninstalling Vipre
    Uninstalling Vipre
  7. Then confirm to uninstall the application and follow the prompts to uninstall Vipre.
  8. Now reboot your system and upon reboot, check if the memory access blocked messages have vanished.

If the issue is resolved, you can reinstall the application after downloading the latest versions from the web.

Following applications are reported by users to trigger the issue:

  • Dell Support Assist
  • Security Products (AVG, Malwarebytes, etc.).

4. Disable the Controlled Folder Access

If none of the above did the trick for you or you are getting the protected memory access blocked message for nearly everything on the system, then you are left with no other choice but to disable the Controlled Folder Access or perform a clean installation of the system.

We strongly discourage users to not to disable this feature. If the protected memory access blocked message is not harming the operation of your machine, then it will be better to disable Windows notifications than to disable CFA. 

But before going to the route of disabling CFA, make sure your router or network (Terminal Server or RDP) is not causing the issue (by trying another router or network). 

Note: Proceed at your own risk as disabling the Controlled Folder Access (CFA) may expose your system/ data to threats (especially, Ransomware). 

Option 1: Use the Audit Mode

If you do not want to disable the Controlled Folder Access, then using it in the audit mode may be beneficial for you. To do so, open the PowerShell (Admin) and execute the following: 

Set-MpPreference -EnableControlledFolderAccess AuditMode

Option 2: Disable CFA

If using the Audit Mode is not your piece of cake and you must have to disable Controlled Folder Access, then follow the steps below: 

  1. Click Windows, search and open Windows Security. 
  2. Now head to the Virus & Threat Protection tab and open Manage Ransomware Protection.

    Opening Manage Ransomware Protection
    Opening Manage Ransomware Protection
  3. Now toggle the switch of Controlled Folder Access to the off position and hopefully, the system is clear of the protected memory messages.

    Disabling Controlled Folder Access
    Disabling Controlled Folder Access

5. Perform an In-Place Upgrade of Windows

If your essential system files have become corrupt, then the Controlled Folder Access may block access to these as it “thinks” these files/services as false positives for a ransomware process.

In this scenario, performing an in-place upgrade of the PC’s Windows may replace the corrupt system files and thus solve the problem. Before proceeding, make sure to back up the system’s data and create a system’s restore point.

You can follow the complete steps in our article on How to Perform an In-place upgrade.

Last Updated: September 26, 2022
6 minutes read
Photo of Shaheer Asif

Shaheer Asif

Shaheer is the lead troubleshooter at Computer Verge. He has over 7 years of IT experience. He has a Bachelor's degree in Computer Science and has completed various IT programming and support certifications.
Back to top button