SOLVED: What is DismHost.exe & Why Would Windows Controlled Folder Access Block It?

Published by Ian Matthews on

We have used DISM (Deployment Image Servicing and Management) tools for many years but were surprised to see this message popup on a users Windows 11 desktop:

App or process blocked: DismHost.exe
Protected folder: \Device\Harddisk\Volume3
Blocked by: Controlled folder access

dismhost access alert protection history

Most companies and users are not using Controlled Folder Access feature in Windows Defender, but we like it an enable it as a general rule. The idea is that if Defender thinks a program should not be accessing folder (i.e. DISMHOST.EXE is trying read/write files to your desktop), it pops up and tells you it was blocked. That makes good sense to us and our clients.

What Is DISMHOST.EXE

It is a command-line tool used to service and prepare Windows images, including those used for Windows PE, Windows Recovery Environment (Windows RE), and a good-old normal Windows Setup. It can be used to service (i.e. inject drivers or delete files) from a Windows image (.wim) file or a virtual hard disk (.vhdx).

DismHost.exe is usually found in the C:\Windows\SysWoW64\dism. It’s not a virus or a “potentially unwanted app”. However, if a virus or malware program uses the DismHost.exe file as its host, Windows Defender and other antivirus programs may not treat it as a threat so if you see something odd, it could be something to be concerned with.

Why Windows Controlled Folder Access May Block DISMHOST.EXE

As for why Windows Controlled Folder Access would block it, this feature is part of Windows Defender Security. When enabled, it tracks the apps (executable files, scripts, and DLLs) trying to make changes to files in the protected folders. If the app is malicious or not recognized, the feature will block the attempt in real-time, and you’ll receive a notification of the suspicious activity.

In the case of DismHost.exe, it’s possible that one of the processes it hosts may be a third-party service, which Windows Security is not trusting. You can either disable Controlled Folder Access, ignore the messages, or find out which service is touching these folders and determine if you want to remove or ignore it.

In our case we opted to allow it to work.

DismHost and Windows Defender

While we have not been able to verify it directly ourselves, we have read and had clients point to many blog posts that get back to this one which indicates Windows Defender will copy DismHost to C:\USERS\[user]\APPDATA\LOCAL\TEMP if it was unable to complete a scan.

That file and all files in C:\USERS\[user]\APPDATA\LOCAL\TEMP are safe to delete.

Categories: Windows 11 & Windows 10Windows Server

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

disk genius disk clone tutorial

SOLVED: VIDEO: How To Use Free DiskGenius To Clone M.2 SSD

In our case we needed to upgrade an existing MDOT to NVME SSD from two terabytes to four terabytes and didn’t want to lose or damage our windows installation. We really did not want to Read more…

how to delete a user profile from a remote computer using powershell

SOLVED: How To Delete a User Profile On a Remote Computer Using PowerShell

We recently had a customers server have several User Profile issues and we were not able to log onto the server. The solution was to delete the user profiles remotely using this simple PowerShell command Read more…

wifi forget network greyed out - clip

SOLVED: Why FORGET Network Button is Greyed Out

We recently had a client struggle to troubleshoot their WiFi network problems for 2 months before asking us to help. The new they need to remove the WiFi network from some Windows 10 and Windows Read more…