If you just installed Windows 11 25H2 and suddenly your desktop is flashing with “Protected memory access blocked” alerts, you’re not crazy. This is a massive false positive issue impacting key Microsoft executables.
Here is the quick breakdown of why this is happening and the fix.
Why Controlled Folder Access (CFA) is a Great Idea
Before we fix it, know that CFA is a valuable security layer: it is Microsoft Defender's built-in defense against ransomware.
Note that CFA is NOT enabled by default, but anyone who is serious about security will have turned it on, and if you haven't, you should… immediately!
- How it works: CFA acts as a gatekeeper for critical folders such as Documents, Pictures, Videos and Desktop (plus any folders you add yourself)
- The protection: only apps that Defender already trusts, or that you have put on the allow list, may change files in those folders. An untrusted program (a ransomware payload, say) that tries to encrypt them is blocked immediately
- The trade-off: when an app does something that looks suspicious, CFA blocks first and asks questions later, even if the app is legitimate. That is where our false positives come from
That trade-off is why Microsoft has not enabled CFA by default. They learned from earlier security measures, such as Windows Vista's User Account Control, that most consumers want convenience over security.
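If you want to turn CFA on without walking straight into the trade-off described above, Defender offers an Audit mode that only logs what it would have blocked. The script below is an added example, not code from the original post: it reports the current CFA state, switches it to Audit mode if it is off, and adds extra folders to the protected set. The folder names in $extraFolders are an assumption for this example; substitute your own. It must run in an elevated PowerShell session.

```powershell
# Added example, not from the original post. Run as Administrator.
# Shows the current Controlled Folder Access (CFA) state, turns it on in Audit mode if it is
# off, and protects extra folders. $extraFolders is this example's assumption; adjust it.

# Map the numeric EnableControlledFolderAccess value that Defender reports to its name.
$cfaModes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'
               3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }

$pref = Get-MpPreference
"CFA mode:          $($cfaModes[[int]$pref.EnableControlledFolderAccess])"
"Extra protected:   $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed apps:      $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# Audit mode logs what *would* be blocked (event 1124 in the Defender operational log) without
# blocking anything, so you can review a few days of events before switching to Enabled
# (where real blocks show up as event 1123).
if ([int]$pref.EnableControlledFolderAccess -eq 0) {
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    "CFA was off; enabled in AuditMode. Once the 1124 events look clean, run:"
    "  Set-MpPreference -EnableControlledFolderAccess Enabled"
}

# Documents, Pictures, Videos, Desktop etc. are protected by default; add anything else you
# would hate to lose to ransomware. Only existing folders are added.
$extraFolders = @("$env:USERPROFILE\source", 'D:\Backups')   # assumption for this example
foreach ($f in $extraFolders) {
    if (Test-Path -LiteralPath $f -PathType Container) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $f
        "Now protecting: $f"
    }
}
```

Audit mode is the practical answer to the "blocks first, asks questions later" problem: you get the full list of apps that would have been stopped before any of them actually is.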
The 25H2 Spike: Microsoft’s Official Reason
You’re not imagining the increase in alerts after the 25H2 upgrade. Microsoft confirmed that the spike is due to:
- Stricter heuristics: the 25H2 security components (Defender SmartScreen, file-access telemetry) use more sensitive behavioral rules. Apps that dynamically load DLLs or update their data in a way that now resembles a ransomware tactic get flagged, even when they are signed Microsoft programs
- The upgrade dropping apps you had already allowed: if you upgraded via an enablement package, some legacy trust settings or exclusions may not have migrated cleanly, forcing a re-evaluation of trust for system executables
The result is CFA mistakenly blocking entirely legitimate applications like:
| Executable | Path | Function | Safe to allow? |
|---|---|---|---|
| amdow.exe | Program Files\AMD\CNext\CNext\amdow.exe | AMD driver component, likely related to the Radeon overlay or telemetry | Yes, if you use AMD Radeon software |
| AMDRSServ.exe | Program Files\AMD\CNext\CNext\AMDRSServ.exe | AMD Radeon Settings service; manages display and driver settings | Yes, if you use Radeon Settings |
| cmd.exe | C:\Windows\System32\cmd.exe | Command Prompt, used by scripts, installers and automation tools | Yes, if part of your workflow (see caveat below) |
| cmd.exe | C:\Windows\SysWOW64\cmd.exe | 32-bit Command Prompt | Same as above |
| conhost.exe | C:\Windows\System32\conhost.exe | Console Window Host, the middleware between command-line programs and the Windows GUI | Yes, if triggered by trusted scripts |
| dllhost.exe | C:\Windows\SysWOW64\dllhost.exe | COM Surrogate (32-bit), a core Windows process that hosts COM DLLs | Yes, if the path matches the system default |
| identity_helper.exe | C:\Program Files (x86)\Microsoft\Edge\Application\142.0.3595.19\identity_helper.exe | Microsoft Edge identity component | Yes, but best added via a wildcard exclusion as explained below |
| msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Microsoft Edge browser executable | Yes, but the version-numbered copy needs a wildcard exclusion as explained below |
| OfficeC2RClient.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe | Microsoft Office Click-to-Run update client | Yes, if the path is legitimate |
| reg.exe | C:\Windows\System32\reg.exe | Registry console tool, used to read and write registry keys | Yes, if part of known scripts or installers (see caveat below) |
| schtasks.exe | Windows\System32\schtasks.exe | Task Scheduler command-line tool, used to create and manage scheduled tasks | Yes, if used by trusted apps or scripts (see caveat below) |
One caveat on cmd.exe, reg.exe and schtasks.exe: these are exactly the built-in tools that ransomware and other malware drive to do their work (so-called living-off-the-land binaries). Allowing cmd.exe through CFA means any script that spawns a Command Prompt, including a malicious one, can write to your protected folders. Allow them only once you have confirmed that a specific workflow of yours needs it, and consider removing the entry again afterwards.
The Fix: How to See the Full Path & Whitelist Permanently
Because these apps are being blocked for their behavior rather than their reputation, we need to add them to the allow list (whitelist) manually.
NOTE: this does reduce your security, but considering that the vast majority of consumers and companies don't have CFA enabled at all, you will still be far more secure than average. Keep the list as short as possible and only add exact paths you have verified.
1. Identify the Full Path of the Blocked App

To whitelist the app, you need its exact location. The easiest way to get this is through the Windows Security UI:
- Click START and type Windows Security, then click on it
- Click Virus & Threat Protection
- Under Ransomware protection section, click Manage ransomware protection
- Click Allow an app through Controlled folder access
- Click Add an allowed app and select Recently blocked apps
- This list shows the full path (e.g., C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe) of every app CFA recently blocked. The path is a good first indication of whether the app is really from Microsoft or not.
- For instance, if you see C:\Users\YourName\AppData\Local\Temp\OfficeC2RClient.exe as the path, it's likely malware: the real Click-to-Run client never lives in a user's Temp folder.
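The path check in the step above can be automated, and you can go one step further than the GUI by checking the file's digital signature. The script below is an added example, not code from the original post: it reads the CFA block events from the Defender operational log, pulls out the executable that was stopped, and reports whether it is validly signed (and by whom) and whether it lives where a real system or vendor binary would. It assumes that event 1123 carries "Process Name" and "Path" data fields (confirm with $e.ToXml() on your build if the columns come back empty); the list of expected locations is this example's own choice. Run it in an elevated session.

```powershell
# Added example, not code from the original post. Run as Administrator.
# Lists what CFA blocked and checks whether each blocked binary is what it claims to be.
# Assumptions: event 1123 exposes 'Process Name' and 'Path' data fields (verify with
# $e.ToXml()); $expected is this example's own list of legitimate install locations.

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123       # 1123 = CFA blocked a change; 1124 = the audit-mode equivalent
} -MaxEvents 500 -ErrorAction SilentlyContinue

$blocked = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Process = $data['Process Name']   # executable that CFA stopped
        Target  = $data['Path']           # protected file it tried to change
    }
}

# Where legitimately installed system and vendor binaries live. A system-looking name under a
# user profile (Temp, Downloads, AppData) is the classic sign of an impostor.
$expected = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")

$report = foreach ($b in ($blocked | Where-Object Process | Sort-Object Process -Unique)) {
    $p = $b.Process
    $exists = Test-Path -LiteralPath $p -PathType Leaf
    $sig = if ($exists) { Get-AuthenticodeSignature -LiteralPath $p } else { $null }
    $inExpected = [bool]($expected | Where-Object { $p -like $_ })
    # Windows system files are usually catalog-signed; Get-AuthenticodeSignature reports those
    # as Valid too, so a Valid status is meaningful for cmd.exe, reg.exe and friends.
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $status = if ($sig) { $sig.Status } else { 'n/a' }
    $msSigned = ($sig -and $sig.Status -eq 'Valid' -and $signer -like 'CN=Microsoft *')

    $verdict = if (-not $exists)           { 'file no longer present' }
               elseif ($status -ne 'Valid') { 'INVESTIGATE: unsigned or bad signature' }
               elseif (-not $inExpected)    { 'INVESTIGATE: unusual location' }
               elseif ($msSigned)           { 'Microsoft-signed, likely false positive' }
               else                         { 'third-party signed, verify the vendor' }

    [pscustomobject]@{
        Process = $p
        Signer  = $signer
        Status  = $status
        Verdict = $verdict
    }
}
$report | Format-Table -AutoSize
```

Anything that comes back as INVESTIGATE should not go on the allow list until you know what it is; a Temp-folder OfficeC2RClient.exe from the example above would show up here as both unsigned and in an unusual location.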
2. Implement the Permanent PowerShell Exclusion (Required for Edge)
Simply allowing a constantly updating app like Edge through the UI is only a temporary fix, because the version number in its path changes with every update (e.g., ...Edge\Application\**142.0.3595.19**\msedge.exe). We need a wildcard for a permanent solution. Unfortunately this cannot be done in the Windows Security GUI; you have to use PowerShell.
- Right-click the Start button and choose Windows Terminal (Admin) or PowerShell (Admin)
- Make sure the session is elevated (running as Administrator); Add-MpPreference needs it
- Run the following commands one at a time to add the exclusions
- The * wildcard stands in for the version-numbered folder, so the Edge entries keep working after future updates
For Edge (using wildcards to survive future updates):

```powershell
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files (x86)\Microsoft\Edge\Application\*\identity_helper.exe"
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files (x86)\Microsoft\Edge\Application\*\msedge.exe"
```
For other critical Microsoft system apps:

```powershell
# dllhost.exe: the table above lists the 32-bit copy under SysWOW64; use whichever path
# "Recently blocked apps" actually showed you
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Windows\System32\dllhost.exe"
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe"
```
Once complete, the false-positive alerts will stop and your essential Microsoft applications will work again, while CFA keeps guarding your protected folders against every process you have not explicitly allowed. You can confirm the entries took effect with Get-MpPreference (look at the ControlledFolderAccessAllowedApplications property).
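Since every allow-list entry is a hole in the protection, it is worth reviewing the list after you have added to it. The script below is an added example, not code from the original post: it reads the current allow list and flags entries that weaken CFA more than they should (interpreters and admin tools that malware commonly drives, paths under user-writable locations that an attacker could plant a binary in, wildcards in the file-name position, and paths that no longer exist), then shows how to roll an entry back. The "risky" lists are this example's own judgement, not a Microsoft list. Run it in an elevated session.

```powershell
# Added example, not from the original post. Run as Administrator.
# Reviews the CFA allow list for entries that quietly weaken the protection, and shows rollback.
# The $lolbins and $userWritable lists are this example's own judgement.

$allowed = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)

# Interpreters and admin tools that ransomware routinely launches. Allowing one of these lets
# ANY script or process that spawns it write to protected folders, so treat it as a last resort.
$lolbins = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
           'reg.exe', 'schtasks.exe', 'rundll32.exe', 'mshta.exe'

# Locations a non-admin process can usually create files in: an allow entry pointing here can be
# hijacked simply by dropping a file at that path.
$userWritable = @('C:\Users\*', "$env:ProgramData\*")

$review = foreach ($a in $allowed) {
    $leaf  = Split-Path -Path $a -Leaf
    $flags = @()
    if ($lolbins -contains $leaf)                           { $flags += 'LOLBin: broad write access' }
    if ($userWritable | Where-Object { $a -like $_ })       { $flags += 'user-writable path' }
    if ($leaf -match '\*')                                  { $flags += 'wildcard in file name' }   # e.g. ...\* allows anything there
    if ($a -notmatch '\*' -and
        -not (Test-Path -LiteralPath $a -PathType Leaf))    { $flags += 'path does not exist' }
    [pscustomobject]@{ Entry = $a; Flags = ($flags -join ', ') }
}
$review | Format-Table -AutoSize

# Roll back an entry you decide was too broad. Pass exactly the string you added, wildcard included:
#   Remove-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Windows\System32\cmd.exe'
# If you only need a blocked app to work once (an installer, say), switching CFA to Audit mode
# for that session and back is safer than a permanent allow entry:
#   Set-MpPreference -EnableControlledFolderAccess AuditMode
#   Set-MpPreference -EnableControlledFolderAccess Enabled
```

The Edge wildcard entries from the fix above pass this review: the * sits in a folder position under Program Files (x86), and the file name itself is fixed. An entry like C:\Users\YourName\AppData\Local\Temp\*.exe would be flagged twice, and is the kind of exclusion that turns CFA off without telling you.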
