1

Looking in Application and Service Logs -> Microsoft -> Windows -> Security Mitigations -> Kernel mode, I seem to have two programs that consistently appear in here:

steamwebhelper.exe' (PID -) was blocked from making system calls to Win32k.sys, event id 10

and

chrome.exe' (PID -) was blocked from generating dynamic code, event ID 2

Now reading through this documentation it seems to be part of their exploit protection, coming with a suite of limitations you can place on processes.

Now the steamwebhelper one makes up the bulk, and seems to happen everytime its run. Chrome seems to be more sporadic however. I've got maybe 8 or 9 going back to June, though I have no idea what the presence of them indicates, or whether I have cause for concern.

Does anyone else have these present in their logs?

Improve this question
6
  • 1
    Yes, I have them. If everything seems to be working fine in Chrome, then you can effectively ignore these events. When a memory allocation fails (with execute protection), the app should have some safe fallbacks. Here's a potentially better explanation from MS.
    – leeharvey1
    Commented May 20, 2022 at 11:17
  • @leeharvey1 interestingly, going off of my browser history, this only seems to happen sometimes on launch, ie before I've even attempted to do anything else eith the browser.
    – GaussStrife
    Commented May 20, 2022 at 12:49
  • @leeharvey1 Are yours occurring only on the launching of chrome, as opposed to any other specific action?
    – GaussStrife
    Commented May 26, 2022 at 15:36
  • No, my events don't normally occur during Chrome startups. If I had to guess, they seem more related to Chrome app updates, or background crash reporting. I have other Chromium browsers, and they're reporting too -- but not during launches.
    – leeharvey1
    Commented May 27, 2022 at 13:01
  • So same event 2 for dynamic code, chromium browsers, but not just after launch? Hmmm, I'll have to see what I am doing next time to determine it. I suppose if it's a common thing, it's probably just being done because of the way the browser is handling code, as opposed to something malicous right?
    – GaussStrife
    Commented May 27, 2022 at 13:21

1 Answer 1

Reset to default
0
+50

You have no room for worry, as long as these applications run correctly.

The Chrome warnings seem the most worrying for you, but are probably for third-party inclusions in the browser, typically for advertisements.

The mitigation here might have even been that of blocking JavaScript code that has been obfuscated. For more information see the article
Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware.

As regarding steamwebhelper.exe, I checked the Task Scheduler and have not found any mention of it, which means it's running only when the Steam client is running. It seems to basically be a browser based on Chrome, so uses multiple processes when running. It is said to be used for the in-game browser for viewing Store and Community pages in the Steam window. As such, it's used for non-essential tasks, and whatever function that is blocked by Windows Defender doesn't seem to stop it from functioning well.

I would therefore not worry about these events, as long as these applications keep on working correctly. While it's possible to create exclusions from mitigation for selected applications, the process is complex and an error might inadvertently lower your defenses for other applications as well.

Improve this answer
10
  • Yes, I can confirm that steamhelper only runs when Steam does. For Chrome, the reason for my concern is whether this is just something it does, or as a response to something. I went back through my browser history for the dates the messages are generated, and they only happen when Chrome is launched, but before I search or open anything. Moreover, I have Javascript disabled by default, so I am unsure what this could even be as a response to. Have you observed these in your logs also?
    – GaussStrife
    Commented May 26, 2022 at 10:56
  • Yes, I have heaps of such messages for Chrome and also for Edge (which is Chromium-based). None for my Firefox-based browser. I'll probably clear this log, with dozens of messages per day. I don't suspect my computer is infected, as I periodically do antivirus scans by more than one antivirus product.
    – harrymc
    Commented May 26, 2022 at 11:29
  • It wasn't even infection I was concerned about. It was whether a particular site was causing this. But on inspection, it seems to just get generated by chrome when I launch it, which I find confusing given no scripts are being run at that point, so it raises the question (at least to me) of why the mitigation is being applied, but doesn't get applied in other instances.
    – GaussStrife
    Commented May 26, 2022 at 14:37
  • I mean in the case of your ones, are they the same event 2 regarding dynamic scripts or a different one?
    – GaussStrife
    Commented May 26, 2022 at 14:39
  • Not enough details are given with the event to answer your question. I would think that Microsoft is just being over-sensitive. For example, this can be triggered by JavaScript code that looks to be obfuscated, but I have met coders that used obfuscation-like techniques because it reduces the JavaScript code and so improved load times.
    – harrymc
    Commented May 26, 2022 at 15:09

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .