1

I have a Windows desktop software that needs to write new folder/files into the %USERPROFILE%\Documents\ folder. There is a Windows option, under "Ransomware protection", that protects "Controlled folders". Usually, this is disabled, but there are customers who have this turned on, which causes my app to crash when starting up (because it cannot write into the folder).

This 'authorization' cannot be bypassed by administrator rights, i.e. if you run the app as admin the app is still blocked by Windows. The app is digitally code signed by a time-stamped certificate from a trusted certificate authority. Still, this "Controlled folders access" blocks my app.

Typically, the users of my software don't have this option enabled, but some of them do. I would prefer to avoid that we have to instruct our customers to "add our software to the exception of Ransomware protection"... It seems unprofessional and sketchy. But at the moment, that's the only way I can make it work.

Is there anything I can do, on my side, when I deploy my app, that can be accepted by Windows to write into the Documents folder?

EDIT: For example, if I could add an exception via command line, that I could try to put such command to be run by the installer (which requires admin rights). But I'm not sure if this is possible.

Improve this question
7
  • 1
    I suspect it may depend on how the app is launched, e.g. is it run from Start menu or in a different way. I noticed quite a few "trusted" apps (including Firefox and even Windows' own Notepad) being blocked if they were started in an unusual way... That aside, though, it would be really an improvement if your app didn't outright crash in such situations, as there are more cases when access might be denied than just this one.
    – grawity_u1686
    Commented Mar 23, 2023 at 8:52
  • @user1686 Agreed on the "the app shouldn't crash on these situations". I don't know about the other ways of starting it up, but I'll try to explore that
    – cinico
    Commented Mar 23, 2023 at 8:54
  • So you're writing new folder/files to Documents and that triggers anti-ransomware protection for some reason? I misunderstood then, I thought you were writing to a document there.
    – Destroy666
    Commented Mar 23, 2023 at 9:00
  • @Destroy666 That's correct: I'm trying to write new folder/files as the app starts up, and that triggers the anti-ransomware protection
    – cinico
    Commented Mar 23, 2023 at 9:07
  • Does the protection catch you if you wait 60 seconds or some other length of time? Do you have to write to the documents folder or would %appdata% do? What kind of "software" is this, an exe or some kind of script? I notice at learn.microsoft.com/en-us/microsoft-365/security/… it says "Apps can also be added manually to the trusted list by using Configuration Manager or Intune."
    – Mokubai
    Commented Mar 23, 2023 at 9:43

1 Answer 1

Reset to default
1

The Microsoft article Protect important folders with controlled folder access unfortunately says this:

Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with certificate and file indicators.

Your only option is to set your application as trusted.

The article Customize controlled folder access has this advice for using PowerShell that is Run as Administrator:

Enter the following cmdlet:

Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be allowed, including the path>"

For example, to add the executable test.exe located in the folder C:\apps, the cmdlet would be as follows:

Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
Improve this answer
2
  • Nice! I marked as accepted answer because I'm confident it will work, but if not I will report back. Thank you!!
    – cinico
    Commented Mar 23, 2023 at 12:37
  • It works! To add to this, I am going to create a PowerShell script and run it after the installer. I'm using InnoSetup, so I will follow this answer (hopefully it will help someone in the future).
    – cinico
    Commented Mar 23, 2023 at 15:11

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .