
ThrottleStop blocked by windows security.

turl

New Member
Joined
Dec 17, 2024
Messages
5 (1.00/day)
Looks like Windows Defender / our company has decided that ThrottleStop is not safe.
Did you notice similar issues? Is there a way to somehow fix it?

 

unclewebb

ThrottleStop & RealTemp Author
Joined
Jun 1, 2008
Messages
8,011 (1.32/day)
@turl

Thanks for the info. Are you on Windows 11?

I use Windows Defender but my main computer is still running Windows 10 Pro. I manually checked and installed the most recent Defender Updates. I exited ThrottleStop after that and ThrottleStop restarted just fine without any complaints from Defender.

Is your computer part of a company network?

 

turl

New Member
Joined
Dec 17, 2024
Messages
5 (1.00/day)
In the meantime I've got the following comment from our IT (it was a corp network, no access to add Defender exclusions).
"security has blocked the list of signed drivers which are being actively exploited by malware"

Maybe it's related to CVE-2020-14979, however I cannot get more info.

Currently I'm on 1.421.837.0 definitions (WIN10)
 

unclewebb

ThrottleStop & RealTemp Author
Joined
Jun 1, 2008
Messages
8,011 (1.32/day)
"CVE-2020-14979"
That CVE talks about the WinRing0 driver. ThrottleStop has not used the WinRing0 driver for years.

If your corporate IT department or Microsoft has decided to start blocking the ThrottleStop.sys driver, there is nothing I can do to solve that problem.

"being actively exploited by malware"
No one has ever contacted me about any malware that is actively exploiting the ThrottleStop.sys driver.

If I ever find out anything new, I will post it here. Defender will be gone the day that it starts blocking me from running ThrottleStop.

Edit - I was just reading about the latest Asus BIOS versions for their Z790 and Z690 motherboards.

It looks like Intel has been twisting some arms. Asus have removed the ability to toggle the C1E C state off from their recent BIOS versions. Users quickly found out that it was still possible to use ThrottleStop to disable C1E. Gamers and music creators love the reduced latency when the C states are disabled. Is this the real reason why the ThrottleStop.sys driver was suddenly put on the malware list? Who knows. The driver that ThrottleStop uses has been working flawlessly for more than 4 years without a single report of any exploits.
 

turl

New Member
Joined
Dec 17, 2024
Messages
5 (1.00/day)
I was using ThrottleStop for years without any issues.
I will try to get the reasons and get back here if I succeed.
 

turl

New Member
Joined
Dec 17, 2024
Messages
5 (1.00/day)
This is the information I got from Microsoft support:

"We identified the vulnerable driver associated with ThrottleStop.exe – RwDrv.sys, part of RWEverything, a free utility that allows access to hardware components such as SPI flash memory chip states a system’s BIOS/UEFI firmware. We blocked this driver due to this vulnerability.
Here are some articles that further explain the vulnerability:
Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode | by Matt Graeber | Posts By SpecterOps Team Members
How To Remove HackTool:Win32/Rwdrv [Updated December 2024]"

I was able to get the info by: vulnerabledrivers@microsoft.com

Looks like this might become a wider issue when definitions are spread. The hint was that this is not a Defender rule but rather:
"ASR Rules is a different block than Windows Defender" - Attack Surface Reduction
 

unclewebb

ThrottleStop & RealTemp Author
Joined
Jun 1, 2008
Messages
8,011 (1.32/day)
"Looks like this might become a wider issue when definitions are spread."
I agree. It could be lights out for ThrottleStop. It was fun while it lasted. :(

"RwDrv.sys"
ThrottleStop.exe uses the ThrottleStop.sys driver. This is not the same as the RwDrv.sys driver that RWEverything uses.

"Currently I'm on 1.421.837.0 definitions (WIN10)"
It is interesting that I am still able to run ThrottleStop while using the newer 1.421.843.0 Windows Defender definitions without any problems. Do you have full Administrator privileges for your account?

Thanks for contacting Microsoft. I will continue to look into this issue.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
27,964 (3.71/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
"ThrottleStop.exe uses the ThrottleStop.sys driver. This is not the same as the RwDrv.sys driver that RWEverything uses."
I think an older version of TS used that driver? Maybe MS just blocked TS and assumed all builds use the same driver?
 
Joined
Dec 25, 2020
Messages
7,013 (4.81/day)
Location
São Paulo, Brazil
System Name "Icy Resurrection"
Processor 13th Gen Intel Core i9-13900KS Special Edition
Motherboard ASUS ROG Maximus Z790 Apex Encore
Cooling Noctua NH-D15S upgraded with 2x NF-F12 iPPC-3000 fans and Honeywell PTM7950 TIM
Memory 32 GB G.SKILL Trident Z5 RGB F5-6800J3445G16GX2-TZ5RK @ 7600 MT/s 36-44-44-52-96 1.4V
Video Card(s) ASUS ROG Strix GeForce RTX™ 4080 16GB GDDR6X White OC Edition
Storage 500 GB WD Black SN750 SE NVMe SSD + 4 TB WD Red Plus WD40EFPX HDD
Display(s) 55-inch LG G3 OLED
Case Pichau Mancer CV500 White Edition
Audio Device(s) Apple USB-C + Sony MDR-V7 headphones
Power Supply EVGA 1300 G2 1.3kW 80+ Gold
Mouse Microsoft Classic Intellimouse
Keyboard IBM Model M type 1391405 (distribución española)
Software Windows 11 IoT Enterprise LTSC 24H2
Benchmark Scores I pulled a Qiqi~
"Sounds like a custom defender rule added by the OP's Company rather than MS?"

No, any settings that are enforced by the security system or through group policy show as managed by organization on Windows 11's control panel. Microsoft has been really hard at work hardening (pun intended) Windows. If I remember correctly, the Local Security Authority system will enforce vulnerable driver protection if credential guard, core isolation, memory integrity check and/or app control are enabled in Windows Security; the operating system will completely refuse to load these drivers. It is the default behavior on all officially supported hardware and in new installs of Windows 11; this is why Microsoft has been pushing for modern hardware that supports TPM, virtualization extensions, etc. - the modern Windows security architecture relies on these things.

The result is that software like ThrottleStop, which is designed to access hardware registers at a relatively low level, becomes a huge no-no under these conditions.
 

unclewebb

ThrottleStop & RealTemp Author
Joined
Jun 1, 2008
Messages
8,011 (1.32/day)
"I think an older version of TS used that driver?"
Maybe. It is all a blur now. That was 15 years ago!

I think all of the versions before TS 9.0 were using the WinRing0 driver which has some known security issues. There have been no complaints since the WinRing0 driver was replaced by the ThrottleStop.sys driver.

Here is some info about Attack Surface Reduction. There might be a solution hiding in there.

Not sure if you can convince your IT department to make an exception for ThrottleStop.sys.

If you cannot run ThrottleStop, you are going to miss out on a Christmas surprise. Lots of new features are finally done including per profile power limits, per profile Speed Shift Min and Max values, per profile PROCHOT Offset values as well as V/F Tuning for the unlocked K and HX CPUs. Intel should thank me for the work I do.

A little off topic but I am seeing a lot of :love: on the horizon for this new version.

 
Joined
Aug 19, 2024
Messages
365 (2.90/day)
Location
Texas, USA
System Name Obliterator
Processor Ryzen 7 7700x PBO
Motherboard ASRock x670e Steel Legend
Cooling Noctua NH-D15 G2 LBC
Memory G.skill Trident Z5 Neo 6000@CL30
Video Card(s) ASRock rx7900 GRE Steel Legend
Storage 2 x 2TB Samsung 990 pro nmve ssd 2 X 4TB Samsung 870 evo sata ssd 1 X 18TB WD Gold sata hdd
Display(s) LG 27GN750-B
Case Fractal Torrent
Audio Device(s) Klipsch promedia heritage 2.1
Power Supply FSP Hydro TI 1000w
Mouse SteelSeries Prime+
Keyboard Lenovo SK-8825 (L)
Software Windows 10 Enterprise LTSC 21H2 / Windows 11 Enterprise LTSC 24H2 with multiple flavors of VM
Just for kicks, I loaded up a fresh copy of Windows 11 Pro on a modest office rig with an i5-12400. Nothing but Windows with all updates and drivers coming from Windows Update. Defender updated too. I disabled virtualization-based security and core isolation memory integrity. Then downloaded and ran TS 9.6. Was able to monitor and disable/enable things. Windows Defender did not try to eat it or block it in any way.

I'll leave it running for a while to see if it tries to eat it, but so far, I haven't been able to get Defender to block it.
 

turl

New Member
Joined
Dec 17, 2024
Messages
5 (1.00/day)
Maybe Attack Surface Reduction is some extra functionality, enabled only on corporate PCs by IT using group policy.

"To use the entire feature-set of attack surface reduction rules, you need:
  • Microsoft Defender Antivirus as primary AV (real-time protection on)
  • Cloud-Delivery Protection on (some rules require that)
  • Windows 10 Enterprise E5 or E3 License"
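
Added example (not part of any post in this thread, and not code from ThrottleStop or Microsoft): a read-only PowerShell check that reports which of the mechanisms mentioned above is active on a machine, namely the ASR rule "Block abuse of exploited vulnerable signed drivers", the Microsoft vulnerable driver blocklist, and memory integrity, and lists recent ASR block/audit events. The rule GUID, event IDs and registry values are the ones Microsoft documents; the default driver name is taken from the thread, and the function names are made up for this example.

```powershell
# Added example: read-only checks, run from an elevated PowerShell prompt.
# ASR rule "Block abuse of exploited vulnerable signed drivers" (Microsoft's published GUID).
$RuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-VulnDriverAsrState {
    # Rule IDs and actions are parallel arrays in the Defender preferences.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) {
            $a = [int]($actions[$i])
            if ($ActionNames.ContainsKey($a)) { return $ActionNames[$a] }
            return "Unknown ($a)"
        }
    }
    return 'Not configured'
}

function Get-RegistryFlag {
    param([string]$Path, [string]$Name)
    # Returns 'Enabled', 'Disabled', or 'Not set' (OS default applies) when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set' }
    if ($item.$Name -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

function Get-AsrDriverEvents {
    param([string]$DriverName = 'ThrottleStop.sys', [int]$Days = 7)
    # Event 1121 = ASR rule blocked, 1122 = ASR rule audited.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $pattern = [regex]::Escape($RuleId) + '|' + [regex]::Escape($DriverName)
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, Message
}

[pscustomobject]@{
    AsrVulnerableDriverRule = Get-VulnDriverAsrState
    DriverBlocklist         = Get-RegistryFlag 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' 'VulnerableDriverBlocklistEnable'
    MemoryIntegrity         = Get-RegistryFlag 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' 'Enabled'
} | Format-List
Get-AsrDriverEvents | Format-List
```

On a managed machine the ASR rule state typically comes from Intune or Group Policy, so a result of `Block` here together with matching 1121 events points at the ASR rule rather than at antivirus definitions.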
 
Joined
Oct 15, 2011
Messages
2,479 (0.51/day)
Location
Springfield, Vermont
System Name KHR-1
Processor Ryzen 9 5900X
Motherboard ASRock B550 PG Velocita (UEFI-BIOS P3.40)
Memory 32 GB G.Skill RipJawsV F4-3200C16D-32GVR
Video Card(s) Sparkle Titan Arc A770 16 GB
Storage Western Digital Black SN850 1 TB NVMe SSD
Display(s) Alienware AW3423DWF OLED-ASRock PG27Q15R2A (backup)
Case Corsair 275R
Audio Device(s) Technics SA-EX140 receiver with Polk VT60 speakers
Power Supply eVGA Supernova G3 750W
Mouse Logitech G Pro (Hero)
Software Windows 11 Pro x64 23H2
I suspect libraries are going to get this, because of all the malicious-hacker-activity lately.
 