-
Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.
ThrottleStop blocked by windows security.
- Thread starter turl
- Start date
unclewebb
ThrottleStop & RealTemp Author
- Joined
- Jun 1, 2008
- Messages
- 8,011 (1.32/day)
@turl
Thanks for the info. Are you on Windows 11?
I use Windows Defender but my main computer is still running Windows 10 Pro. I manually checked and installed the most recent Defender Updates. I exited ThrottleStop after that and ThrottleStop restarted just fine without any complaints from Defender.
Is your computer part of a company network?
Thanks for the info. Are you on Windows 11?
I use Windows Defender but my main computer is still running Windows 10 Pro. I manually checked and installed the most recent Defender Updates. I exited ThrottleStop after that and ThrottleStop restarted just fine without any complaints from Defender.
Is your computer part of a company network?
In the meantime i've got a following comment from our IT (it was a corp network no access to add defender exclusions).
"security has blocked the list of signed drivers which are being actively exploited by malware"
Maybe it's related to CVE-2020–14979, however cannot get more info.
Currently I'm on 1.421.837.0 definitions (WIN10)
"security has blocked the list of signed drivers which are being actively exploited by malware"
Maybe it's related to CVE-2020–14979, however cannot get more info.
Currently I'm on 1.421.837.0 definitions (WIN10)
unclewebb
ThrottleStop & RealTemp Author
- Joined
- Jun 1, 2008
- Messages
- 8,011 (1.32/day)
That CVE talks about the WinRing0 driver. ThrottleStop has not used the WinRing0 driver for years.
If your corporate IT department or Microsoft has decided to start blocking the ThrottleStop.sys driver, there is nothing I can do to solve that problem.
No one has ever contacted me about any malware that is actively exploiting the ThrottleStop.sys driver.
If I ever find out anything new, I will post it here. Defender will be gone the day that it starts blocking me from running ThrottleStop.
Edit - I was just reading about the latest Asus BIOS versions for their Z790 and Z690 motherboards.
It looks like Intel has been twisting some arms. Asus have removed the ability to toggle the C1E C state off from their recent BIOS versions. Users quickly found out that it was still possible to use ThrottleStop to disable C1E. Gamers and music creators love the reduced latency when the C states are disabled. Is this the real reason why the ThrottleStop.sys driver was suddenly put on the malware list? Who knows. The driver that ThrottleStop uses has been working flawlessly for more than 4 years without a single report of any exploits.
Last edited:
This is information i got from Microsoft support:
"We identified the vulnerable driver associated with ThrottleStop.exe – RwDrv.sys, part of RWEverything, a free utility that allows access to hardware components such as SPI flash memory chip states a system’s BIOS/UEFI firmware. We blocked this driver due to this vulnerability.
Here are some articles that further explain the vulnerability:
Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode | by Matt Graeber | Posts By SpecterOps Team Members
How To Remove HackTool:Win32/Rwdrv [Updated December 2024]"
I was able to get the info by : vulnerabledrivers@microsoft.com
Looks this might become wider issue when definitions are spread. The hint was that this is not a defender rule but rather :
"ASR Rules is a different block than Windows Defender" - Atack Surface Reduction
"We identified the vulnerable driver associated with ThrottleStop.exe – RwDrv.sys, part of RWEverything, a free utility that allows access to hardware components such as SPI flash memory chip states a system’s BIOS/UEFI firmware. We blocked this driver due to this vulnerability.
Here are some articles that further explain the vulnerability:
Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode | by Matt Graeber | Posts By SpecterOps Team Members
How To Remove HackTool:Win32/Rwdrv [Updated December 2024]"
I was able to get the info by : vulnerabledrivers@microsoft.com
Looks this might become wider issue when definitions are spread. The hint was that this is not a defender rule but rather :
"ASR Rules is a different block than Windows Defender" - Atack Surface Reduction
unclewebb
ThrottleStop & RealTemp Author
- Joined
- Jun 1, 2008
- Messages
- 8,011 (1.32/day)
I agree. It could be lights out for ThrottleStop. It was fun while it lasted.
ThrottleStop.exe uses the ThrottleStop.sys driver. This is not the same as the RwDrv.sys driver that RWEverything uses.
It is interesting that I am still able to run ThrottleStop while using the newer 1.421.843.0 Windows Defender definitions without any problems. Do you have full Administrator privileges for your account?
Thanks for contacting Microsoft. I will continue to look into this issue.
- Joined
- May 14, 2004
- Messages
- 27,964 (3.72/day)
| Processor | Ryzen 7 5700X |
|---|---|
| Memory | 48 GB |
| Video Card(s) | RTX 4080 |
| Storage | 2x HDD RAID 1, 3x M.2 NVMe |
| Display(s) | 30" 2560x1600 + 19" 1280x1024 |
| Software | Windows 10 64-bit |
I think an older version of TS used that driver? Maybe MS just blocked TS and assumed all builds use the same driver?
- Joined
- Dec 25, 2020
- Messages
- 7,013 (4.81/day)
- Location
- São Paulo, Brazil
| System Name | "Icy Resurrection" |
|---|---|
| Processor | 13th Gen Intel Core i9-13900KS Special Edition |
| Motherboard | ASUS ROG Maximus Z790 Apex Encore |
| Cooling | Noctua NH-D15S upgraded with 2x NF-F12 iPPC-3000 fans and Honeywell PTM7950 TIM |
| Memory | 32 GB G.SKILL Trident Z5 RGB F5-6800J3445G16GX2-TZ5RK @ 7600 MT/s 36-44-44-52-96 1.4V |
| Video Card(s) | ASUS ROG Strix GeForce RTX™ 4080 16GB GDDR6X White OC Edition |
| Storage | 500 GB WD Black SN750 SE NVMe SSD + 4 TB WD Red Plus WD40EFPX HDD |
| Display(s) | 55-inch LG G3 OLED |
| Case | Pichau Mancer CV500 White Edition |
| Audio Device(s) | Apple USB-C + Sony MDR-V7 headphones |
| Power Supply | EVGA 1300 G2 1.3kW 80+ Gold |
| Mouse | Microsoft Classic Intellimouse |
| Keyboard | IBM Model M type 1391405 (distribución española) |
| Software | Windows 11 IoT Enterprise LTSC 24H2 |
| Benchmark Scores | I pulled a Qiqi~ |
No, any settings that are enforced by the security system or through group policy show as managed by organization on Windows 11's control panel. Microsoft has been really hard at work hardening (pun intended) Windows, if I remember correctly, the Local Security Authority system will enforce vulnerable driver protection if credential guard, core isolation, memory integrity check and/or app control are enabled in Windows Security, the operating system will completely refuse to load these drivers. It is the default behavior on all officially supported hardware and in new installs of Windows 11, this is why Microsoft has been pushing for modern hardware that supports TPM, virtualization extensions, etc. - the modern Windows security architecture relies on these things.
The result is that software like ThrottleStop, which is designed to access hardware registers at a relatively low level become a huge no-no under these conditions.
unclewebb
ThrottleStop & RealTemp Author
- Joined
- Jun 1, 2008
- Messages
- 8,011 (1.32/day)
Maybe. It is all a blur now. That was 15 years ago!
I think all of the versions before TS 9.0 were using the WinRing0 driver which has some known security issues. There have been no complaints since the WinRing0 driver was replaced by the ThrottleStop.sys driver.
Here is some info about Attack Surface Reduction. There might be a solution hiding in there.
Enable attack surface reduction rules - Microsoft Defender for Endpoint
Enable attack surface reduction rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
learn.microsoft.com
Not sure if you can convince your IT department to make an exception for ThrottleStop.sys
If you cannot run ThrottleStop, you are going to miss out on a Christmas surprise. Lots of new features are finally done including per profile power limits, per profile Speed Shift Min and Max values, per profile PROCHOT Offset values as well as V/F Tuning for the unlocked K and HX CPUs. Intel should thank me for the work I do.
A little off topic but I am seeing a lot of
on the horizon for this new version.
- Joined
- Aug 19, 2024
- Messages
- 365 (2.90/day)
- Location
- Texas, USA
| System Name | Obliterator |
|---|---|
| Processor | Ryzen 7 7700x PBO |
| Motherboard | ASRock x670e Steel Legend |
| Cooling | Noctua NH-D15 G2 LBC |
| Memory | G.skill Trident Z5 Neo 6000@CL30 |
| Video Card(s) | ASRock rx7900 GRE Steel Legend |
| Storage | 2 x 2TB Samsung 990 pro nmve ssd 2 X 4TB Samsung 870 evo sata ssd 1 X 18TB WD Gold sata hdd |
| Display(s) | LG 27GN750-B |
| Case | Fractal Torrent |
| Audio Device(s) | Klipsch promedia heritage 2.1 |
| Power Supply | FSP Hydro TI 1000w |
| Mouse | SteelSeries Prime+ |
| Keyboard | Lenovo SK-8825 (L) |
| Software | Windows 10 Enterprise LTSC 21H2 / Windows 11 Enterprise LTSC 24H2 with multiple flavors of VM |
Just for kicks, I loaded up a fresh copy of windows 11 pro on a modest office rig with an i5-12400. Nothing but windows with all updates and drivers coming from windows update. defender updated too. I disabled virtualization based security and core isolation memory integrity. Then downloaded and ran TS 9.6. was able to monitor and disable/enable things. Windows Defender did not try to eat it or block it in any way.
I'll leave it running for a while to see if it tries to eat it, but so far, i haven't been able to get defender to block it.
I'll leave it running for a while to see if it tries to eat it, but so far, i haven't been able to get defender to block it.
Maybe Attack Surface Reduction is some extra functionality, enabled only on corporate PCs by IT using group policy.
"To use the entire feature-set of attack surface reduction rules, you need:
"To use the entire feature-set of attack surface reduction rules, you need:
- Microsoft Defender Antivirus as primary AV (real-time protection on)
- Cloud-Delivery Protection on (some rules require that)
- Windows 10 Enterprise E5 or E3 License"
- Joined
- Oct 15, 2011
- Messages
- 2,479 (0.51/day)
- Location
- Springfield, Vermont
| System Name | KHR-1 |
|---|---|
| Processor | Ryzen 9 5900X |
| Motherboard | ASRock B550 PG Velocita (UEFI-BIOS P3.40) |
| Memory | 32 GB G.Skill RipJawsV F4-3200C16D-32GVR |
| Video Card(s) | Sparkle Titan Arc A770 16 GB |
| Storage | Western Digital Black SN850 1 TB NVMe SSD |
| Display(s) | Alienware AW3423DWF OLED-ASRock PG27Q15R2A (backup) |
| Case | Corsair 275R |
| Audio Device(s) | Technics SA-EX140 receiver with Polk VT60 speakers |
| Power Supply | eVGA Supernova G3 750W |
| Mouse | Logitech G Pro (Hero) |
| Software | Windows 11 Pro x64 23H2 |
I suspect libraries are going to get this, because of all the malicious-hacker-activity lately.