I got the new Parallels update a couple of days ago. I had the problem installing Parallels Tools and fixed that by disabling Windows Defender. Once installed, I re-enabled it. Now, I periodically see Windows Defender complaining about prl_tools.exe trying to change a controlled folder. This has only started since the last update. Now, I'm perfectly fine with giving it permission, but I'd like to know what it's trying to do before I do that.

Details from the Event Log:

Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Date: 3/22/2019 11:17:05 AM
Event ID: 1127
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: XXX
Description:
Controlled Folder Access blocked C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools.exe from making changes to memory.
Detection time: 2019-03-22T15:17:05.908Z
User: NT AUTHORITY\SYSTEM
Path: \Device\Harddisk0\DR0
Process Name: C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools.exe
Signature Version: 1.291.66.0
Engine Version: 1.1.15800.1
Product Version: 4.18.1902.2

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
    <EventID>1127</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-03-22T15:17:05.909390800Z" />
    <EventRecordID>1154</EventRecordID>
    <Correlation />
    <Execution ProcessID="3868" ThreadID="4504" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>XXX</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">%%827</Data>
    <Data Name="Product Version">4.18.1902.2</Data>
    <Data Name="Unused"> </Data>
    <Data Name="ID"> </Data>
    <Data Name="Detection Time">2019-03-22T15:17:05.908Z</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="Path">\Device\Harddisk0\DR0</Data>
    <Data Name="Process Name">C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools.exe</Data>
    <Data Name="Signature Version">1.291.66.0</Data>
    <Data Name="Engine Version">1.1.15800.1</Data>
  </EventData>
</Event>
Hi, it happens that the Windows Defender does not allow you to download and save a deliberately safe file. If you disable it, does everything work ok?
It probably will. But before I disable it for prl_tools.exe, I want to know what Parallels is trying to do in this protected directory and why it needs to. It's protected for a reason. Also, this wasn't happening prior to the latest update.
Actually, prl_tools.exe is a standard Windows process. And Parallels Tools is a set of drivers for the guest OS that is installed in your VM. So, like other drivers, Parallels Tools is located in the Windows System folders. Did you protect this folder or maybe another one?
I didn't change anything. I was running fine, got the Parallels update last week and now I'm getting this error. Defender is configured the same way it was before. Maybe Microsoft changed something? The path that it is supposedly hitting is \device\harddrive0\dr0. Is prl_tools.exe attempting to access the physical disk volume? (Virtual, of course, but you know what I mean)
prl_tools.exe may access the disk volume to get partition info to monitor disk space usage. How do I configure Windows Defender to produce the above-mentioned warnings?
I believe it's the Ransomware protection, Controlled folder access. I've attached a file of the setting I think is being hit.
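
Added example, not part of any post in this thread and not Parallels or Microsoft code: a PowerShell sketch for an elevated prompt inside the Windows guest that summarises Controlled Folder Access block events by process and target, so you can see what is being blocked before allowing anything. Event ID 1127 and the "Process Name" and "Path" fields come from the log quoted above; including event ID 1123 (blocked change to a protected folder) is an assumption based on Microsoft's documented event list.

```powershell
# Added example: summarise Controlled Folder Access (CFA) block events.
# Run in an elevated PowerShell session on the affected Windows machine.
$log = 'Microsoft-Windows-Windows Defender/Operational'
$ids = 1123, 1127   # 1127 is the event shown in this thread; 1123 is an assumption (see lead-in)

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids } -ErrorAction SilentlyContinue

# Turn each event's <EventData> into a flat object keyed by the Data "Name" attribute.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Process = $data['Process Name']
        Target  = $data['Path']
        User    = $data['User']
    }
}

# One line per (process, target) pair: how often it was blocked, and when.
$rows |
    Group-Object Process, Target |
    Sort-Object Count -Descending |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Count   = $_.Count
            Process = $_.Group[0].Process
            Target  = $_.Group[0].Target
            First   = ($sorted | Select-Object -First 1).Time
            Last    = ($sorted | Select-Object -Last 1).Time
        }
    } |
    Format-Table -AutoSize -Wrap

# Current CFA state and the applications already on the allow list.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess, ControlledFolderAccessAllowedApplications |
    Format-List
```

A target such as \Device\Harddisk0\DR0 is a raw disk device rather than a folder, so it will not match any entry in the protected folders list.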