1

I got a very strange problem. I used a notebook computer installed with Win 10, and compiled a .exe file from a very simple .c file using Dev-C++. The .exe file was created on the Desktop, and I could run the .exe file -- once only. After running the .exe file, which ended successfully, attempting to run the .exe file again resulted in a permission error. I even could not delete or move the .exe file. I then right clicked the file, and found that I had no permission to view the file's permission!! Clicking the "as administrator" button did not work either.

I first thought it was Dev-C++'s problem, so I installed another compiler called dm, but the results were the same -- I compiled another .c program using the command prompt, then checked the permission, it was fine. Then I executed it once, and then checked the permission again. I was even not allowed to view the permissions again!!

I tried using a Microsoft account to login to the notebook, and also tried using a local account which had administrator rights to login, both got the same symptoms as above. What was actually the problem? Are there some kind of problems in the updates on Win 10 causing this issue? Because this problem did not happen a month ago, and the Windows update was set as automatic.

Wolfgang Kuehn
  • 12,206
  • 2
  • 33
  • 46
GreenPenguin
  • 167
  • 2
  • 15
  • 3
    I'd check if your executables got quarantined by AV / Defender. – Filburt Nov 20 '17 at 17:36
  • @Filburt But should the quarantined files be moved to a particular folder, such as C:\ProgramData\Microsoft\Windows Defender\Quarantine, instead of staying on the Desktop with access permissions changed? – GreenPenguin Nov 21 '17 at 17:02
  • Luckily I never had to deal with either real or wrongly quarantined files myself. I could only speculate that what is left on your desktop isn't the original executable any more. What does get listed when you browse to your desktop via Explorer? Does the size or modification date change when you leave some time between compiling and running your exe? Did you check the Windows Event Logs for any hints? – Filburt Nov 21 '17 at 18:34
  • @Filburt Just an update of the issue: After the latest Win10 update, the problem is solved automatically. Very strange indeed. – GreenPenguin Nov 30 '17 at 08:06

1 Answers1

0

We just found out about this the hard way. Microsoft Defender Exploit Guard will insidiously take control of exe files, if configured accordingly, on first execution. Here in bash syntax:

   rustc src/hello.rs -o hello.exe
   # Read
   sha256sum hello.exe
   # -> ec973eeb25bda853f7ae854272679f94135d578afa0758b93ce5a3e12d424edd *hello.exe
   # Try to execute
   ./hello.exe
   # -> ./hello.exe: Permission denied
   # Read again
   sha256sum hello.exe
   # -> ./hello.exe: Permission denied

In MS Event Viewer, expand Applications and Services Logs, then Microsoft, then Windows, then Windows Defender. You will find a warning saying that Microsoft Defender Exploit Guard has blocked hello.exe, in this case while executing svchost.exe.

Mitigating this issue will probably put you in touch with your companies security team, have fun!

Wolfgang Kuehn
  • 12,206
  • 2
  • 33
  • 46
  • The question was posted in Nov 2017, and was automatically gone 10 days later after some Windows update. So was this actually a kind of bug from the MS Defender Exploit Guard at that time only? – GreenPenguin Dec 30 '21 at 09:33
  • @GreenPenguin At least the symtoms are the same. Our solution was to exclude some _magic_ folder from the MS Defender Actions. – Wolfgang Kuehn Dec 31 '21 at 19:29