Windows 2016 monthly patching - TiWorker.exe - Attempted to dump password hash from SAM Database
July 2020 Windows Server 2016 patches are failing to install because ENS 10.7.0.1705 Threat Prevention is blocking the following process. Any idea how to suppress this false positive?
NT AUTHORITY\SYSTEM ran C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3801_none_7ed07ae422175cd5\TiWorker.exe, which tried to access HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\JD\, violating the rule "Attempt to Dump Password Hash from SAM Database ", and was blocked. For information on how to respond to this event, see KB85494.