We have used DISM (Deployment Image Servicing and Management) tools for many years but were surprised to see this message pop up on a user's Windows 11 desktop:
App or process blocked: DismHost.exe
Protected folder: \Device\Harddisk\Volume3
Blocked by: Controlled folder access
Most companies and users are not using the Controlled Folder Access feature in Windows Defender, but we like it and enable it as a general rule. The idea is that if Defender thinks a program should not be accessing a folder (i.e. DISMHOST.EXE is trying to read/write files on your desktop), it pops up and tells you it was blocked. That makes good sense to us and our clients.
What Is DISMHOST.EXE
It is a command-line tool used to service and prepare Windows images, including those used for Windows PE, Windows Recovery Environment (Windows RE), and good old normal Windows Setup. It can be used to service a Windows image (.wim) file or a virtual hard disk (.vhdx), for example to inject drivers or delete files.
DismHost.exe is usually found in C:\Windows\SysWoW64\dism. It's not a virus or a "potentially unwanted app". However, if a virus or malware program uses the DismHost.exe file as its host, Windows Defender and other antivirus programs may not treat it as a threat, so if you see something odd, it could be something to be concerned about.
Why Windows Controlled Folder Access May Block DISMHOST.EXE
As for why Windows Controlled Folder Access would block it, this feature is part of Windows Defender Security. When enabled, it tracks the apps (executable files, scripts, and DLLs) trying to make changes to files in the protected folders. If the app is malicious or not recognized, the feature will block the attempt in real time, and you'll receive a notification of the suspicious activity.
In the case of DismHost.exe, it’s possible that one of the processes it hosts may be a third-party service, which Windows Security is not trusting. You can either disable Controlled Folder Access, ignore the messages, or find out which service is touching these folders and determine if you want to remove or ignore it.
In our case we opted to allow it to work.
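Before allowing it, it is worth confirming which DismHost.exe was actually blocked and that it is a signed Microsoft binary. The PowerShell below is an added example, not part of the original post. It reads Defender's Controlled Folder Access block events (ID 1123), checks the signature of each blocked DismHost.exe, and only adds validly signed copies to the allow list. It assumes an elevated session and that the event carries `Process Name` and `Path` data fields.

```powershell
# Added example: review CFA blocks for DismHost.exe before allow-listing it.
# Run from an elevated PowerShell session on a machine using Microsoft Defender.
$log = 'Microsoft-Windows-Windows Defender/Operational'

# Event ID 1123 = Controlled folder access blocked an app (1124 = audit mode).
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue

$blocked = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    # Assumption: named fields 'Process Name' and 'Path' exist in this event.
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Process = $data['Process Name']   # executable that was blocked
        Target  = $data['Path']           # protected location it tried to touch
    }
}

# One row per distinct DismHost.exe path, with its signature status.
$candidates = $blocked |
    Where-Object { $_.Process -like '*\DismHost.exe' } |
    Group-Object Process | ForEach-Object {
        $path = $_.Name
        $sig  = if (Test-Path -LiteralPath $path) {
                    Get-AuthenticodeSignature -LiteralPath $path
                }
        [pscustomobject]@{
            Path   = $path
            Blocks = $_.Count
            Status = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer = $sig.SignerCertificate.Subject
        }
    }
$candidates | Format-List

# Allow only copies with a valid Microsoft signature; warn about the rest.
foreach ($c in $candidates) {
    if ($c.Status -eq 'Valid' -and $c.Signer -like '*O=Microsoft Corporation*') {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $c.Path
    } else {
        Write-Warning "Not allowing $($c.Path): signature status $($c.Status)"
    }
}
```

The allow list is path-based, so a copy of DismHost.exe in a different folder is evaluated separately and will still be blocked until it is reviewed.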
DismHost and Windows Defender
While we have not been able to verify it directly ourselves, we have read, and had clients point to, many blog posts that trace back to this one, which indicates that Windows Defender will copy DismHost to C:\USERS\[user]\APPDATA\LOCAL\TEMP if it was unable to complete a scan.
That file and all files in C:\USERS\[user]\APPDATA\LOCAL\TEMP are safe to delete.