You're on the right track using event viewer. I'm going to mention a word some consider evil and the bane of mankind....CO-PILOT.
Here is the answer I got from the all-knowing (said facetiously) AI.
Event Viewer→ Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational
3) Look for these event IDs around the timestamp
- 1123 — Controlled Folder Access blocked an app
- 1127 — Controlled Folder Access allowed an app
- 5007 — Defender settings changed
- 1116 / 1117 — Malware detection events
- 1006 / 1007 — Network protection blocks
These events will show:
- The real process behind the block
- The path it tried to access
- The user context
- The service or scheduled task involved
This is the single most important step — it reveals the parent process that the popup hides.
Additional places to check when the cause isn’t obvious
1) Scheduled Tasks
Many apps (JetBrains IDEs, Jackett, game launchers, cloud sync tools) run update checks via scheduled tasks that call PowerShell or service hosts.
Check:
Task Scheduler → Task Scheduler Library → (sort by Last Run Time)
Look for tasks that run at the same time as the popup.
2) Services using svchost groups
Some services run inside shared svchost.exe groups. To see which service group is active at the moment of the popup:
tasklist /svc /fi "imagename eq svchost.exe"
Compare timestamps to see which service was active.
3) Windows Defender Protection History
Windows Security → Virus & threat protection → Protection historyFilter by “Controlled folder access”.
This often shows the
blocked path even when the popup doesn’t.
Likely culprits based on your tab’s context
Your open forum thread mentions two common offenders:
- Jackett auto-updater (writes to SystemTemp)
- JetBrains DataGrip (PowerShell scripts and project indexing)
Both are known to trigger CFA blocks, and both run background tasks multiple times per day.
If you use either, they’re high on the suspect list.
What to do once you identify the process
Depending on what you find:
- If it’s a legitimate app updater Disable its auto-update task or add only that specific executable as an exclusion.
- If it’s a JetBrains IDE Exclude only the project folder or the IDE’s update helper, not System32.
- If it’s a service you don’t recognize That’s a red flag — we should dig deeper.
- If it’s a script in AppData or Temp Often indicates an updater or a misbehaving background tool.
What not to do
- Don’t exclude System32, svchost.exe, or Windows Installer.
- Don’t add broad folder exclusions.
- Don’t click “Unblock” repeatedly — it doesn’t fix the root cause.
