Evaluate exploit protection


Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

Exploit protection helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.)

This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what would have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur.


You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to see how exploit protection works.

Enable exploit protection in audit mode

You can set mitigation in audit mode for specific programs either by using the Windows Security app or Windows PowerShell.

Windows Security app

  1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Defender.

  2. Click the App & browser control tile (or the app icon on the left menu bar) and then click Exploit protection.

  3. Go to Program settings and choose the app you want to apply protection to:

    1. If the app you want to configure is already listed, click it and then click Edit
    2. If the app is not listed, at the top of the list click Add program to customize and then choose how you want to add the app.
      • Use Add by program name to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
      • Use Choose exact file path to use a standard Windows Explorer file picker window to find and select the file you want.
  4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing Audit will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.

  5. Repeat this for all the apps and mitigations you want to configure. Click Apply when you're done setting up your configuration.


To set app-level mitigations to audit mode, use Set-ProcessMitigation with the Audit mode cmdlet.

Configure each mitigation in the following format:

Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>


  • <Scope>:
    • -Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
  • <Action>:
    • -Enable to enable the mitigation
      • -Disable to disable the mitigation
  • <Mitigation>:
    • The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
Mitigation Audit mode cmdlet
Arbitrary code guard (ACG) AuditDynamicCode
Block low integrity images AuditImageLoad
Block untrusted fonts AuditFont, FontAuditOnly
Code integrity guard AuditMicrosoftSigned, AuditStoreSigned
Disable Win32k system calls AuditSystemCall
Do not allow child processes AuditChildProcess

For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named testing.exe, run the following command:

Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode

You can disable audit mode by replacing -Enable with -Disable.

Review exploit protection audit events

To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.

Feature Provider/source Event ID Description
Exploit protection Security-Mitigations (Kernel Mode/User Mode) 1 ACG audit
Exploit protection Security-Mitigations (Kernel Mode/User Mode) 3 Do not allow child processes audit
Exploit protection Security-Mitigations (Kernel Mode/User Mode) 5 Block low integrity images audit
Exploit protection Security-Mitigations (Kernel Mode/User Mode) 7 Block remote images audit
Exploit protection Security-Mitigations (Kernel Mode/User Mode) 9 Disable win32k system calls audit
Exploit protection Security-Mitigations (Kernel Mode/User Mode) 11 Code integrity guard audit

See also