Issue:
DataGuard blocks Snipping Tool as svchost.exe on Windows 10 and 11 devices when you take screenshots with the tool. Allowing SnippingTool.exe does not solve the issue.
Resolution:
When you take a screenshot with Snipping Tool using the Win+Shift+S keyboard shortcut or the Print Screen button, the tool takes the screenshot immediately and automatically tries to save the file to the user's OneDrive folder. With this method, svchost.exe is used during the process, which makes svchost.exe the last process to access the protected folder. Since svchost.exe is not a trusted application, DataGuard blocks it.
We do not recommend adding svchost.exe as a trusted application.
There are a few workarounds for this issue:
- You exclude the screenshots folder from DataGuard so that the folder is not protected
- You open Snipping Tool manually from the Windows Start Menu
- You use the Vaults feature for DataGuard
The first workaround is that you exclude the screenshots folder from DataGuard so that the folder is not protected. Example of an exclusion:
- Log in to the Elements Endpoint Protection portal (https://elements.withsecure.com)
- Go to the Profiles page
- Select the profile that is in use on the affected devices
- Go to the DataGuard settings page
- Scroll down to the Manually excluded folders section
- Click Add path
- Add: %userprofile%\Onedrive*\Pictures\Screenshots\
- Click Save and publish
Note: The folder name and path can differ based on the Windows language, so this exclusion might not work for all users. Additional exclusions can be created in the same way as in the example above. To see the path, view the DataGuard block detection on the Security Events page in the Elements Endpoint Protection portal.
The second workaround is to open Snipping Tool manually from the Windows Start Menu. When you open Snipping Tool manually and take a screenshot, you can choose the save location yourself. With this workaround, you can save the file directly to a DataGuard protected folder, because the last process to access the protected folder is SnippingTool.exe, which is a trusted application by default.
The third option is to drop DataGuard completely and use the Vaults feature (it is a subset of DataGuard). Unlike DataGuard, Vaults defines a list of user documents, and only the explicitly defined applications are allowed to operate on those documents. It does not treat generic folders, such as the problematic screenshots location, as protected. Vaults should reduce the false positive rate and still provide a good level of protection.
Article no: 000042527