
Windows Defender repeatedly prompts to submit .codex\config.toml; one prompt showed the same path twice #30638

Description

@MercYuriy

Summary

Microsoft Defender on Windows has repeatedly shown Sample submission prompts involving Codex's local config.toml across separate events and machines.

A later screenshot captured on June 29, 2026 on laptop YURIYS_GAMINGPC directly showed Defender listing the same exact path twice in one prompt window:

  • C:\Users\shimk\.codex\config.toml
  • C:\Users\shimk\.codex\config.toml

This suggests either:

  • Codex is causing Defender to repeatedly see/re-evaluate this file during normal startup/update/plugin activity
  • Defender is overreacting to a normal Codex config file
  • or there is a duplicate-entry / duplicate-handle edge case in how the file is being surfaced

What is confirmed

  • Defender repeatedly prompted for Codex's local .codex\config.toml across separate events.
  • The pattern occurred on both desktop and laptop.
  • On the laptop, a preserved screenshot from 2026-06-29 directly showed a Defender Sample submission dialog for C:\Users\shimk\.codex\config.toml, with the same path shown twice in the same prompt window.
  • Earlier laptop investigation showed C:\Users\shimk\.codex\config.toml was newly created at 2026-06-03 03:10:50 America/Los_Angeles.
  • In that same minute, Codex logs showed plugin/install, bundled marketplace writes, and Chrome host reconciliation.
  • A nearby file, C:\Users\shimk\.codex\chrome-native-hosts-v2.json, was also created immediately afterward.
  • Defender on the laptop had SubmitSamplesConsent = 1, so prompting before upload is expected when Defender wants to submit a file sample.

What is not confirmed

  • I have not confirmed that every prompt involved the exact same unchanged file hash.
  • I have not found a Defender operational-log entry explicitly naming config.toml.
  • I have not proven whether the duplicate rows in the June 29 prompt were byte-identical copies, separate handles, or a Defender/UI duplication artifact.

Why this seems relevant to Codex

The timing on the laptop strongly suggests the file is being created or rewritten during normal Codex local-state/setup/update/plugin activity, not just sitting unchanged:

  • config.toml created: 2026-06-03 03:10:50 local time
  • config.toml written: 03:11:13
  • chrome-native-hosts-v2.json created: 03:11:14
  • Codex logs in the same minute showed plugin install + bundled marketplace writes + Chrome host reconciliation

That makes it plausible that Codex is regenerating or rewriting local config state in a way that repeatedly surfaces config.toml to Defender.

User impact

  • Repeated Windows Defender prompts during normal Codex use
  • User uncertainty about whether Codex local state is unsafe
  • One prompt showed the same exact path twice, which makes the behavior look buggy rather than merely cautious

Request

Could you investigate whether recent Windows/Desktop Codex behavior is rewriting or recreating .codex\config.toml (or surfacing it multiple times) in a way that triggers repeated Defender sample-submission prompts?

If useful, I can follow up with:

  • the exact screenshot text from the June 29 Defender prompt
  • the SHA-256 observed for the June 3 laptop config.toml
  • the local investigation summary correlating the file timestamps with Codex log activity
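One way to gather the evidence listed under "What is not confirmed" (whether the file's hash actually changes between prompts, and whether Defender's operational log names it), as an added example that is not part of the original report and not Codex's own code. The observation-log location in `$StateFile` is an assumption; the target path follows the `.codex\config.toml` location named in the report.

```powershell
# Added example. $StateFile is a hypothetical location for the observation log.
$Target    = Join-Path $env:USERPROFILE '.codex\config.toml'
$StateFile = Join-Path $env:TEMP 'codex-config-observations.csv'

function Get-ConfigObservation {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    [pscustomobject]@{
        ObservedUtc  = (Get-Date).ToUniversalTime().ToString('o')
        Path         = $item.FullName
        Sha256       = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Length       = $item.Length
        CreatedUtc   = $item.CreationTimeUtc.ToString('o')
        LastWriteUtc = $item.LastWriteTimeUtc.ToString('o')
    }
}

$current  = Get-ConfigObservation -Path $Target
$previous = if (Test-Path -LiteralPath $StateFile) {
    Import-Csv -LiteralPath $StateFile | Select-Object -Last 1
}

# Classify what happened to the file since the last recorded observation.
if ($previous) {
    if     ($previous.Sha256       -ne $current.Sha256)       { "Content changed since $($previous.ObservedUtc)" }
    elseif ($previous.CreatedUtc   -ne $current.CreatedUtc)   { 'Same content, but the file was deleted and recreated' }
    elseif ($previous.LastWriteUtc -ne $current.LastWriteUtc) { 'Same content, but the file was rewritten in place' }
    else                                                      { 'Unchanged since the last observation' }
} else {
    'First observation recorded'
}
$current | Export-Csv -LiteralPath $StateFile -Append -NoTypeInformation

# Defender sample-submission setting (the report observed SubmitSamplesConsent = 1).
"SubmitSamplesConsent = $((Get-MpPreference).SubmitSamplesConsent)"

# Recent Defender operational events whose message names the file, if any exist.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' `
             -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*\.codex\config.toml*' } |
    Select-Object TimeCreated, Id, Message
```

Running it once after each Defender prompt builds a CSV history that separates a genuinely changed file from an identical file that was recreated or rewritten.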

Labels

  • app: Issues related to the Codex desktop app
  • bug: Something isn't working
  • config: Issues involving config.toml, config keys, config merging, or config updates
  • windows-os: Issues related to Codex on Windows systems
