- Jul 3, 2015
There is an option in advanced system settings of Windows to turn on DEP for all programs and services.
Did you do this, and is it wise to do so?
Isn't it enabled by default?

> There is an option in advanced system settings of Windows to turn on DEP for all programs and services.
> Did you do this, and is it wise to do so?
All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed.
All x86 (32-bit) binaries have DEP enabled by default, but DEP can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, might not be compatible with DEP. Such applications typically generate code dynamically (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
DEP is a security feature that protects your hardware from programs that use memory incorrectly, and mostly it isn't recommended to disable it, but then it's up to you.

> There is an option in advanced system settings of Windows to turn on DEP for all programs and services. Did you do this, and is it wise to do so?
Yes, I do it, and it's recommended to use that enforcement.

> There is an option in advanced system settings of Windows to turn on DEP for all programs and services.
> Did you do this, and is it wise to do so?
It can break programs. That's why it isn't enforced, but I don't care. There is no reason not to enable it.

> It is enabled by default "for essential Windows programs and services only".
> I am asking about the second option: "for all programs and services".
When you use Exploit Protection to configure DEP, then it is applied just like in my previous post (enabled by default for all programs). You can disable DEP for compatibility only for x86 (32-bit) processes that do not natively support DEP. Except for the Exploit Protection feature, one can also use the old method:

> It is enabled by default "for essential Windows programs and services only".
> I am asking about the second option: "for all programs and services".
Yes, that's exactly what I am talking about. I looked in there and it is not enabled for all programs.

> Settings >> Advanced Settings >> Advanced >> click Settings under Performance section >> click Data Execution Prevention tab:
> Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator).
> Enter "BCDEDIT /set {current} nx OptOut". (If using PowerShell, "{current}" must be enclosed in quotes.)
> "AlwaysOn", a more restrictive selection, is also valid but does not allow applications that do not function properly to be opted out of DEP.
> Opted-out exceptions can be configured in the "System Properties".
I would not use these settings. All that is needed can be done independently via Exploit Protection.
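The two configuration paths discussed above (the legacy BCD "nx" policy and Exploit Protection) can be inspected and set from the same elevated PowerShell session. The script below is an added example, not code from the thread; "legacy32.exe" is a placeholder name, and the `Dep.Enable` property path follows the documented output of `Get-ProcessMitigation`, which is available on Windows 10 1709 and later.

```powershell
# Added example (not from the thread): read the two places Windows keeps a DEP
# policy, the legacy boot setting ("nx" in the BCD store) and the Exploit
# Protection setting, and opt a single 32-bit legacy binary out through Exploit
# Protection instead of the legacy exception list. "legacy32.exe" is a placeholder
# name. Run from an elevated PowerShell on Windows 10 1709 or later, which ships
# the ProcessMitigations module.

function Get-LegacyDepPolicy {
    # bcdedit only prints an "nx" line when the value was set explicitly; with no
    # line present the effective policy is OptIn (DEP for essential Windows
    # programs and services only). {current} must be quoted in PowerShell.
    $match = bcdedit /enum '{current}' |
        Select-String -Pattern '^\s*nx\s+(\S+)' |
        Select-Object -First 1
    if ($match) { return $match.Matches[0].Groups[1].Value }
    return 'OptIn (default, not set)'
}

function Get-SystemDepMitigation {
    # Exploit Protection's machine-wide DEP switch: ON, OFF or NOTSET
    # (NOTSET means the Windows default applies, which is DEP on for everything).
    return (Get-ProcessMitigation -System).Dep.Enable
}

function Set-LegacyAppDepOptOut {
    param([Parameter(Mandatory)][string]$ExeName)
    # Per-program opt-out via Exploit Protection, the modern replacement for the
    # legacy exception list. It only has an effect on a 32-bit image without
    # native DEP: x64/ARM64 images and /NXCOMPAT images run with DEP regardless.
    Set-ProcessMitigation -Name $ExeName -Disable DEP
    return (Get-ProcessMitigation -Name $ExeName).Dep.Enable   # expected: OFF
}

"Legacy boot policy (bcdedit nx) : $(Get-LegacyDepPolicy)"
"Exploit Protection system DEP    : $(Get-SystemDepMitigation)"
# Uncomment to opt a legacy 32-bit application out (placeholder name):
# Set-LegacyAppDepOptOut -ExeName 'legacy32.exe'
```

Reading both values side by side is the useful part: a machine can show `nx OptIn` in the BCD store and still run everything with DEP because the Exploit Protection system setting (or the binaries' own NX_COMPAT flag) forces it on.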
I'm not sure, as the Exploit Protection GUI doesn't list any settings. Only the advanced list for program-specific settings lists them all.

> I would not use these settings. All that is needed can be done independently via Exploit Protection.
Probably all your applications have native (hardcoded) DEP which will ignore any Windows DEP settings. You can use Exploit Protection to not force DEP for any x86 legacy application which does not have native DEP. The settings noted by @shmu26 are legacy settings used from Windows XP when many processes did not have native DEP. They are still in Windows 10 for compatibility after upgrading.

> I'm not sure, as the Exploit Protection GUI doesn't list any settings. Only the advanced list for program-specific settings lists them all.
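"Native (hardcoded) DEP" is the NX_COMPAT bit in a PE file's optional header, which the linker sets with /NXCOMPAT. The following script is an added example, not code from the thread: it parses that header directly, so you can check which of your own binaries will ignore the system-wide setting and which (32-bit, no NX_COMPAT) are the only candidates for an opt-out. The System32 folder is just a sample input; any folder of executables works.

```powershell
# Added example (not from the thread): report whether an executable carries
# "native" DEP, i.e. IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) in the PE
# optional header. Such an image runs with DEP whatever the system policy says;
# only a 32-bit image without the flag can ever be opted out.

function Read-Bytes([System.IO.Stream]$Stream, [long]$Offset, [int]$Count) {
    $buf = New-Object byte[] $Count
    $Stream.Position = $Offset
    if ($Stream.Read($buf, 0, $Count) -ne $Count) { throw "file too short at offset $Offset" }
    return ,$buf   # leading comma keeps the byte[] from being unrolled
}

function Get-PeDepInfo {
    param([Parameter(Mandatory)][string]$Path)
    $NX_COMPAT = 0x0100
    $machines = @{ 0x14C = 'x86'; 0x8664 = 'x64'; 0x1C4 = 'ARM'; 0xAA64 = 'ARM64' }
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $dos = [byte[]](Read-Bytes $fs 0 64)
        if ($dos[0] -ne 0x4D -or $dos[1] -ne 0x5A) { throw "not a PE file: $Path" }   # "MZ"
        $peOffset = [BitConverter]::ToInt32($dos, 0x3C)                                # e_lfanew
        # 4-byte "PE\0\0" signature, 20-byte COFF header, then the optional header;
        # DllCharacteristics sits at optional-header offset 70 for PE32 and PE32+ alike.
        $hdr = [byte[]](Read-Bytes $fs $peOffset (4 + 20 + 72))
        if ([BitConverter]::ToUInt32($hdr, 0) -ne 0x00004550) { throw "bad PE signature: $Path" }
        $machine  = [BitConverter]::ToUInt16($hdr, 4)        # COFF Machine
        $magic    = [BitConverter]::ToUInt16($hdr, 24)       # 0x10B = PE32, 0x20B = PE32+
        $dllChars = [BitConverter]::ToUInt16($hdr, 24 + 70)  # DllCharacteristics
        $arch = if ($machines.ContainsKey([int]$machine)) { $machines[[int]$machine] }
                else { '0x{0:X}' -f $machine }
        $nativeDep = ($dllChars -band $NX_COMPAT) -ne 0
        [pscustomobject]@{
            File      = Split-Path $Path -Leaf
            Arch      = $arch
            Format    = if ($magic -eq 0x20B) { 'PE32+' } else { 'PE32' }
            NxCompat  = $nativeDep
            # Only a 32-bit image without NX_COMPAT can run without DEP; everything
            # else is forced on regardless of the legacy or Exploit Protection setting.
            CanOptOut = ($arch -eq 'x86') -and -not $nativeDep
        }
    } finally { $fs.Dispose() }
}

# Sample run (constructed usage): the first 20 executables in System32.
Get-ChildItem "$env:SystemRoot\System32\*.exe" | Select-Object -First 20 | ForEach-Object {
    try { Get-PeDepInfo -Path $_.FullName } catch { Write-Warning $_ }
} | Format-Table -AutoSize
```

Binaries that show `CanOptOut = True` are the ones the thread is really arguing about; for everything else the choice between "essential programs only" and "all programs" makes no difference at runtime.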
I also don't see any problems so far.
If you enable full DEP this way:

> Probably all your applications have native (hardcoded) DEP which will ignore any Windows DEP settings. You can use Exploit Protection to not force DEP for any x86 application which does not have native DEP. The settings noted by @shmu26 are legacy settings used from Windows XP when many processes did not have native DEP. They are still in Windows 10 for compatibility after upgrading.
> If you have default Exploit Protection settings and default settings noted by @shmu26, they will probably force DEP for all processes anyway.
Yes. That is why Microsoft still keeps this legacy feature, because someone (on Windows 7, 8.1, or older Windows 10) could put there a list of legacy applications that have not got native DEP. Others can simply forget about this and use the new feature, e.g. Exploit Protection. This new feature can also exclude an application from system-wide DEP settings.

> If you enable full DEP this way:
> "Settings >> Advanced Settings >> Advanced >> click Settings under Performance section >> click Data Execution Prevention tab"
> You have an option there for exceptions, in case a certain program doesn't like DEP.
I wonder why nobody at the official Microsoft forum gave me that answer.

> Probably all your applications have native (hardcoded) DEP which will ignore any Windows DEP settings. You can use Exploit Protection to not force DEP for any x86 legacy application which does not have native DEP. The settings noted by @shmu26 are legacy settings used from Windows XP when many processes did not have native DEP. They are still in Windows 10 for compatibility after upgrading.
> If you have default Exploit Protection settings and default settings noted by @shmu26, they will force DEP for all processes anyway.
So how do I enforce DEP for x86 with EP?

> How these two features work together (tested on the Gnuplot application).
> LEGACY = feature noted by @shmu26
> EP = Exploit Protection options for DEP
> LEGACY_1 means the first option (ticked on the picture)
> LEGACY_2 means the second option
> [Attachment 259852: picture of the two legacy DEP options]
> LEGACY_1 and EP default:
> The x86 processes that do not natively support DEP are not forced to use DEP. Others are run with DEP.
> LEGACY_2 (empty list) and EP default ---> all programs are forced to use DEP.
> LEGACY_2 (with list of exclusions) and EP default:
> - the programs from the list are run without DEP,
> - these excluded programs are not visible in EP mitigations.
> LEGACY_2 (with list of exclusions) and EP with exclusions ---> EP overrides LEGACY_2 for overlapping items.
There are many tutorials, for example:

> So how do I enforce DEP for x86 with EP?
If you use Process Explorer and run it as administrator, you can select the column "DEP status" and it will show this for all your running programs and processes.

[Attachment 259854: screenshot]
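The same per-process view that Process Explorer's "DEP status" column gives can be produced with the documented kernel32 APIs. This is an added example, not code from the thread or from Process Explorer; it assumes 64-bit or 32-bit Windows with PowerShell and uses only `OpenProcess`, `IsWow64Process`, `GetProcessDEPPolicy` and `GetSystemDEPPolicy`, whose flag values are the ones from the Windows SDK.

```powershell
# Added example (not from the thread): reproduce Process Explorer's "DEP status"
# column from PowerShell. For each process it opens a query-only handle, uses
# IsWow64Process to find out whether the image is 32-bit (the only kind that can
# ever run without DEP on 64-bit Windows) and, for 32-bit processes, asks
# GetProcessDEPPolicy. Processes that refuse the handle (protected or
# higher-integrity ones) are reported as "access denied"; run elevated for the
# fullest picture.

if (-not ('Dep.Native' -as [type])) {
    Add-Type -Namespace Dep -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr h, out bool wow64);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr h, out uint flags, out bool permanent);
[DllImport("kernel32.dll")]
public static extern int GetSystemDEPPolicy();
'@
}

# DEP_SYSTEM_POLICY_TYPE values returned by GetSystemDEPPolicy.
$SystemPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$PROCESS_QUERY_INFORMATION = 0x0400           # access right GetProcessDEPPolicy needs
$PROCESS_DEP_ENABLE = 0x1
$PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION = 0x2

function Get-DepStatus {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    $h = [Dep.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $Process.Id)
    if ($h -eq [IntPtr]::Zero) { return 'access denied' }
    try {
        $wow64 = $false
        if (-not [Dep.Native]::IsWow64Process($h, [ref]$wow64)) { return 'unknown' }
        # On a 32-bit OS every process is 32-bit; on a 64-bit OS only WOW64 ones are.
        $is32bit = $wow64 -or -not [Environment]::Is64BitOperatingSystem
        if (-not $is32bit) { return 'DEP (permanent, 64-bit)' }
        $flags = [uint32]0; $permanent = $false
        if (-not [Dep.Native]::GetProcessDEPPolicy($h, [ref]$flags, [ref]$permanent)) { return 'unknown' }
        if (($flags -band $PROCESS_DEP_ENABLE) -eq 0) { return 'DEP off' }
        $status = 'DEP'
        if ($permanent) { $status += ' (permanent)' }
        if (($flags -band $PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) -ne 0) { $status += ', ATL thunk emulation off' }
        return $status
    } finally {
        [void][Dep.Native]::CloseHandle($h)
    }
}

"System DEP policy: $($SystemPolicyNames[[Dep.Native]::GetSystemDEPPolicy()])"
Get-Process | ForEach-Object {
    [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; DepStatus = Get-DepStatus -Process $_ }
} | Sort-Object DepStatus, Name | Format-Table -AutoSize
```

Anything listed as "DEP off" is a 32-bit process that was opted out, either by the legacy exception list, by an Exploit Protection per-program setting, or because the system policy is OptIn and the image lacks NX_COMPAT; that short list is what to review, since every 64-bit process is already covered.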