Q&A Data Execution Prevention (DEP)

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,117
It is enabled by default. It can be disabled for x86 (32-bit) binaries on the system level or only for some binaries. It cannot be disabled for x64 (64-bit), ARM, and ARM-64 binaries.
All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed.

All x86 (32-bit) binaries have DEP enabled by default, but DEP can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, might not be compatible with DEP. Such applications typically generate code dynamically (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
 

SecureL7

New Member
Jul 3, 2021
3
There is an option in advanced system settings of Windows to turn on DEP for all programs and services. Did you do this, and is it wise to do so?
DEP is a security feature that protects your hardware from programs that use memory incorrectly, and mostly it isn’t recommended to disable it, but then it’s up to you.
 

ForgottenSeer 85179

There is an option in advanced system settings of Windows to turn on DEP for all programs and services.
Did you do this, and is it wise to do so?
Yes, I do it, and it’s recommended to use that enforcement.

It is enabled by default "for essential Windows programs and services only".
I am asking about the second option: "for all programs and services".
It can break programs. That’s why it isn’t enforced, but I don’t care. There isn’t any reason not to enable it.
I guess nobody will see any problems.
 

Andy Ful

It is enabled by default "for essential Windows programs and services only".
I am asking about the second option: "for all programs and services".
When you use Exploit Protection to configure DEP, then it is applied just like in my previous post (enabled by default for all programs). You can disable DEP for compatibility only for x86 (32-bit processes) that do not natively support DEP. Except for the Exploit Protection feature, one can also use the old method:
Settings >> Advanced Settings >> Advanced >> click Settings under Performance section >> click Data Execution Prevention tab:


I think that this feature is overridden by Exploit Protection settings. So, it can be used when DEP is disabled in Exploit Protection (applied to x86 processes). Furthermore, it will work only for processes that do not support DEP natively. If the process has native DEP protection, you will see the alert that DEP cannot be disabled for it.
 


ForgottenSeer 85179

See Data Execution Prevention (DEP) must be configured to at least OptOut.
Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator).
Enter "BCDEDIT /set {current} nx OptOut". (If using PowerShell "{current}" must be enclosed in quotes.)
"AlwaysOn", a more restrictive selection, is also valid but does not allow applications that do not function properly to be opted out of DEP.

Opted-out exceptions can be configured in the "System Properties".
 

ForgottenSeer 85179

I would not use these settings. All that is needed can be done independently via Exploit Protection.
I’m not sure, as the Exploit Protection GUI doesn’t list any settings. Only the advanced list for program-specific settings lists them all.

I also don’t see any problems so far.
 

Andy Ful

I’m not sure, as the Exploit Protection GUI doesn’t list any settings. Only the advanced list for program-specific settings lists them all.

I also don’t see any problems so far.
Probably all your applications have native (hardcoded) DEP which will ignore any Windows DEP settings. You can use Exploit Protection to not force DEP for any x86 legacy application which does not have native DEP. The settings noted by @shmu26 are legacy settings used from Windows XP when many processes did not have native DEP. They are still in Windows 10 for compatibility after upgrading.
If you have default Exploit Protection settings and default settings noted by @shmu26, they will force DEP for all processes anyway.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,072
Probably all your applications have native (hardcoded) DEP which will ignore any Windows DEP settings. You can use Exploit Protection to not force DEP for any x86 application which does not have native DEP. The settings noted by @shmu26 are legacy settings used from Windows XP when many processes did not have native DEP. They are still in Windows 10 for compatibility after upgrading.
If you have default Exploit Protection settings and default settings noted by @shmu26, they will probably force DEP for all processes anyway.
If you enable full DEP this way:
"Settings >> Advanced Settings >> Advanced >> click Settings under Performance section >> click Data Execution Prevention tab"
You have an option there for exceptions, in case a certain program doesn't like DEP.
 

Andy Ful

If you enable full DEP this way:
"Settings >> Advanced Settings >> Advanced >> click Settings under Performance section >> click Data Execution Prevention tab"
You have an option there for exceptions, in case a certain program doesn't like DEP.
Yes. That is why Microsoft still keeps this legacy feature: someone (on Windows 7, 8.1, or older Windows 10) could put a list of legacy applications that do not have native DEP there. Others can simply forget about this and use the new feature, e.g. Exploit Protection. This new feature can also exclude an application from system-wide DEP settings.
 

ForgottenSeer 85179

Probably all your applications have native (hardcoded) DEP which will ignore any Windows DEP settings. You can use Exploit Protection to not force DEP for any x86 legacy application which does not have native DEP. The settings noted by @shmu26 are legacy settings used from Windows XP when many processes did not have native DEP. They are still in Windows 10 for compatibility after upgrading.
If you have default Exploit Protection settings and default settings noted by @shmu26, they will force DEP for all processes anyway.
I wonder why nobody at the official Microsoft forum gave me that answer.

Thanks!
 

Andy Ful

How these two features work together (tested on Gnuplot application).

LEGACY = feature noted by @shmu26
EP = Exploit Protection options for DEP

LEGACY_1 means the first option (ticked on the picture)
LEGACY_2 means the second option

LEGACY_1 and EP default:
The x86 processes that do not natively support DEP are not forced to use DEP. Others are run with DEP.

LEGACY_2 (empty list) and EP default ---> all programs are forced to use DEP

LEGACY_2 (with list of exclusions) and EP default:
  • the programs from the list are run without DEP,
  • these excluded programs are not visible in EP mitigations.
LEGACY_2 (with list of exclusions) and EP with exclusions ---> EP overrides LEGACY_2 for overlapping items.
 

ForgottenSeer 85179

How these two features work together (tested on Gnuplot application).

LEGACY = feature noted by @shmu26
EP = Exploit Protection options for DEP

LEGACY_1 means the first option (ticked on the picture)
LEGACY_2 means the second option

LEGACY_1 and EP default:
The x86 processes that do not natively support DEP are not forced to use DEP. Others are run with DEP.

LEGACY_2 (empty list) and EP default ---> all programs are forced to use DEP

LEGACY_2 (with list of exclusions) and EP default:
  • the programs from the list are run without DEP,
  • these excluded programs are not visible in EP mitigations.
LEGACY_2 (with list of exclusions) and EP with exclusions ---> EP overrides LEGACY_2 for overlapping items.
So how do I enforce DEP for x86 with EP?
 

Andy Ful

So how enforce DEP for x86 with EP?
There are many tutorials, for example:
Useful article about DEP:

If you want to do it for all x86 applications then set LEGACY_2 (empty list) and default EP. This will enforce “ATL thunk emulation” to increase compatibility.

If you want to do this for a particular application then use EP Program settings tab and choose the application.
Next, you must navigate to the DEP mitigation, tick "Override system settings" and set ON. You can also tick “ATL thunk emulation” if the application crashes.


Most machines with Windows 10 do not have applications that would need enforcing DEP, because they have DEP natively enforced, independently of Windows settings.
 
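As an added example that is not part of this thread, the following PowerShell ties together the bcdedit "nx" policy from the earlier post, the per-program Exploit Protection DEP override described above, and the per-process DEP state that the Process Explorer "DEP status" column shows. It assumes an elevated PowerShell on Windows 10 with the built-in ProcessMitigations module, and `legacyapp.exe` is a placeholder application name.

```powershell
# Added example, not from the thread: inspect and set DEP on Windows 10 from an
# elevated PowerShell. Assumes the built-in ProcessMitigations module; $app is a
# placeholder name.

# System-wide policy written by "bcdedit /set {current} nx <value>":
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (the "essential Windows programs and
# services only" radio button), 3 = OptOut (the "all programs and services" one).
$names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$code  = [int]$os.DataExecutionPrevention_SupportPolicy
"System DEP policy : $($names[$code]) ($code)"
"Hardware DEP (NX) : $($os.DataExecutionPrevention_Available)"

# Exploit Protection system default for DEP (what the thread calls "EP default").
"EP system DEP     : $((Get-ProcessMitigation -System).DEP.Enable)"

# Per-program EP override for one legacy x86 app: force DEP on with ATL thunk
# emulation, the same as ticking "Override system settings", ON and
# "ATL thunk emulation" in the EP GUI. (Use -Disable DEP to exempt it instead.)
$app = 'legacyapp.exe'   # placeholder
Set-ProcessMitigation -Name $app -Enable DEP, EmulateAtlThunks
$m = (Get-ProcessMitigation -Name $app).DEP
"EP override for ${app}: Enable=$($m.Enable) EmulateAtlThunks=$($m.EmulateAtlThunks)"

# Per-process DEP state of what is actually running (the same information as the
# Process Explorer "DEP status" column), read with GetProcessMitigationPolicy.
Add-Type -Namespace Win32 -Name Mitig -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct DepPolicy { public uint Flags; public byte Permanent; }
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(
    IntPtr hProcess, int policy, out DepPolicy buffer, IntPtr length);
'@
$ProcessDEPPolicy = 0   # PROCESS_MITIGATION_POLICY enumerator for DEP
Get-Process | ForEach-Object {
    try {
        $dep = New-Object -TypeName 'Win32.Mitig+DepPolicy'
        $ok  = [Win32.Mitig]::GetProcessMitigationPolicy(
                   $_.Handle, $ProcessDEPPolicy, [ref]$dep, [IntPtr]8)
        if ($ok) {
            $state = if ($dep.Flags -band 1) { 'DEP on' } else { 'DEP OFF' }
            # Permanent = cannot be changed at runtime: x64 images and x86 images
            # linked with NXCOMPAT, i.e. "native DEP" in the thread's terms.
            if ($dep.Permanent) { $state += ' (permanent, native)' }
            '{0,-30} {1}' -f $_.ProcessName, $state
        }
    } catch { }   # protected or other users' processes cannot be opened
}
```

Processes that report DEP OFF without "permanent" are the x86 legacy binaries the thread is discussing; everything marked permanent ignores both the legacy tab and the EP setting.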

Andy Ful

If you use Process Explorer and run it as administrator, you can select the column "DEP status" and it will show this for all your running programs and processes.


I used Process Explorer too, but it can be done in many ways, also via Task Manager.

 