Re: Data Execution Prevention with Windows Vista
"Andrew McLaren" <andrew@fakeaddress.com> wrote in message
news:85B0C64B-54D1-4388-98B6-43406543C805@microsoft.com...
> Hi Mickey,
>
> I haven't heard of DEP causing really widespread problems, although
> obviously you are seeing problems on your machine. The exact behaviour
> could vary depending on whether your CPU supports hardware DEP (the NX
> bit) or software DEP - which is actually a different form of operation.
> AMD and Intel EM64T Processors support hardware DEP; many (most?) 32-bit
> Pentium IV processors do not.
>
> Well-behaved programs, which keep a strict separation of data and
> executable code, should not be affected by DEP. Programs which are
> affected by DEP may contain security vulnerabilities, because malicious
> code could be injected into the data portions, and then executed.
>
> But I'm curious when you say "programs that were closed due to the feature
> still closed even when I turned the feature off through the run command".
> If you have applications which are shutting down even with DEP disabled,
> then DEP is probably not the culprit. How do you use the "run" command to
> disable DEP? Did you do a:
>
> "bcdedit.exe /set {current} nx AlwaysOff"
>
> and then reboot? That would disable DEP globally, for all applications. If
> your apps still close after this, the problem is not DEP. Are you still
> getting the "DEP - Windows has closed this program" dialogue box?
>
> You can verify whether Hardware DEP is actually available on your system
> by running this command:
>
> wmic OS Get DataExecutionPrevention_Available
>
> If it returns TRUE, the CPU supports DEP. To find the current DEP policy
> which is active, run the command:
>
> wmic OS Get DataExecutionPrevention_SupportPolicy
>
> The result will be one of:
>
> 0 AlwaysOff - DEP is not enabled for any processes
> 1 AlwaysOn - DEP is enabled for all processes
> 2 OptIn - Only Windows system components and services have DEP applied
> 3 OptOut - DEP is enabled for all processes. Administrators can manually
> create a list of specific applications which do not have DEP applied.
>
> "2" is the normal default setting. Apps which aren't part of Windows
> itself, should not be affected.
>
> You might want to run this to test if DEP is, indeed, active on your
> system.
>
> Overall, I don't think it's a problem which can be easily solved by an
> update from Microsoft - apps which execute data are a security risk and
> need to be re-written, or at least recompiled with a /GS flag. But
> Microsoft might add compatibility shims for certain well-known
> applications - these are updated via Windows Update as they are released.
>
> --
> Andrew McLaren
> amclar (at) optusnet dot com dot au
>
>
I am always surprised when people use the command line to change settings,
when Vista has an easy system built in, in Advanced System Settings. Here you
can turn DEP off on all programs or just those you choose to run without
protection.
I find it worth looking at only when I find a consistent problem with a
program.
--
Ian
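
Added example (not part of either post): a PowerShell sketch that gathers the checks discussed above in one pass, reading the same Win32_OperatingSystem properties the wmic commands query and comparing the running policy with the nx value in the boot store, so a bcdedit change that has not yet taken effect through a reboot shows up. It assumes an elevated prompt for bcdedit and that the bcdedit output carries a line beginning with "nx"; the variable names are illustrative.

```powershell
# Running DEP state, from the same WMI class the wmic commands read.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Policy values as listed in the quoted post.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$active = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

# Value configured in the boot store for the next boot (needs elevation).
# Assumption: the entry is printed as a line starting with "nx".
$configured = $null
$bcd = & bcdedit.exe /enum '{current}' 2>$null
if ($LASTEXITCODE -eq 0) {
    $line = $bcd | Where-Object { $_ -match '^\s*nx\s+\S+' } | Select-Object -First 1
    if ($line -match '^\s*nx\s+(\S+)') { $configured = $Matches[1] }
}

$notes = @()
if (-not $os.DataExecutionPrevention_Available) {
    $notes += 'Hardware DEP (NX) is not reported as available on this CPU.'
}
if ($configured -and $active -and $configured -ne $active) {
    # The boot store was changed but the machine has not been rebooted since.
    $notes += "Boot store has nx=$configured but the running policy is $active; reboot pending."
}

switch ($active) {
    'AlwaysOff' { $notes += 'DEP is off for all processes; a program that still closes has another cause.' }
    'AlwaysOn'  { $notes += 'DEP applies to all processes.' }
    'OptIn'     { $notes += 'Only Windows system components and services have DEP applied.' }
    'OptOut'    { $notes += 'DEP applies to all processes except those on the exception list.' }
    default     { $notes += 'Unrecognised policy value; check the raw property.' }
}

# One object with everything needed to decide whether DEP can be the culprit.
[pscustomobject]@{
    HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
    ActivePolicy         = $active
    RawPolicyValue       = $os.DataExecutionPrevention_SupportPolicy
    BootStoreNx          = $configured
    Notes                = $notes -join ' '
} | Format-List
```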