Andrew,
Thanks for the info on DEP.
I have shut mine off to install a piece of software (long story). Now I'd
like to be able to turn it on, but not always on. I'd like option 2.
I know bcdedit.exe /set {current} nx AlwaysOn turns it always on, but how do
I enable the other two options in the "Advanced system settings"?
Any help is welcome.
Jeff
"Andrew McLaren" wrote:
> Hi Mickey,
>
> I haven't heard of DEP causing really widespread problems, although
> obviously you are seeing problems on your machine. The exact behaviour could
> vary depending on whether your CPU supports hardware DEP (the NX bit) or
> software DEP - which is actually a different form of operation. AMD and
> Intel EM64T Processors support hardware DEP; many (most?) 32-bit Pentium IV
> processors do not.
>
> Well-behaved programs, which keep a strict separation of data and executable
> code, should not be affected by DEP. Programs which are affected by DEP may
> contain security vulnerabilities, because malicious code could be injected
> into the data portions, and then executed.
>
> But I'm curious when you say "programs that were closed due to the feature
> still closed even when I turned the feature off through the run command". If
> you have applications which are shutting down even with DEP disabled, then
> DEP is probably not the culprit. How do you use the "run" command to disable
> DEP? Did you do a:
>
> "bcdedit.exe /set {current} nx AlwaysOff"
>
> and then reboot? That would disable DEP globally, for all applications. If
> your apps still close after this, the problem is not DEP. Are you still
> getting the "DEP - Windows has closed this program" dialogue box?
>
> You can verify whether Hardware DEP is actually available on your system by
> running this command:
>
> wmic OS Get DataExecutionPrevention_Available
>
> If it returns TRUE, the CPU supports DEP. To find the current DEP policy
> which is active, run the command:
>
> wmic OS Get DataExecutionPrevention_SupportPolicy
>
> The result will be one of:
>
> 0 AlwaysOff - DEP is not enabled for any processes
> 1 AlwaysOn - DEP is enabled for all processes
> 2 OptIn - Only Windows system components and services have DEP applied
> 3 OptOut - DEP is enabled for all processes. Administrators can manually
> create a list of specific applications which do not have DEP applied.
>
> "2" is the normal default setting. Apps which aren't part of Windows itself,
> should not be affected.
>
> You might want to run this to test if DEP is, indeed, active on your
> system.
>
> Overall, I don't think it's a problem which can be easily solved by an
> update from Microsoft - apps which execute data are a security risk and need
> to be re-written, or at least recompiled with a /GS flag. But Microsoft
> might add compatibility shims for certain well-known applications - these
> are updated via Windows Update as they are released.
>
> --
> Andrew McLaren
> amclar (at) optusnet dot com dot au
>
>
>
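
Added example, not part of either post: a PowerShell check, run from an elevated prompt, that reads the live DEP policy from the same WMI class the `wmic` commands above query and compares it with the `nx` value stored in the boot configuration, so a change that is still waiting on a reboot is visible. `OptIn` and `OptOut` are the `bcdedit` names for policies 2 and 3 in the list above; the variable names are this example's own.

```powershell
# Added example: compare the running DEP policy with the boot-time nx setting.
# Assumes an elevated PowerShell session (bcdedit needs administrator rights).

# Policy numbers as listed in the quoted post; the names are also the
# values bcdedit accepts for "nx".
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

# Same WMI class that "wmic OS Get DataExecutionPrevention_*" reads.
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$live = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

# Boot configuration: this is what takes effect at the next restart.
# {current} must be quoted in PowerShell; in cmd.exe it is typed bare.
$bcd = & bcdedit.exe /enum '{current}'
if ($LASTEXITCODE -ne 0) {
    throw "bcdedit failed (is the session elevated?): $($bcd -join ' ')"
}

# If the entry has no nx line, the setting was never written explicitly.
$configured = '(not set)'
foreach ($line in $bcd) {
    if ($line -match '^nx\s+(\S+)') { $configured = $Matches[1] }
}

[pscustomobject]@{
    HardwareDepAvailable = $os.DataExecutionPrevention_Available
    LivePolicy           = $live
    ConfiguredNx         = $configured
    RebootPending        = ($configured -ne '(not set)' -and $configured -ne $live)
} | Format-List

if ($live -eq 'AlwaysOff') {
    Write-Warning 'DEP is disabled for every process on this boot.'
}

# To select one of the other two policies (takes effect after a reboot):
#   bcdedit.exe /set '{current}' nx OptIn    # Windows components and services only
#   bcdedit.exe /set '{current}' nx OptOut   # all processes except an exclusion list
```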