Data Execution Prevention (DEP) and verify status

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. From Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.

What can block DEP

DEP can help block a class of security intrusions. Specifically, DEP can help block a malicious program in which a virus or other type of attack has injected a process with additional code and then tries to run the injected code. On a system with DEP, execution of the injected code causes an exception. Software-enforced DEP can help block programs that take advantage of exception-handling mechanisms in Windows.

Hardware-enforced DEP

Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code. A class of attacks exists that tries to insert and run code from non-executable memory locations. DEP helps prevent these attacks by intercepting them and raising an exception.

Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. DEP functions on a per-virtual memory page basis, and DEP typically changes a bit in the page table entry (PTE) to mark the memory page.

Processor architecture determines how DEP is implemented in hardware and how DEP marks the virtual memory page. However, processors that support hardware-enforced DEP can raise an exception when code is executed from a page that is marked with the appropriate attribute set.

Advanced Micro Devices (AMD) and Intel have defined and shipped Windows-compatible architectures that are compatible with DEP.

Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the following:

  • The no-execute page-protection (NX) processor feature as defined by AMD.
  • The Execute Disable Bit (XD) feature as defined by Intel.

To use these processor features, the processor must be running in Physical Address Extension (PAE) mode. However, Windows will automatically enable PAE mode to support DEP. Users do not have to separately enable PAE by using the /PAE boot switch.

NOTE: because 64-bit kernels are Address Windowing Extensions (AWE) aware, there is not a separate PAE kernel in 64-bit versions of Windows.

Software-enforced DEP

An additional set of Data Execution Prevention security checks has been added to the Microsoft Windows operating system since Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2 or later. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.

System-wide configuration of DEP

DEP configuration for the system is controlled through switches in the boot configuration. If you are logged on as an administrator, you can also configure DEP settings by using the System dialog box in Control Panel.

Windows supports four system-wide configurations for both hardware-enforced and software-enforced DEP.

  • OptIn: this setting is the default configuration. On systems with processors that can implement hardware-enforced DEP, it is enabled by default for limited system binaries and programs that "opt-in." With this option, only Windows system binaries are covered by DEP by default.
  • OptOut: DEP is enabled by default for all processes. You can manually create a list of specific programs that do not have DEP applied by using the System dialog box in Control Panel. Information technology (IT) professionals can use the Application Compatibility Toolkit to "opt-out" one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect.
  • AlwaysOn: this setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted-out by using the Application Compatibility Toolkit run with DEP applied.
  • AlwaysOff: this setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor does not run in PAE mode unless the /PAE option is present in the boot configuration file.

Hardware-enforced and software-enforced DEP are configured in the same manner. If the system-wide DEP policy is set to OptIn, the same Windows core binaries and programs will be protected by both hardware-enforced and software-enforced DEP. If the system cannot use hardware-enforced DEP, the Windows core binaries and programs will be protected only by software-enforced DEP.

Benefits

The primary benefit of DEP is that it helps prevent code execution from data pages, such as the default heap pages, various stack pages, and memory pool pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. If the exception is unhandled, the process will be stopped. Execution of code from protected memory in kernel mode causes a Stop error.

Verify Status of Data Execution Prevention settings

Open an elevated command prompt and copy-paste the following and hit Enter:

wmic OS Get DataExecutionPrevention_SupportPolicy

The number which is displayed denotes the status of DEP on your machine.

  • 0 – DEP is disabled for all processes (AlwaysOff).
  • 1 – DEP is enabled for all processes (AlwaysOn).
  • 2 – DEP is enabled only for Windows system components and services (OptIn, the default).
  • 3 – DEP is enabled for all processes, but administrators can manually create a list of specific applications that do not have DEP applied (OptOut).

If DEP is turned on for all programs, it can cause issues with certain programs in some cases. While it is normally not recommended to turn off DEP for the entire system, you can turn off Data Execution Prevention for a particular program in Windows, but do not do it for the entire computer, as that makes Windows less secure.

Use the graphical user interface (wbemtest)

To use the graphical user interface to determine whether DEP is available, follow these steps:

  1. Click Start, click Run, type wbemtest in the Open box, and then click OK.
  2. In the Windows Management Instrumentation Tester dialog box, click Connect.
  3. In the box at the top of the Connect dialog box, type root\cimv2, and then click Connect.
  4. Click Enum Instances.
  5. In the Class Info dialog box, type Win32_OperatingSystem in the Enter superclass name box, and then click OK.
  6. In the Query Result dialog box, double-click the top item. This item starts with "Win32_OperatingSystem.Name=Microsoft...".
  7. In the Object editor dialog box, locate the DataExecutionPrevention_Available property in the Properties area.
  8. Double-click DataExecutionPrevention_Available.
  9. In the Property Editor dialog box, note the value in the Value box.
  10. If the value is TRUE, hardware DEP is available.
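The wmic command and the wbemtest steps above both read properties of the Win32_OperatingSystem WMI class by hand. The following PowerShell script is an added example, not part of the original article, that reads the same properties in one go, decodes the SupportPolicy number into the four policy names described earlier, and cross-checks the value against the nx entry in the boot configuration (bcdedit needs an elevated prompt).

```powershell
# Added example: read the DEP properties of Win32_OperatingSystem that the
# wmic / wbemtest procedures inspect manually, and decode the policy number.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Mapping of DataExecutionPrevention_SupportPolicy values to the policy names
# described in the system-wide configuration section.
$policyNames = @{
    0 = 'AlwaysOff - no DEP coverage for any process'
    1 = 'AlwaysOn  - DEP applied to all processes, no exceptions list'
    2 = 'OptIn     - DEP only for Windows system binaries (default)'
    3 = 'OptOut    - DEP for all processes except a manual exceptions list'
}

$policy = [int]$os.DataExecutionPrevention_SupportPolicy

$report = [pscustomobject]@{
    HardwareDepAvailable = $os.DataExecutionPrevention_Available
    DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
    DepForDrivers        = $os.DataExecutionPrevention_Drivers
    SupportPolicy        = $policy
    PolicyName           = $policyNames[$policy]
}
$report | Format-List

# Interpretation as the article describes it: with OptIn/OptOut and no
# hardware DEP (no NX/XD support), only software-enforced DEP protects the
# Windows core binaries; AlwaysOff disables DEP entirely.
if (-not $os.DataExecutionPrevention_Available) {
    Write-Warning 'Hardware-enforced DEP is not available; only software-enforced DEP applies.'
}
if ($policy -eq 0) {
    Write-Warning 'DEP policy is AlwaysOff: the system has no DEP coverage.'
}

# Cross-check: the same policy is stored as the "nx" element of the current
# boot entry. Lines look like "nx    OptIn" in the bcdedit output.
if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s'
} else {
    Write-Host 'Run from an elevated prompt to also show the boot-configuration nx setting.'
}
```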