
Parker & Myers Computers
(270)527-2233 or (270)489-2082


SECURITY

Data Execution Protection

This article was inspired by the mention of DEP on the "Security Now" net cast, Episode 59.
The link above is to the text transcript of the net cast. The actual net cast can be accessed at the top of the transcript page. This net cast was broadcast at the end of September 2006. This web page was first published in early October 2006. Since then, DEP has been discussed on the 8th session of the "Windows Weekly" net cast in early December 2006.
Data Execution Protection is discussed on "Security Now" the week before Christmas during Episode 71 (text transcript).
These links provide different views of the subject, and a little more information is added each time the subject is discussed.
On January 18, 2007, Steve Gibson released his freeware program "SecurAble". This small utility will analyze your computer and report to you in an instant the availability of three of the most important security features your processor possesses. One of these features just happens to be DEP. Use of this utility is much easier than jumping through all the hoops described in this article. It's a small file that downloads quickly, even on dial-up connections, at this link: SecurAble
February 8, 2007
Once again the subject of Data Execution Prevention is covered on the "Security Now" net cast, Episode 78. In this particular discussion, software DEP gets a brief description and it is reported that some hardware manufacturers have been making the default setting for hardware DEP "off".

After the release of Service Pack 2, it didn't take long for XP users to become acquainted with the new Security Center. Casual users will not realize that Microsoft quietly added an additional feature with SP2. The feature I'm referring to is DEP (data execution protection). This enhancement monitors memory usage and prevents the execution of code located in data-only areas.

To get the full protection of DEP, however, you need an AMD processor with the NX (no execute page protection) feature or an Intel processor with the XD (execute disable bit) feature. This is the hardware-enforced portion of DEP, which stops the execution of code from areas of memory reserved to hold data. If your computer has hardware support for DEP, Windows will automatically place the processor in the required PAE (physical address extension) mode. This is according to Microsoft; however, some sites report that large amounts of RAM are required before the processor will go into PAE mode.

There is also a software-enforced portion that is available to any Windows XP computer with Service Pack 2. The software-enforced portion is based on Safe SEH (structured exception handling). Even without hardware support, Windows by default activates the software portion in the "OptIN" mode. In this mode only Windows system programs and services are monitored. You can change the setting to monitor all of your programs, increasing your computer's security; however, some programs conflict with DEP and false reports can be generated. This is called the "Opt Out" mode, in which you can stop the monitoring of specific programs, eliminating the false reports.

As mentioned, DEP is by default enabled for Windows programs and services. To enable DEP for all programs we have to navigate our way to the proper dialog box.

Start Menu
Click the "Start" button then right click on "My Computer".

Select Properties

When the right click menu appears click on "Properties". This calls up the "System Properties" dialog box.

System Properties

Click on the "Advanced" tab at the top.

Advanced Tab

Click on the "Settings" button located in the "Performance" section. This calls up the "Performance Options" dialog box.

Performance Options

Click on the tab labeled "Data Execution Prevention"

DEP Tab

As you can see Windows programs and services are monitored by default.

Here at the bottom, Windows tells you if you do not have hardware support. If there is nothing here, then you DO have hardware support.

Update: 08/19/2008 - Windows Vista has a similar approach for handling DEP. The difference is in the path one takes to reach the "Performance Options" window. Access the "Performance Information and Tools" window via the Control Panel. With this window open, click the "Advanced Tools" link in the left-hand column. With "Advanced Tools" open, click the "Adjust the appearance and performance of windows" link. This opens the "Performance Options" window, which functions like its counterpart in Windows XP.

Opt-Out Button

To enable DEP for all programs click the radio button as shown. Next click "Apply" then "OK". You will get a message stating that a restart is necessary.

Once you have applied the changes and restarted your computer, it is a good idea to keep a close watch for warning screens. If a program you have been using suddenly fails to run, return DEP to the default configuration and see if that fixes the problem. If it does, then that particular program could be a candidate for the "Opt Out" screen. This is the empty box below the "Turn on DEP for all programs..." radio button. The "Add" button below this is what we need now.

Add Button Results

Click the arrow in the "Look In" box and select your hard drive, probably "C:". Since programs are usually installed in the "Program Files" folder, that is the most likely next selection. From there, open the folder containing the program you want to "Opt Out" and select the main executable file. The warning you got should have given a few clues here. When the main executable is selected, it will appear in the "Opt Out" box with a check box next to it. To opt the program back in, either clear the check mark or highlight (select) it and click the "Remove" button.

Originally this article ended here. Since then we have had some specific questions asked that were not covered in the initial release. One question was, "How can you tell if you have a processor that has DEP support?" A little research and the addition of a couple of lines to the original text answered that question. One of the additional lines raised another question, "How can you tell if hardware support is in fact enabled?" That's what the following addition will cover. Think of it as a Service Pack if you like :)

Operation Mode

The easiest method to determine if hardware DEP is enabled is to open your "System Properties" dialog box. This can be done via the "Control Panel" or by "Start" > right click "My Computer" > select "Properties" as covered at the beginning of this article. As shown above, the area just above the "Support Information" button will report the mode in which your processor is running. If PAE mode is mentioned all is well.

Run Box

The other method, while not as easy, provides you with a definitive answer. If you choose this method, take care not to change any settings. With that bit of warning out of the way, here are the steps to take. From the "Start" menu click on "Run". When the "Run" box opens, type "wbemtest" (without the quotes) into the box labeled "Open:" then click "OK".

WMI Tester

This opens the "Windows Management Instrumentation Tester". Click "Connect".

Connect

The "Connect" dialog will open. Type "root\cimv2" in the top box. Then click the button labeled "Connect".

WMI Tester

When the "Connect" dialog disappears, you will notice the rest of the WMI Tester has become active. Click the button labeled "Enum Instances".

Class Info

This opens the "Class Info" dialog. Under "Enter superclass name" type "Win32_OperatingSystem". Then click "OK".

Query Result

The "Query Result" box will open. Here you find the entry "Win32_OperatingSystem Name=Microsoft.....". Double click it.

In Vista this box will show the entry "Win32_OperatingSystem=@" which will need to be double clicked.

Object Editor

This opens the "Object editor". In the properties area located in the center, scroll down to find "DataExecutionPrevention_Available". Double click it.

Property Editor

This opens the "Property Editor". Right there in the middle is the answer. If it indicates "False" you DO NOT have hardware support. If "True" is located here then you have hardware DEP enabled.
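
The same lookup can be scripted instead of clicked through in wbemtest. The following PowerShell is an added example, not part of the original article: it reads the "DataExecutionPrevention_Available" property used above, plus three sibling properties of Win32_OperatingSystem that the article does not mention, and reports which mode is in effect. The function name Get-DepReport is hypothetical, the policy numbers follow Microsoft's documentation for the class, and the sample object is constructed.

```powershell
# Added example: interpret the DEP properties of Win32_OperatingSystem,
# the class browsed with wbemtest in the steps above.

# DataExecutionPrevention_SupportPolicy values per Microsoft's class documentation.
$DepPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepReport {      # hypothetical helper name
    param($OperatingSystem)   # omit to query the local machine

    if (-not $OperatingSystem) {
        if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
            $OperatingSystem = Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_OperatingSystem
        } else {
            # PowerShell 2.0 on XP/Vista only has Get-WmiObject.
            $OperatingSystem = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem
        }
    }

    $available = [bool]$OperatingSystem.DataExecutionPrevention_Available
    $policy    = [int]$OperatingSystem.DataExecutionPrevention_SupportPolicy
    $name      = $DepPolicyNames[$policy]
    if (-not $name) { $name = "Unknown ($policy)" }

    if (-not $available) {
        $finding = 'No hardware DEP reported; only the software-enforced portion can apply.'
    } elseif ($name -eq 'AlwaysOff') {
        $finding = 'Hardware DEP is present but the configured policy turns DEP off.'
    } elseif ($name -eq 'OptIn') {
        $finding = 'Hardware DEP covers Windows programs and services only (default).'
    } elseif ($name -eq 'OptOut') {
        $finding = 'Hardware DEP covers all programs except those on the exception list.'
    } else {
        $finding = "Hardware DEP policy: $name."
    }

    New-Object PSObject -Property @{
        HardwareDepAvailable = $available
        Policy               = $name
        Protects32BitApps    = [bool]$OperatingSystem.DataExecutionPrevention_32BitApplications
        ProtectsDrivers      = [bool]$OperatingSystem.DataExecutionPrevention_Drivers
        Finding              = $finding
    }
}

# Constructed sample (not captured output): hardware present, default policy.
$sample = New-Object PSObject -Property @{
    DataExecutionPrevention_Available = $true; DataExecutionPrevention_SupportPolicy = 2
    DataExecutionPrevention_32BitApplications = $true; DataExecutionPrevention_Drivers = $true
}
Get-DepReport -OperatingSystem $sample | Format-List
```

Calling Get-DepReport with no argument on a Windows machine queries the live system; like the wbemtest steps, it only reads values and changes no settings.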

Microsoft, Microsoft Office, Windows, Windows XP and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other names have been included in the above text that are trademarks of the respective companies.
