SmoothDesigners

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.

http://support.microsoft.com/kb/875352

There may come a time when have to disbale DEP either for the purpose of troubleshooting a problem or otherwise

Disable Data Execution Prevention (DEP)

1. Right click on My Computer and Select Properties.
2. Click the Advanced tab, and in the Startup and Recovery section, click the Settings button.
3. In the System Startup section, click the Edit button.
4. Now find the text that says /noexecute=OptIn.
5. You need to replace OptIn (which the default) with AlwaysOff.


Be sure to enter this text carefully and exactly as it’s mentioned above. Failure to do so could prevent your computer from booting.

Your boot.ini file should read:/noexecute=AlwaysOff

6. Click File and then click Save.
7. Click OK to close Startup and Recovery window.
8. Click OK to close System Properties windows
9. Restart your computer.

This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support.

Verifying DEP is Disabled

1. Right click on My Computer and select Properties.
2. Click the Advanced tab.
3. In the Performance section, click the Settings button and then click Data Execution Prevention tab.
4. None of the DEP settings should be available.  Click OK to close Performance Settings window.
5. Click OK to close System Properties window.

DEP is now completely disabled. If you want to enable it again, follow this guide but instead of replacing OptIn with AlwaysOff, replace AlwaysOff with OptIn (the default).

Configuration	Description
OptIn	This setting is the default configuration. On systems with processors that can implement hardware-enforced DEP, DEP is enabled by default for limited system binaries and programs that “opt-in.” With this option, only Windows system binaries are covered by DEP by default.
OptOut	DEP is enabled by default for all processes. You can manually create a list of specific programs that do not have DEP applied by using the System dialog box in Control Panel. Information technology (IT) professionals can use the Application Compatibility Toolkit to “opt-out” one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect.
AlwaysOn	This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted-out by using the Application Compatibility Toolkit run with DEP applied.
AlwaysOff	This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor does not run in PAE mode unless the /PAE option is present in the Boot.ini file.

This entry was posted on Sunday, July 26th, 2009 at 5:08 pm and is filed under Security, Windows. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.