

Source: http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnf... (printed 9/6/2007 9:44 PM, 11 pages)

How to Configure Memory Protection in Windows XP SP2

Published: December 9, 2004

On This Page

• Introduction
• Before You Begin
• Enabling DEP for all Programs on Your Computer
• Enabling the DEP Exception List
• Configuring System-wide DEP Options
• Related Information

Introduction

Microsoft Windows XP Service Pack 2 (SP2) helps protect your computer against the insertion of malicious code into areas of memory that are reserved for data rather than for code, by implementing a set of hardware-enforced and software-enforced technologies called Data Execution Prevention (DEP). Hardware-enforced DEP is a feature of certain processors that prevents the execution of code in memory regions that are marked as data storage. This feature is also known as No-Execute (NX) and Execution Protection. Windows XP SP2 also includes software-enforced DEP, which is designed to reduce exploits of the exception handling mechanisms in Windows; it validates structured exception handler registrations rather than enforcing page permissions, so it is not a substitute for hardware-enforced DEP.

Unlike an antivirus program, hardware-enforced and software-enforced DEP are not designed to prevent harmful programs from being installed on your computer. Instead, they monitor running programs to help determine whether they are using system memory safely. To do this, hardware-enforced DEP tracks memory locations declared as "non-executable". When memory is declared "non-executable" and a program tries to execute code from that memory, Windows raises an access violation exception in the program and, unless the program handles it, closes the program. This occurs whether the code is malicious or not.

Note: Software-enforced DEP is part of Windows XP SP2 and is enabled by default, regardless of the hardware-enforced DEP capabilities of the processor. By default, software-enforced DEP applies only to core operating system components and services (the OptIn policy level described under Configuring System-wide DEP Options).

The default configuration of DEP is designed to protect your computer with minimal impact on application compatibility. However, depending on your DEP configuration, some programs might not run correctly. You can use the tasks described in this document to configure DEP on your computer:

• Enable DEP for all programs on your computer
• Add programs to the DEP exception list
• Disable DEP for your entire computer

IMPORTANT: The instructions in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

For definitions of security-related terms, see the following:

• "Microsoft Security Glossary" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=35468


For more information regarding DEP, see the following:

• Microsoft Knowledge Base Article 875352 on the Microsoft Help and Support Web site at http://go.microsoft.com/fwlink/?linkid=35494

Before You Begin

This document provides guidance for configuring DEP on Windows XP SP2.

Note: Hardware-enforced DEP is enabled by default on computers with DEP-compatible processors that run Microsoft Windows XP 64-Bit Edition. 64-bit applications will not run from "non-executable" areas of memory, and hardware-enforced DEP cannot be disabled for them. On Windows XP SP2, software-enforced DEP, and DEP enforcement for 32-bit applications on any processor, can be configured per program or system-wide as described in this document.

Enabling DEP for all Programs on Your Computer

The default configuration for hardware and software DEP protects core Windows components and services and has a minimal impact on application compatibility, but you can choose to configure DEP to protect all applications and programs on your computer. Protecting all applications gives you additional protection, but it might lead to additional application compatibility issues. If you configure DEP to protect all applications and programs, you can exempt individual 32-bit applications from DEP protection if they have compatibility issues. You cannot disable hardware DEP or exempt 64-bit applications running on 64-bit Windows XP systems with DEP-compatible processors.

Requirements to perform this task

• Credentials: You must log on to your computer using an account with local Administrator rights.

Configuring DEP to protect all applications

To enable DEP for all applications

1. Click Start, and then click Control Panel.
2. Under Pick a category, click Performance and Maintenance.
3. Under or pick a Control Panel icon, click System.
4. Click the Advanced tab.


Figure 1 System Properties - Advanced tab

5. In the Performance area, click Settings.

Figure 2 Performance Options

6. Click the Data Execution Prevention tab.


Figure 3 Data Execution Prevention tab

7. Select Turn on DEP for all programs and services except for those I select.
8. Click Apply, and then click OK. A dialog box appears and informs you that you must restart your computer for the setting to take effect. Click OK.

Verifying DEP Settings for all Programs Are Applied

To verify DEP settings for all programs are applied

1. Click Start, and then click Control Panel.
2. Under Pick a category, click Performance and Maintenance.
3. Under or pick a Control Panel icon, click System.
4. Click the Advanced tab.
5. In the Performance area, click Settings, and then click Data Execution Prevention.
6. Verify that Turn on DEP for all programs and services except for those I select is selected, and then click OK to close Performance Options.
7. Click OK to close System Properties, and then close Performance and Maintenance.

Enabling the DEP Exception List


If DEP causes a problem with an application, a dialog box appears to let you know.

Figure 4 Dialog box that appears if an application has attempted to execute and has encountered a problem with DEP

In cases where DEP causes application failures, Microsoft strongly recommends that you contact the application vendor to determine whether a DEP-compatible update is available. Installing such an update is the preferred solution for application compatibility issues with DEP.

If no update is available for your application, follow these steps to access and configure the Exception List. The Exception List is the list of applications that are excluded from DEP. Keep the list as short as possible: an exempted program runs without DEP, so a memory-corruption bug in that program becomes exploitable again.

Note: The DEP exception list is only available if the DEP configuration is set to protect all programs and services (OptOut). If you configure your computer to protect only essential Windows components and services (OptIn), the exception list is unavailable.

Requirements to perform this task

• Credentials: You must log on to your computer using an account with local Administrator rights.

Enabling the DEP Exception List

To enable the DEP exception list

1. Click Start, and then click Control Panel.
2. Under Pick a category, click Performance and Maintenance.
3. Under or pick a Control Panel icon, click System.
4. Click the Advanced tab.


Figure 5 System Properties - Advanced tab

5. In the Performance area, click Settings.

Figure 6 Performance Options

6. Click the Data Execution Prevention tab.


Figure 7 Data Execution Prevention tab

7. Click Add.
8. Locate and select the executable for the application that is failing, and then click Open.
9. In the warning box, click OK. The selected program now appears in the DEP program area.
10. Click Apply, and then click OK. A dialog box appears and informs you that you must restart your computer for the setting to take effect. Click OK.

Verifying DEP Exception List Settings Are Applied

To verify DEP exception list settings are applied

1. Click Start, and then click Control Panel.
2. Under Pick a category, click Performance and Maintenance.
3. Under or pick a Control Panel icon, click System.
4. Click the Advanced tab.
5. In the Performance area, click Settings, and then click Data Execution Prevention.
6. Verify that the exception list contains the desired programs, and then click OK to close Performance Options.
7. Click OK to close System Properties, and then close Performance and Maintenance.
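The dialog-driven procedure above records each exemption in the registry, and an installer running with the same administrator rights can add an entry without the DEP dialog ever appearing, so the exception list is worth auditing rather than trusting. The following Python script is an added example written for this page; it is not Microsoft's code and the original page does not ship anything like it. It assumes, from my own knowledge rather than from the page, that the exception list is stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers with the executable's full path as the value name and the compatibility-layer token DisableNXShowUI in the string data; it parses a `reg export` of that key (a .reg text file; the sample below is constructed) and reports exemptions that are not on an approved list.

```python
import re
import sys

DEP_LAYER = "DisableNXShowUI"          # assumed layer token written by the DEP exception list
LAYERS_KEY_SUFFIX = r"\AppCompatFlags\Layers"

# Constructed sample of `reg export` output for the Layers key (paths are made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Program Files\\LegacyApp\\legacy.exe"="DisableNXShowUI"
"C:\\Program Files\\OldGame\\game.exe"="WIN98 DisableNXShowUI"
"C:\\Program Files\\Other\\other.exe"="WINXPSP2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility]
"Unrelated"="value"
'''

# One string value per line: "name"="data", with \\ and \" escapes inside the quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping (doubled backslashes and escaped quotes)."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Return {key path: {value name: string data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def dep_exempt_executables(text):
    """Executables whose compatibility layers include the DEP exemption token."""
    exempt = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(LAYERS_KEY_SUFFIX.lower()):
            continue                     # ignore other keys that happen to be in the export
        for exe, layers in values.items():
            # Layer data is a space-separated list of tokens; match case-insensitively.
            if DEP_LAYER.lower() in (tok.lower() for tok in layers.split()):
                exempt.append(exe)
    return exempt


def audit_exemptions(text, approved):
    """Exempt executables that are not on the approved list (Windows paths compare case-insensitively)."""
    approved_lc = {p.lower() for p in approved}
    return [exe for exe in dep_exempt_executables(text) if exe.lower() not in approved_lc]


if __name__ == "__main__":
    # reg.exe writes exports as UTF-16LE with a BOM; decode accordingly.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    approved = set(sys.argv[2:])
    for exe in audit_exemptions(text, approved):
        print("unapproved DEP exemption:", exe)
```

On the XP machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" layers.reg` and run the script as `python audit_dep_exemptions.py layers.reg "C:\Program Files\LegacyApp\legacy.exe"`, listing the approved executables after the file name. The suffix match on the key name means a per-user export of the same Layers key under HKCU can be audited with the same script.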

Configuring System-wide DEP Options

To make any system-wide change to DEP for your computer, you must modify a switch in the boot.ini configuration file for the Windows installation that you are currently running. The boot.ini switch is:

• /noexecute=Policy_level

Table 1 lists the options for Policy_level.

Table 1 DEP boot.ini policy level options

OptIn (default configuration)
    Only Windows system components and services have DEP protection applied.
OptOut
    DEP is enabled for all processes. Administrators can manually create a list of specific applications which do not have DEP applied (the exception list).
AlwaysOn
    DEP is enabled for all processes; the exception list is ignored.
AlwaysOff
    DEP is not enabled for any processes.

IMPORTANT: After making any changes in the boot.ini file, you must restart your computer.

WARNING: Microsoft recommends that you do NOT disable DEP globally. To do so would make your computer less secure: on 32-bit Windows XP, AlwaysOff turns off both hardware-enforced and software-enforced DEP for every process. Hardware-enforced DEP for 64-bit applications on 64-bit Windows XP cannot be manually disabled.

Requirements to perform this task

• Credentials: You must log on to your computer using an account with local Administrator rights.

Disabling DEP system-wide using boot.ini

To disable DEP using boot.ini

1. Click Start, and then click Control Panel.
2. Under Pick a category, click Performance and Maintenance.
3. Under or pick a Control Panel icon, click System.
4. Click the Advanced tab, and in the Startup and Recovery area, click Settings.

Figure 8 Startup and Recovery settings

5. In the System startup area, click Edit.

Figure 9 Boot.ini file in Notepad

6. In Notepad, click Edit, and then click Find.
7. In the Find what field, type /noexecute, and then click Find Next.
8. In the Find dialog box, click Cancel.
9. Replace the policy level (for example, OptOut) with AlwaysOff (do not include quotation marks).

WARNING: Be sure to enter the text carefully. A typing error in boot.ini can prevent Windows from starting. The same edit sets any other policy level, for example /noexecute=OptOut to protect all programs while keeping the exception list available.

Note: Your boot.ini file switch should now read:

/noexecute=AlwaysOff


10. In Notepad, click File, and then click Save.
11. Click OK to close Startup and Recovery.
12. Click OK to close System Properties, and then restart your computer.

Verifying DEP is Disabled

To verify that DEP is disabled

1. Click Start, and then click Control Panel.
2. Under Pick a category, click Performance and Maintenance.
3. Under or pick a Control Panel icon, click System.
4. Click the Advanced tab.
5. In the Performance area, click Settings, and then click Data Execution Prevention.
6. Verify that the DEP settings are unavailable, and then click OK to close Performance Options.
7. Click OK to close System Properties, and then close Performance and Maintenance.
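The Notepad procedure above and the Table 1 policy levels are a single-machine, hand-edited change. When you need to check the /noexecute policy across many boot.ini files collected from a fleet, or to set OptOut (the value that the "Turn on DEP for all programs and services except for those I select" option corresponds to) rather than AlwaysOff, the same switch can be parsed and rewritten programmatically. The following Python script is an added example written for this page, not Microsoft's code and not something the original page ships. It assumes the boot.ini layout shown in Figure 9 (a [boot loader] section with a default= line and an [operating systems] section whose lines are an ARC path, "=", a quoted description and the switches), treats a missing /noexecute switch as OptIn per Table 1, accepts the switch in any letter case, and runs against a constructed sample file unless a path is given.

```python
import re
import sys

# Constructed sample boot.ini for the example (paths and descriptions are made up).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=OptOut /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINOLD="Windows XP (test)" /fastdetect /NoExecute=AlwaysOff
"""

POLICY_LEVELS = ("OptIn", "OptOut", "AlwaysOn", "AlwaysOff")
DEFAULT_POLICY = "OptIn"          # Table 1: OptIn is the default when the switch is absent
_NX_RE = re.compile(r"/noexecute\s*=\s*(\w+)", re.IGNORECASE)


def parse_boot_ini(text):
    """Return (default ARC path, {ARC path: options string}) from boot.ini text."""
    section, default, entries = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")      # ARC paths never contain '='
        if not sep:
            continue
        if section == "boot loader" and key.strip().lower() == "default":
            default = value.strip()
        elif section == "operating systems":
            entries[key.strip()] = value.strip()
    return default, entries


def policy_of(options):
    """Canonical /noexecute level for one boot entry's option string."""
    match = _NX_RE.search(options)
    if not match:
        return DEFAULT_POLICY
    for level in POLICY_LEVELS:
        if level.lower() == match.group(1).lower():
            return level
    return "UNKNOWN(" + match.group(1) + ")"     # flag for review rather than guess


def audit(text):
    """Map each boot entry to (policy, finding, is_default_entry)."""
    default, entries = parse_boot_ini(text)
    report = {}
    for arc, options in entries.items():
        policy = policy_of(options)
        if policy == "AlwaysOff":
            finding = "FAIL: DEP disabled system-wide"
        elif policy == "OptIn":
            finding = "WARN: only Windows components and services protected"
        elif policy in ("OptOut", "AlwaysOn"):
            finding = "OK"
        else:
            finding = "FAIL: unrecognised policy level"
        report[arc] = (policy, finding, arc == default)
    return report


def set_policy(text, level, arc_path=None):
    """Return boot.ini text with /noexecute=<level> on one entry (or on every entry)."""
    if level not in POLICY_LEVELS:
        raise ValueError("not a valid policy level: " + level)
    out, section = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        key, sep, value = raw.partition("=")
        if section == "operating systems" and sep and (arc_path is None or key.strip() == arc_path):
            if _NX_RE.search(value):
                value = _NX_RE.sub("/noexecute=" + level, value, count=1)
            else:
                value = value.rstrip() + " /noexecute=" + level
            raw = key + "=" + value
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOOT_INI
    for arc, (policy, finding, is_default) in audit(text).items():
        print(("* " if is_default else "  ") + arc + ": " + policy + "  " + finding)
```

Run it as `python audit_noexecute.py C:\boot.ini` (the file is hidden and read-only, so copy it off with administrator rights first); the default boot entry is marked with an asterisk. To remediate, write `set_policy(text, "OptOut")` back to boot.ini and restart, exactly as the manual procedure requires. On the machine itself the effective level can also be read without touching the file: `wmic OS get DataExecutionPrevention_SupportPolicy` returns 0 for AlwaysOff, 1 for AlwaysOn, 2 for OptIn and 3 for OptOut (from my own knowledge of the Win32_OperatingSystem class on XP SP2, not from the page).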

Related Information

For more information about Windows XP SP2 memory protection, see the following:

• "Changes to Functionality in Microsoft Windows XP Service Pack 2 - Part 3: Memory Protection Technologies" on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?linkid=35495

For more information about Windows XP SP2 security, see the following:

• "Windows XP Security Guide v2 updated for Service Pack 2" on the Microsoft Download Center Web site at http://go.microsoft.com/fwlink/?linkid=35309
• "Windows XP Security Guide Appendix A: Additional Guidance for Windows XP Service Pack 2" on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?linkid=35465

For definitions of security-related terms, see the following:

• "Microsoft Security Glossary" on the Microsoft Web site at http://go.microsoft.com/fwlink/?linkid=35468

© 2007 Microsoft Corporation. All rights reserved.