Data Execution Prevention (DEP) is a security feature that helps protect a PC from certain types of security risks such as buffer overflow attacks and memory-based attacks. By exploiting a weakness in a program or system, these hacks may let malicious code execute on a computer. DEP works by designating some sections of memory as non-executable. This means that codes cannot be executed from these locations. This is accomplished by setting a specific bit in its page table entry called NX, which stands for No eXecute, or XD, which stands for eXecute Disabled. In this guide, you will learn how to Disable Data Execution Prevention, and how to determine that hardware DEP is available and configured on your PC.

The OS is responsible for setting the NX bit for the stack and heap memory locations. When a faulty program or malware attempts to execute code from an NX-marked memory page, the CPU will reject it and instead generate an interrupt, causing the OS to shut down the application. This can help prevent some sorts of attacks by making malicious code more difficult to execute. Here are other related posts: Windows Package Manager: How to install applications with Winget CLI, and how to disable modern standby on Windows 10 and 11.

Why should we disable Data Execution Prevention (DEP)?

There are certain situations where it may become necessary to disable Data Execution Prevention (DEP) in order to run certain programs or applications that may not be compatible with DEP. This can happen when a program or application tries to run code from an area of memory that DEP has marked as non-executable, causing the program or application to crash or malfunction.

In some cases, a software developer may have written the code in such a way that it does not comply with DEP, making the software incompatible with DEP. In these situations, turning off DEP may be necessary to run the software.

However, it is important to note that turning off DEP can leave your computer more vulnerable to security threats and should only be done as a last resort.

Another reason is that some applications or scripts may need to run from specific memory locations that DEP marks as non-executable.

How to turn on and turn off Data Execution Prevention (DEP) in Control Panel

Follow the steps below to turn on or turn off DEP support in Control Panel. Press the Windows key and search for Control Panel.

Click on System and Security and then on System from the Control Panel as shown below.

In the System settings, click on Advanced system settings.

In the Advanced tab, click on the Settings button in the Performance section.

Click the Data Execution Prevention tab, and on click “Turn on DEP for all programs and services except those I select.”

YOu can turn off DEP for an individual program. To do so, select the check box next to the program that you want to turn off DEP for, and then click OK.

If the program is not on the list, click Add. Browse to the Program Files folder, and find the executable file for the program (it will have an .exe file name extension), and then click Open.

Click OK, in the System Properties dialog box if it appears, and then click OK again. You might need to restart your computer for the changes to take effect.

How to turn off and turn on DEP support as Boot option via Command Prompt

There are other DEP settings that cannot be changed in the control panel; they can only be set as a boot option using the service program bcdedit in a command prompt with elevated rights.

Follow the steps below to edit the boot configuration file for DEP in recovery mode via the command prompt. Press “Windows key + I key” to open Settings, select System and click on Recovery from the right side.

Select the Restart now button next to the Advanced startup section and click Restart from the follow up prompt.

Select Advanced startup in Recovery — Click on Advanced startup in Recovery

The PC will restart, and show the Advanced options window. Select Troubleshoot from the options displayed, by using the arrow keys from your keyboard.

Select Advanced options.

Choose Command Prompt.

Now, you can enter the following command according to DEP support settings to be enabled or disabled.

One option is to enable DEP support unconditionally. The DEP support options GUI is disabled in this mode, and no exceptions can be specified. Any DisableNX compatibility options will be disregarded as well.

 bcdedit /set {current} nx AlwaysOn

In contrast, the first option is to turn off DEP support completely. With this setting, like with the first option, the DEP support options GUI will also be turned off.

bcdedit /set {current} nx AlwaysOff

To return to one of the GUI switchable modes, use:

bcdedit /set {current} nx OptIn

For the workstation default, which enables DEP support for Windows essential programs and services, or:

bcdedit /set {current} nx OptOut

Enabling DEP support for all executable files as the server default. For the bcdedit command to take effect, the Windows PC must be restarted each time. The output of the following command will show the status (current) in each instance.

bcdedit /enum

How to confirm that hardware DEP is working in Windows via Command Prompt

You can use the Wmic command-line tool to examine the DEP settings. To determine whether hardware-enforced DEP is available, follow these steps:

Press the Windows key to open the Start menu, search for Command Prompt and click to open it.

On the command prompt. Type the command below and press ENTER.

wmic OS Get DataExecutionPrevention_Available

If the output is “TRUE,” hardware-enforced DEP is available.

To determine the current DEP support policy, follow these steps. At the command prompt, type the command and press ENTER:

wmic OS Get DataExecutionPrevention_SupportPolicy

The value returned will be 0, 1, 2 or 3. This value corresponds to one of the DEP support policies that are described in the table below.

DataExecutionPrevention_SupportPolicy property value	Policy Level	Description
2	OptIn (default configuration)	Only Windows system components and services have DEP applied
3	OptOut	DEP is enabled for all processes. Administrators can manually create a list of specific applications that do not have DEP applied
1	AlwaysOn	DEP is enabled for all processes
0	AlwaysOff	DEP is not enabled for any processes

Table source: Microsoft

I hope you find the post helpful. You have learned how to Disable Data Execution Prevention, and determine that hardware DEP is available and configured on your computer. If you have any questions, please leave a comment below.