Disable Data Execution Prevention and determine that hardware DEP is available and configured

Posted on Matthew By Matthew No Comments on Disable Data Execution Prevention and determine that hardware DEP is available and configured
Data Execution Prevention
Data Execution Prevention

Data Execution Prevention (DEP) is a security feature that helps protect a PC from certain types of security risks such as buffer overflow attacks and memory-based attacks. By exploiting a weakness in a program or system, these hacks may let malicious code execute on a computer. DEP works by designating some sections of memory as non-executable. This means that codes cannot be executed from these locations. This is accomplished by setting a specific bit in its page table entry called NX, which stands for No eXecute, or XD, which stands for eXecute Disabled. In this guide, you will learn how to Disable Data Execution Prevention, and how to determine that hardware DEP is available and configured on your PC.

The OS is responsible for setting the NX bit for the stack and heap memory locations. When a faulty program or malware attempts to execute code from an NX-marked memory page, the CPU will reject it and instead generate an interrupt, causing the OS to shut down the application. This can help prevent some sorts of attacks by making malicious code more difficult to execute. Here are other related posts: Windows Package Manager: How to install applications with Winget CLI, and how to disable modern standby on Windows 10 and 11.

Why should we disable Data Execution Prevention (DEP)?

There are certain situations where it may become necessary to disable Data Execution Prevention (DEP) in order to run certain programs or applications that may not be compatible with DEP. This can happen when a program or application tries to run code from an area of memory that DEP has marked as non-executable, causing the program or application to crash or malfunction.

In some cases, a software developer may have written the code in such a way that it does not comply with DEP, making the software incompatible with DEP. In these situations, turning off DEP may be necessary to run the software. 

However, it is important to note that turning off DEP can leave your computer more vulnerable to security threats and should only be done as a last resort.

Another reason is that some applications or scripts may need to run from specific memory locations that DEP marks as non-executable.

How to turn on and turn off Data Execution Prevention (DEP) in Control Panel

Follow the steps below to turn on or turn off DEP support in Control Panel. Press the Windows key and search for Control Panel.

Open Control Panel
Open Control Panel

Click on System and Security and then on System from the Control Panel as shown below.

Open the System settings
Open the System settings

In the System settings, click on Advanced system settings.

Open the Advanced system settings
Open the Advanced system settings

In the Advanced tab, click on the Settings button in the Performance section.

Click the Performance Settings button
Click the Performance Settings button

Click the Data Execution Prevention tab, and on click “Turn on DEP for all programs and services except those I select.”

Select DEP support settings
Select DEP support settings

YOu can turn off DEP for an individual program. To do so, select the check box next to the program that you want to turn off DEP for, and then click OK.

If the program is not on the list, click Add. Browse to the Program Files folder, and find the executable file for the program (it will have an .exe file name extension), and then click Open.

Click OK, in the System Properties dialog box if it appears, and then click OK again. You might need to restart your computer for the changes to take effect.

How to turn off and turn on DEP support as Boot option via Command Prompt

There are other DEP settings that cannot be changed in the control panel; they can only be set as a boot option using the service program bcdedit in a command prompt with elevated rights.

Follow the steps below to edit the boot configuration file for DEP in recovery mode via the command prompt. Press “Windows key + I key” to open Settings, select System and click on Recovery from the right side.

Select Recovery in the System setting
Select Recovery in the System setting

Select the Restart now button next to the Advanced startup section and click Restart from the follow up prompt.

Select Advanced startup in Recovery
Click on Advanced startup in Recovery

The PC will restart, and show the Advanced options window. Select Troubleshoot from the options displayed, by using the arrow keys from your keyboard.

Select Troubleshoot
Click on Troubleshoot

Select Advanced options.

Select Advanced options
Select Advanced options

Choose Command Prompt.

Select Command Prompt
Select Command Prompt

Now, you can enter the following command according to DEP support settings to be enabled or disabled.

One option is to enable DEP support unconditionally. The DEP support options GUI is disabled in this mode, and no exceptions can be specified. Any DisableNX compatibility options will be disregarded as well.

 bcdedit /set {current} nx AlwaysOn

In contrast, the first option is to turn off DEP support completely. With this setting, like with the first option, the DEP support options GUI will also be turned off.

bcdedit /set {current} nx AlwaysOff

To return to one of the GUI switchable modes, use:

bcdedit /set {current} nx OptIn

For the workstation default, which enables DEP support for Windows essential programs and services, or:

bcdedit /set {current} nx OptOut

Enabling DEP support for all executable files as the server default. For the bcdedit command to take effect, the Windows PC must be restarted each time. The output of the following command will show the status (current) in each instance.

bcdedit /enum

How to confirm that hardware DEP is working in Windows via Command Prompt

You can use the Wmic command-line tool to examine the DEP settings. To determine whether hardware-enforced DEP is available, follow these steps:

Press the Windows key to open the Start menu, search for Command Prompt and click to open it.

Open Command Prompt
Open Command Prompt

On the command prompt. Type the command below and press ENTER.

wmic OS Get DataExecutionPrevention_Available
Check DEP status
Check DEP status

If the output is “TRUE,” hardware-enforced DEP is available.

To determine the current DEP support policy, follow these steps. At the command prompt, type the command and press ENTER: 

wmic OS Get DataExecutionPrevention_SupportPolicy
Check DEP policy level
Check DEP policy level

The value returned will be 0, 1, 2 or 3. This value corresponds to one of the DEP support policies that are described in the table below.

DataExecutionPrevention_SupportPolicy property valuePolicy LevelDescription
2OptIn (default configuration)Only Windows system components and services have DEP applied
3OptOutDEP is enabled for all processes. Administrators can manually create a list of specific applications that do not have DEP applied
1AlwaysOnDEP is enabled for all processes
0AlwaysOffDEP is not enabled for any processes
Table source: Microsoft

I hope you find the post helpful. You have learned how to Disable Data Execution Prevention, and determine that hardware DEP is available and configured on your computer. If you have any questions, please leave a comment below.

Rate this post
Security | Vulnerability Scans and Assessment, Windows Tags:, , , , ,

Related Posts

More Related Articles

Windows Server vNext What’s New? Install Windows Server 2025 on Beelink EQ12 PC Windows
Featured image 1 Transfer Windows License from one PC to the other on Windows Windows
servicechannels3 1 Long Term Servicing Branch vs Semi-Annual Channel Windows
Phone Link How to link an iPhone with Windows PC with Phone Link App Windows
Screenshot 2022 04 02 at 22.17.10 How to Install Kubectl on Windows 11 Windows
winn 11 3 Enable HyperV on Windows: How to install Windows 11 on HyperV Windows

Leave a Reply