Everything You Need to Know About Windows Data Execution Prevention or DEP
By Timothy Tibbetts |
Data Execution Prevention or DEP is a feature introduced in Windows XP Service Pack 2 that is still part of Windows today. In short, it's a hardware and software technology that marks memory regions meant for data as non-executable so that malicious code planted there cannot run. A more straightforward way to describe DEP is that it monitors all processes and services and stops a program the moment it tries to execute code out of memory that should only hold data, such as the stack or heap. Here's everything you need to know.
You can enable, disable, or even strengthen or weaken your DEP protection, but it's usually best left alone. That said, sometimes you need to make changes to DEP. We suggest you make a restore point before you begin.
Verify Your Data Execution Prevention Status
If you're not sure what your DEP status is, open an elevated command prompt and type in wmic OS Get DataExecutionPrevention_SupportPolicy. You will see a number from 0-3 appear that tells you your status.
0 – DEP is disabled for all processes (the AlwaysOff policy).
1 – DEP is enabled for all processes with no exceptions (AlwaysOn).
2 – DEP is enabled for only Windows system components and services (OptIn, the default).
3 – DEP is enabled for all processes except those you choose to exclude (OptOut).
Enable or Disable Data Execution Prevention System Wide
Should you need to enable or disable DEP, again open an elevated command prompt.
To disable DEP, type bcdedit.exe /set {current} nx AlwaysOff; to re-enable DEP, type bcdedit.exe /set {current} nx AlwaysOn. A reboot is needed for the new setting to take effect.
If you receive an error that says "This value is protected by Secure Boot Policy and cannot be modified or deleted" then you'll need to enter your BIOS (UEFI) setup to disable Secure Boot. Booting into your BIOS setup varies by motherboard and is for advanced users only, but we can give you the basics.
Reboot and watch the screen for something like "press F10 to enter setup." Typical keys are F1, F2, F10, or Delete. Press whatever key it says to enter BIOS setup. Again, the BIOS setup varies by motherboard, although typically you will find the Secure Boot options under the System Configuration, Security, Boot or Authentication tabs. Once you find it, select it and set it to Disabled. Reboot to apply the changes.
Enable or Disable Data Execution Prevention for Specific Programs
By default, DEP is on for essential programs. You can, however, whitelist any programs you want individually. To do this, open Windows Explorer or File Explorer. Right-click This PC or Computer and select Properties.
Next, click on Advanced system settings and the System Properties window will open. Click on the Advanced tab and once again click on Settings under the Performance section. Performance Options will open; finally, click on the Data Execution Prevention tab. Phew.
To whitelist a program, select "Turn on DEP for all programs and services except those I select" and then click on Add. You'll need to know the executable name; browse to it and click OK. You'll need to do this for each program or service. However, it's not something you often need to use.
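The status check, the bcdedit setting and the per-program exemption list from the sections above can all be audited read-only from one elevated PowerShell session. This is an added example, not code from the article: the Win32_OperatingSystem properties and the bcdedit output format are standard Windows, while the AppCompatFlags registry location where the dialog's exemptions are recorded is the writer's assumption, not something the article states.

```powershell
# Added example (not from the original article): audit the DEP settings the
# article describes from an elevated PowerShell session. Nothing is changed.

# 1. The WMI policy number the article reads with wmic, mapped to the bcdedit
#    "nx" name that corresponds to the same number.
$policyNames = @{
    0 = 'AlwaysOff - DEP disabled for all processes'
    1 = 'AlwaysOn  - DEP enabled for all processes, no exceptions'
    2 = 'OptIn     - DEP only for Windows components and services (default)'
    3 = 'OptOut    - DEP for all processes except those excluded'
}
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"Hardware DEP available : $($os.DataExecutionPrevention_Available)"
"Support policy         : $policy ($($policyNames[$policy]))"

# 2. The boot entry value that 'bcdedit /set {current} nx ...' changes, parsed
#    from bcdedit's text output. No nx line means the default (OptIn) applies.
$nxLine = bcdedit /enum '{current}' | Where-Object { $_ -match '^\s*nx\s+' }
$nx = if ($nxLine) { ($nxLine -split '\s+')[-1] } else { '(not set, defaults to OptIn)' }
"bcdedit nx entry       : $nx"

# 3. Per-program exemptions added through the System Properties dialog.
#    Assumption: Windows stores them as AppCompat layer entries whose data
#    contains DisableNXShowUI, keyed by the executable's full path.
$layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
if (Test-Path $layers) {
    $item   = Get-Item $layers
    $exempt = $item.GetValueNames() | Where-Object { $item.GetValue($_) -match 'DisableNX' }
    if ($exempt) {
        "Programs exempted from DEP (effective only under the OptOut policy):"
        $exempt | ForEach-Object { "  $_" }
    } else {
        "No per-program DEP exemptions found."
    }
} else {
    "No AppCompat layers key present; no per-program exemptions recorded."
}
```

Run it before and after any bcdedit change to confirm the policy number and the nx entry agree; a mismatch usually means the reboot has not happened yet.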
Disable DEP in Internet Explorer 11 or Edge
DEP can also be disabled for Internet Explorer 11 only. Press the Windows Key + S, begin typing internet options and click on Internet Options. Click on the Advanced tab and scroll down to the Security section. Uncheck "Enable memory protection to help mitigate online attacks."
As far as we can tell, this option was removed in Windows 10 and Microsoft Edge, most likely because of Windows Defender SmartScreen and the other security features built into Windows and Edge.
That should cover all you need to know about DEP. Any questions or anything we missed, feel free to ask in the comments below.