  1. #1
    New Lounger
    Join Date
    Dec 2009
    Location
    10546
    Posts
    23
    Thanks
    0
    Thanked 3 Times in 2 Posts

    Why isn't DEP on by default when hardware supports it?

    Recently I stumbled onto the performance and appearance settings while trying to get rid of shadow text under my icons.

    And I noticed that DEP (Data Execution Protection) was set to only protect essential Windows programs, rather than protect all.

    My machine supports DEP in hardware.

    I turned full checking on, and so far there are no issues. So why isn't it the default? Is there a hidden problem I'll see in the future?

  2. #2
    Super Moderator bbearren's Avatar
    Join Date
    Dec 2009
    Location
    Polk County, Florida
    Posts
    3,760
    Thanks
    26
    Thanked 424 Times in 338 Posts
    It isn't on by default because there is the possibility of a problem in the future. All the Windows processes and utilities have been tested through DEP, but it isn't possible for Microsoft to test every conceivable program or utility that might be installed by the end user.

    By turning on DEP for all programs and services, you have made yourself aware of a place to look if some future program or utility installation doesn't seem to work correctly. That's also the reason you have the ability to add exclusions to DEP; in case there is some future problem with DEP, there's an easy fix.
    Create a fresh drive image before making system changes, in case you need to start over!

    "The problem is not the problem. The problem is your attitude about the problem. Savvy?"—Captain Jack Sparrow "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware.
    Unleash Windows

  3. #3
    New Lounger
    Thanks. The issue I see here is that the number of users who will do this is essentially zero!

    It would be better if Microsoft supported this by having it on, with really good feedback when a problem was detected so the user could add an exception easily.

    Which leads to the obvious question - how valuable is DEP in practice for detecting attacks?

  4. #4
    Super Moderator
    Join Date
    Aug 2012
    Location
    Durham UK
    Posts
    6,609
    Thanks
    147
    Thanked 870 Times in 832 Posts

  5. #5
    5 Star Lounger
    Join Date
    Jan 2004
    Location
    Praha
    Posts
    988
    Thanks
    56
    Thanked 105 Times in 90 Posts
    If I turn on DEP I have several useful programs from legitimate sources which don't run.

    That's why the default is "off" - it filters out too much for typical real-world users.

    So - if you have to have it switched off in order to do the reasonable things you want to do, it is in practice useless . . .

    . . . a bit like passwords which are so long that you have to write them down.

  6. #6
    New Lounger
    I'm slightly confused by your all or nothing approach. DEP lets you list programs to be ignored. Or does that not work in practice?

  7. #7
    Super Moderator bbearren's Avatar
    Quote Originally Posted by MartinM View Post
    That's why the default is "off"
    There is no "Off" option.

    It's either On for "essential Windows programs and services" or On for "all programs and services except those I select."

    I have it on for all programs and services, I have no exclusions, and I don't have any issues with anything that I run on my PCs.

    YMMV

  8. #8
    2 Star Lounger
    Join Date
    Jan 2010
    Location
    Los Angeles, California, USA
    Posts
    120
    Thanks
    0
    Thanked 4 Times in 4 Posts
    Quote Originally Posted by Millwood View Post
    Recently I stumbled onto the performance and appearance settings while trying to get rid of shadow text under my icons.

    And I noticed that DEP (Data Execution Protection) was set to only protect essential Windows programs, rather than protect all.

    My machine supports DEP in hardware.

    I turned full checking on, and so far there are no issues. So why isn't it the default? Is there a hidden problem I'll see in the future?
    Well, what kind of computer are you using, Millwood? And what kind of processor does your computer use? Older legacy CPUs/processor chips (such as Intel Pentium 3s, AMD K7s, and older) don't support hardware DEP, and Windows will tell you whether your CPU chip supports hardware DEP or not. Use CPU-Z from the CPUID.com web site to gather info about your processor chip.
    Last edited by np-7930; 2015-03-14 at 22:02.

  9. #9
    Super Moderator bbearren's Avatar
    Quote Originally Posted by Millwood View Post
    My machine supports DEP in hardware.
    Quote Originally Posted by np-7930 View Post
    Well, what kind of computer are you using, Millwood? And what kind of processor does your computer use? Older legacy CPUs/processor chips (such as Intel Pentium 3s, AMD K7s, and older) don't support hardware DEP, and Windows will tell you whether your CPU chip supports hardware DEP or not. Use CPU-Z from the CPUID.com web site to gather info about your processor chip.
    As noted in the OP, the machine in question does support DEP in hardware. That particular area does not need further investigation.

  10. #10
    jwoods
    Guest
    It's on by default on my system.

    Maybe someone ran the BCDEDIT command and changed the default settings.

  11. #11
    Super Moderator bbearren's Avatar
    Quote Originally Posted by jwoods View Post
    It's on by default on my system.

    Maybe someone ran the BCDEDIT command and changed the default settings.
    It can be disabled in hardware in BIOS (on most motherboards), but if Windows sees it as enabled in hardware, it's ON in Windows. I'm not aware of a BCDEDIT switch to enable/disable DEP.
    Quote Originally Posted by bbearren View Post
    There is no "Off" option.

    It's either On for "essential Windows programs and services" or On for "all programs and services except those I select."

    I have it on for all programs and services, I have no exclusions, and I don't have any issues with anything that I run on my PCs.

    YMMV

  12. #12
    jwoods
    Guest
    Quote Originally Posted by bbearren View Post
    I'm not aware of a BCDEDIT switch to enable/disable DEP.
    http://www.thewindowsclub.com/disabl...ion-prevention
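
Added example, not part of any post in this thread: a read-only PowerShell check that reports which of the DEP modes discussed above is in effect, using the standard `Win32_OperatingSystem` properties and the `nx` element shown by `bcdedit`. The registry path used to list exclusions is an assumption about where the DEP tab records them; run it from an elevated prompt so `bcdedit` can read the boot store.

```powershell
# Added example (not from the thread): report the effective DEP/NX policy.
# Nothing here changes any setting.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for all processes)'
    1 = 'AlwaysOn (DEP for all processes, exclusions ignored)'
    2 = 'OptIn (essential Windows programs and services only)'
    3 = 'OptOut (all programs and services except those listed)'
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem

[pscustomobject]@{
    HardwareDepAvailable = $os.DataExecutionPrevention_Available
    Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
    DepForDrivers        = $os.DataExecutionPrevention_Drivers
} | Format-List

# Boot-time setting behind the policy: the "nx" element of the current boot entry.
$nx = bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s+(\S+)'
if ($nx) {
    "Boot entry nx = $($nx.Matches[0].Groups[1].Value)"
} else {
    'No nx element found in the current boot entry (or bcdedit was not run elevated).'
}

# Exclusions added on the DEP tab under OptOut.
# Assumption: they are stored as values whose data contains DisableNXShowUI.
$layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
if (Test-Path $layers) {
    (Get-ItemProperty -Path $layers).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'DisableNXShowUI' } |
        ForEach-Object { "DEP exclusion: $($_.Name)" }
}
```

A policy of OptIn corresponds to the "essential Windows programs and services" choice quoted in the thread, and OptOut to "all programs and services except those I select."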

  13. #13
    5 Star Lounger
    Join Date
    Oct 2013
    Location
    Phoenix, AZ
    Posts
    926
    Thanks
    554
    Thanked 137 Times in 128 Posts
    Install EMET 5.1 on your system.
    https://support.microsoft.com/en-us/kb/2458544

  14. #14
    jwoods
    Guest

  15. The Following User Says Thank You to jwoods For This Useful Post:

    Fascist Nation (2015-03-17)

  16. #15
    5 Star Lounger
    haha! Thanks jwoods!!!! I just can't keep up.
