
DEP – Data Execution Prevention In Windows

July 7, 2009

DEP stands for Data Execution Prevention and is a security feature of the Microsoft Windows operating system. Data Execution Prevention (DEP) can be enforced by hardware, by software, or by both, to prevent an application or service from executing code from a non-executable memory region.

DEP prevents code execution from data pages, such as the default heap pages, various stack pages, and memory pool pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. If the exception is unhandled, the process will be stopped. Execution of code from protected memory in kernel mode causes a Stop error.

Modes of Data Execution Prevention (DEP):

Data Execution Prevention (DEP) helps prevent certain exploits, for example those that place code in memory through a buffer overflow and then try to run it. There are two modes by which DEP can be enforced.

  • Hardware-enforced DEP, for CPUs that can mark memory pages as non-executable, and
  • Software-enforced DEP, for CPUs that do not have hardware support. Software-enforced DEP provides only limited DEP support: it does not protect against execution of code in data pages, but instead offers protection from a different type of attack, namely SEH overwrite.

Hardware-enforced DEP:

Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code. A class of attacks exists that tries to insert and run code from non-executable memory locations. Hardware-enforced DEP helps prevent these attacks by intercepting them and raising an exception.

In Windows Vista, DEP works by marking certain parts of memory as intended to hold only data; a processor with the NX or XD bit enabled then treats those regions as non-executable. This helps prevent buffer overflow attacks from succeeding. In Windows Vista, the DEP status of a process can be viewed on the Processes tab of the Windows Task Manager.

Hardware-enforced DEP relies on the NX bit (no-execute page-protection feature) on AMD CPUs and the XD bit (Execute Disable Bit feature) on Intel CPUs, through the automatic use of the PAE kernel on 32-bit Windows and native support in 64-bit kernels.

To test whether your system has a CPU that can enforce DEP:

  • Open the Start menu, right-click “My Computer” and choose “Properties” from the context menu.
  • In the “System Properties” window, click the “Advanced” tab.
  • Click the “Settings” button under “Performance”.
  • Click the “Data Execution Prevention” tab.

If your system lacks a CPU that supports DEP, the following message will be highlighted in yellow and present at the bottom of the tab.

Your computer’s processor does not support hardware-based DEP. However, Windows can use DEP software to help prevent some types of attacks.

If there is no such message as above, then your CPU is presumed to support DEP.
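The same check can be done from the command line instead of the dialog. The script below is an added example and is not part of the original post; it assumes a Windows machine with PowerShell and reads the DataExecutionPrevention_* properties of the Win32_OperatingSystem CIM class plus the nx entry that bcdedit reports for the current boot entry.

```powershell
# Added example: report DEP status without opening System Properties.
# Win32_OperatingSystem exposes whether the CPU/kernel can do hardware DEP
# and which system-wide policy is in force.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Meaning of DataExecutionPrevention_SupportPolicy, per the WMI class documentation.
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for all processes)'
    1 = 'AlwaysOn  (DEP enforced for all processes, no exceptions)'
    2 = 'OptIn     (only Windows system binaries are protected; client default)'
    3 = 'OptOut    (all processes protected except listed exceptions; server default)'
}

# $false here corresponds to the yellow "does not support hardware-based DEP"
# message on the DEP tab: the CPU lacks NX/XD, or the 32-bit kernel is not using PAE,
# so only software-enforced DEP is in effect.
$hwDep = [bool]$os.DataExecutionPrevention_Available

[pscustomobject]@{
    HardwareDepAvailable    = $hwDep
    PolicyCode              = $os.DataExecutionPrevention_SupportPolicy
    Policy                  = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    DriversProtected        = $os.DataExecutionPrevention_Drivers
    ThirtyTwoBitAppsCovered = $os.DataExecutionPrevention_32BitApplications
} | Format-List

if (-not $hwDep) {
    Write-Warning 'This processor does not support hardware-based DEP; only software-enforced DEP applies.'
}

# On Vista and later the policy is stored in the boot configuration; the 'nx' line
# shows OptIn, OptOut, AlwaysOn or AlwaysOff. bcdedit needs an elevated prompt.
bcdedit /enum '{current}' | Select-String -Pattern '^nx'
```

Run it from an elevated PowerShell prompt so that the bcdedit line succeeds; the CIM query itself works without elevation.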

Software-enforced DEP:

Software-enforced DEP works by checking whether the handler invoked for a thrown exception is registered in the application's function table, and it requires the program to be built with that table. It thereby blocks malicious code that takes advantage of the exception-handling mechanisms in Windows. By default, software-enforced DEP protects only a limited set of system binaries, regardless of the processor's hardware-enforced DEP capabilities.

In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced both by hardware and by software. Though hardware-enforced DEP is available from Windows XP SP2 onwards, the ASLR (address space layout randomization) feature is available only on Windows Vista and Windows 7.

Benefits of DEP:

The primary benefit of DEP is that it helps block a class of security intrusions. Specifically, DEP can help stop a malicious program in which a virus or other attack has injected additional code into a process and then tries to run that injected code. On a system with DEP, execution of the injected code causes an exception. Software-enforced DEP can help block programs that take advantage of the exception-handling mechanisms in Windows.

DEP is occasionally the cause of software problems, usually with older software. Users have experienced problems running various command-line commands that are part of Microsoft's Services for Unix, which is included with Vista as well as Windows Server 2003 R2.

In most cases, the problems may be solved by disabling the DEP features. You can read about how to enable or disable DEP in our next post.


One Response to “DEP – Data Execution Prevention In Windows”

  1. Erik said:

    Hi,

    Is there a way to disable Hardware-enforced DEP and switch to use Software-enforced DEP?

    I need to do it temporarily in order to determine whether this is the cause that I have for recurring failing of an application I have.
    It works on one Vista machine and not on the other, and as far as I could see the above was the only difference between the two machines.

    Thanks,
    Erik
