Why isn’t DEP on by default when hardware supports it?

Topic

New Reply

Recently I stumbled onto the performance and appearance settings while trying to get rid of shadow text under my icons.

And I noticed that DEP (Data Execution Protection) was set to only protect essential Windows programs, rather than protect all.

My machine supports DEP in hardware.

I turned full checking on, and so far there are no issues. So why isn’t it the default? Is there a hidden problem I’ll see in the future?

Reply | Quote

Replies

It isn’t on by default because there is the possibility of a problem in the future. All the Windows processes and utilities have been tested through DEP, but it isn’t possible for Microsoft to test every conceivable program or utility that might be installed by the end user.

By turning on DEP for all programs and services, you have made yourself aware of a place to look if some future program or utility installation doesn’t seem to work correctly. That’s also the reason you have the ability to add exclusions to DEP, in case there is some future problem with DEP there’s an easy fix.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

Thanks. The issue I see here is that the number of users who will do this is essentially zero!

It would be better if Microsoft supported this by having it on, with really good feedback when a problem was detected to the user could add an exception easily.

Which leads to the obvious question – how valuable is DEP in practice for detecting attacks?

Reply | Quote

http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx

Reply | Quote

If I turn on DEP I have several useful programs from legitimate sources which don’t run.

That’s why the default is “off” – it filters out too much for typical real-world users.

So – if you have to have it switched off in order to do the reasonable things you want to do, it is in practice useless . . .

. . . a bit like passwords which are so long that you have to write them down.

Reply | Quote

I’m slightly confused by your all or nothing approach. DEP lets you list programs to be ignored. Or does that not work in practice?

Reply | Quote

That’s why the default is “off”

There is no “Off” option.

It’s either On for “essential Windows programs and services” or On for “all programs and services except those I select.”

I have it on for all programs and services, I have no exclusions, and I don’t have any issues with anything that I run on my PC’s.

YMMV

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

Recently I stumbled onto the performance and appearance settings while trying to get rid of shadow text under my icons.

And I noticed that DEP (Data Execution Protection) was set to only protect essential Windows programs, rather than protect all.

My machine supports DEP in hardware.

I turned full checking on, and so far there are no issues. So why isn’t it the default? Is there a hidden problem I’ll see in the future?

well what kind of computer are you using, Millwood? and what kind of processor does your computer use? older legacy CPUs/processor chips (such as Intel Pentium 3s, AMD K7s, and older) don’t support hardware DEP and Windows will tell you whether your CPU chip supports hardware DEP or not. Use CPU-Z from the CPUID.com web site to gather info about your processor chip.

Reply | Quote

My machine supports DEP in hardware.

well what kind of computer are you using, Millwood? and what kind of processor does your computer use? older legacy CPUs/processor chips (such as Intel Pentium 3s, AMD K7s, and older) don’t support hardware DEP and Windows will tell you whether your CPU chip supports hardware DEP or not. Use CPU-Z from the CPUID.com web site to gather info about your processor chip.

As noted in the OP, the machine in question does support DEP in hardware. That particular area does not need further investigation

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

It’s on by default on my system.

Maybe someone ran the BCDEDIT command and changed the default settings.

It can be disabled in hardware in BIOS (on most motherboards), but if Windows sees it as enabled in hardware, it’s ON in Windows. I’m not aware of a BCDEDIT switch to enable/disable DEP.[/size]

There is no “Off” option.

It’s either On for “essential Windows programs and services” or On for “all programs and services except those I select.”

I have it on for all programs and services, I have no exclusions, and I don’t have any issues with anything that I run on my PC’s.

YMMV

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

Install EMET 5.1 on your system.
https://support.microsoft.com/en-us/kb/2458544

Reply | Quote

haha! Thanks jwoods!!!! I just can’t keep up.

Reply | Quote