4.5 Other Memory Protection Features

Note: Hardware-enforced DEP can only function if PAE has also been enabled. The good news is that Windows will typically enable PAE automatically when hardware-enforced DEP is activated. You can verify this with the BCDedit.exe tool.

DEP is configured at boot time per the nx policy setting in the boot configuration data. You can view the current policy via the following command:

Bcdedit /enum all | findstr nx

There are four system-wide policies that Windows can adhere to (see Table 4.7).

Table 4.7 DEP Policies

Policy      Description
OptIn       DEP is enabled for system modules only; user applications must explicitly opt in
OptOut      DEP is enabled for all modules; user applications must explicitly opt out
AlwaysOn    Enables DEP for all applications and disables dynamic DEP configuration
AlwaysOff   Disables DEP for all applications and disables dynamic DEP configuration

You can set DEP policy at the command line using BCDedit.exe:

Bcdedit /set nx AlwaysOn
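As an added illustration (not code from the book), the following PowerShell function reads the nx and pae elements that bcdedit reports for the current boot entry and maps the policy onto the categories of Table 4.7, including whether per-process (dynamic) DEP configuration is still possible. The function name is hypothetical and the bcdedit output shown at the bottom is constructed so the function can be exercised offline.

```powershell
# Added example: interpret the DEP (nx) and PAE boot settings reported by bcdedit.
# Live use requires an elevated shell, since bcdedit.exe needs administrator rights.
function Get-DepBootPolicy {
    param(
        # Raw bcdedit output; by default query the current boot entry
        [string[]]$BcdOutput = (& bcdedit.exe /enum '{current}')
    )

    # Descriptions taken from Table 4.7
    $policies = @{
        'OptIn'     = 'DEP for system modules only; user applications must explicitly opt in'
        'OptOut'    = 'DEP for all modules; user applications must explicitly opt out'
        'AlwaysOn'  = 'DEP for all applications; dynamic DEP configuration disabled'
        'AlwaysOff' = 'DEP disabled for all applications; dynamic DEP configuration disabled'
    }

    $nx = $null; $pae = $null
    foreach ($line in $BcdOutput) {
        if ($line -match '^\s*nx\s+(\S+)')  { $nx  = $Matches[1] }
        if ($line -match '^\s*pae\s+(\S+)') { $pae = $Matches[1] }
    }
    # bcdedit omits an element that was never set; assumption: treat a missing nx
    # element as the OptIn default and a missing pae element as "Default".
    if (-not $nx)  { $nx  = 'OptIn' }
    if (-not $pae) { $pae = 'Default' }

    [pscustomobject]@{
        NxPolicy            = $nx
        Description         = $policies[$nx]
        # Only OptIn/OptOut leave SetProcessDEPPolicy usable by individual processes
        DynamicConfigAllowed = ($nx -eq 'OptIn' -or $nx -eq 'OptOut')
        PaeSetting          = $pae
    }
}

# Constructed sample of bcdedit output (not captured from a real system)
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
nx                      AlwaysOn
pae                     ForceEnable
'@ -split "`r?`n"

Get-DepBootPolicy -BcdOutput $sample | Format-List
```

Run it without the -BcdOutput argument, from an elevated prompt, to check the machine you are actually sitting at.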

You can also set DEP policy by opening the Performance Options window via Advanced System Properties (see Figure 4.7). This GUI interface, however, doesn't let you specify the AlwaysOn or AlwaysOff policies. It only allows you to specify the OptIn or OptOut policies.

If dynamic DEP configuration has been enabled, an individual process can opt in or opt out of DEP using the following API call declared in Winbase.h:

BOOL WINAPI SetProcessDEPPolicy(_In_ DWORD dwFlags);

If dwFlags is zero, DEP is disabled for the invoking process. If this input parameter is instead set to 1, it permanently enables DEP for the life of the process.

Note: Applications that are built with the /nxcompat linker option are automatically opted in to DEP.
