What is Data Execution Prevention (DEP)?

Handling system memory safely, and protecting it from harmful programs that try to run executable code from a data page or a data section at arbitrary memory locations, is a challenging task. The protections built into Windows and its services have been a big step forward in easing that task. This article breaks down Data Execution Prevention (DEP), the pros and cons of software-enforced DEP, and ways of shielding your computer from malicious attempts to run executable code.

These security controls are validated during web application security tests or break-out assessments, which analyse whether untrusted applications can be launched from within restricted environments.

What is Data Execution Prevention (DEP)?

Data Execution Prevention (DEP) is a memory-protection security feature that Microsoft first introduced in Windows XP. Linux and macOS offer the same protection under other names. It prevents malicious code from being executed from memory regions that are meant to hold only data.

In computing, data execution prevention (DEP) is a security feature that can help prevent damage from viruses and other security threats. DEP helps protect your computer by monitoring your programs to make sure that they use system memory safely. If DEP notices a program on your computer using system memory incorrectly, it closes the program and notifies you.

DEP is a protection policy that can be enforced by both hardware and software. A detailed article by Microsoft on hardware-enforced and software-enforced DEP can be read here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb457155(v=technet.10)

What is the reason behind DEP technology?

DEP is important because it can help protect your computer from damage caused by viruses and other security threats. By monitoring your programs and closing them if they use system memory incorrectly, DEP can help prevent data loss or corruption.

This feature marks some regions of a computer’s memory as non-executable. That protects against simple buffer overflow attacks, in which the attacker overflows a buffer to write code onto the stack and then executes it from a location that should hold only data.

To prevent such attacks, Data Execution Prevention was introduced. With this feature enabled, it becomes challenging for the attacker to overflow the buffer and carry out attacks such as the well-known Ret2libc attack, in which the overflow redirects the instruction pointer (IP) to dangerous locations in memory.

With Data Execution Prevention enabled, the vulnerable program does not have execute rights on the memory location that the attacker overflows and points the instruction pointer at, which prevents major attacks.

Enable DEP On Windows 11

With the fundamentals of DEP and how it prevents several memory-related cyber attacks covered, let’s see how to enable and disable it on the latest version of the Windows operating system, Windows 11. Data Execution Prevention is enabled by default on Windows, but there can be reasons to disable it for a particular application so that the application works properly.

So here are the steps:

Step 1:

Open system settings by clicking on the “Start” button and selecting the “Settings” option.

[Screenshot: System Settings]

Step 2:

Click on the “About” entry at the bottom of the System page.

[Screenshot: About page]

Step 3:

Choose “Advanced system settings” in the Device specifications section and press Enter.

[Screenshot: Advanced Settings]

Step 4:

Click on “Settings” under the Advanced tab, and you will be presented with the DEP settings of Windows 11.

[Screenshot: Enable or disable DEP]

Step 5:

Turn DEP on or off according to your need.

Why would I turn off DEP?

From what we have discussed, this technology is a blessing for the security team. So why is there an option to disable it?

The answer is simple. Unlike humans, computers cannot tell good from bad on their own; every decision they make is programmed.

Sometimes a program that is not malicious needs to execute from memory that DEP is protecting. Because of the restriction on that memory region, the legitimate program will not work properly, and so we may be required to disable DEP.
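When one legacy program is the reason, DEP can be relaxed for that single executable rather than for the whole machine. The following PowerShell is an added example, not code from the original post: it uses the Get-ProcessMitigation and Set-ProcessMitigation cmdlets that ship with Windows 10 version 1709 and later (the same settings the Windows Security “Exploit protection” page edits). The process name legacyapp.exe is a placeholder, and Set-ProcessMitigation needs an elevated session.

```powershell
# Added example (not from the original post): exempt a single legacy
# application from DEP instead of switching DEP off for the whole machine.
# "legacyapp.exe" is a placeholder name. A per-process exemption is honoured
# under the OptIn and OptOut boot policies; it is ignored under AlwaysOn.

function Get-DepExemption {
    param([Parameter(Mandatory)][string]$ProcessName)
    # DEP.Enable reads ON, OFF or NOTSET (NOTSET = the system default applies)
    $m = Get-ProcessMitigation -Name $ProcessName
    [pscustomobject]@{
        Process   = $ProcessName
        DepEnable = $m.DEP.Enable
        AtlThunks = $m.DEP.EmulateAtlThunks
    }
}

function Set-DepExemption {
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [switch]$Restore   # put DEP back on for this process
    )
    if ($Restore) {
        Set-ProcessMitigation -Name $ProcessName -Enable DEP
    } else {
        Set-ProcessMitigation -Name $ProcessName -Disable DEP
    }
    # Read the setting back so the change is visible in the output
    Get-DepExemption -ProcessName $ProcessName
}

# Usage
Get-DepExemption -ProcessName 'legacyapp.exe'
# Set-DepExemption -ProcessName 'legacyapp.exe'            # exempt just this one program
# Set-DepExemption -ProcessName 'legacyapp.exe' -Restore   # undo once the app is fixed or upgraded
```

Keeping the exemption per process leaves every other program, including the browser and Office, under DEP, and the -Restore switch makes the change easy to reverse once the vendor ships a DEP-compatible build.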

Turn DEP Completely Off

To turn DEP completely off, open a command prompt as administrator and run the following command on the computer.

[Screenshot: Open Command Prompt]

Open cmd as administrator and run the following command: bcdedit.exe /set {current} nx AlwaysOff

Let’s quickly look at what the command does.

bcdedit.exe is a Windows utility for editing boot configuration data.

/set tells bcdedit to set the value of an entry in the computer’s boot configuration.

{current} tells bcdedit to use the boot entry the system is running from at the moment.

nx is short for ‘no execute’ and is the name of the DEP setting in the configuration.

AlwaysOff explains itself.

[Screenshot: Command to turn OFF DEP]

Similarly, the command given below can be run to enable it.

bcdedit.exe /set {current} nx AlwaysOn

[Screenshot: Command to turn ON DEP]
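The bcdedit nx setting accepts four values, not only the two shown: OptIn (the client default; protects Windows binaries and programs that opt in), OptOut (protects everything except an exception list), AlwaysOn and AlwaysOff. The PowerShell below is an added example, not code from the original post: it reports the policy the running system is enforcing (from the Win32_OperatingSystem CIM class), the value stored in the boot entry (parsed from bcdedit /enum), and wraps the post’s bcdedit command with an elevation check. Set-DepPolicy needs an Administrator session and the change only applies after a reboot.

```powershell
# Added example (not code from the original post): inspect the DEP policy
# Windows is enforcing right now and the "nx" value stored in the boot entry,
# and change the boot-entry value with bcdedit.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy,
# expressed with the names bcdedit accepts for the "nx" setting.
$DepPolicyNames = @{
    0 = 'AlwaysOff'   # DEP disabled for every process
    1 = 'AlwaysOn'    # DEP enforced for every process; no per-app exceptions
    2 = 'OptIn'       # Windows binaries and apps that opt in (client default)
    3 = 'OptOut'      # every process except those on the exception list
}

function Get-DepStatus {
    # Running policy, as reported by the OS through CIM
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Value stored in the boot entry. bcdedit only prints an "nx" line when the
    # value was set explicitly; no line means the OS default (OptIn) applies.
    $nxLine = bcdedit.exe /enum '{current}' |
        Select-String -Pattern '^\s*nx\s+(\S+)' |
        Select-Object -First 1
    $bootNx = if ($nxLine) { $nxLine.Matches[0].Groups[1].Value } else { '(not set; OS default)' }

    [pscustomobject]@{
        Available       = $os.DataExecutionPrevention_Available
        RunningPolicy   = $DepPolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers   = $os.DataExecutionPrevention_Drivers
        BootEntryNx     = $bootNx   # applies after the next reboot
    }
}

function Set-DepPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('OptIn', 'OptOut', 'AlwaysOn', 'AlwaysOff')]
        [string]$Policy
    )
    # bcdedit silently fails without elevation, so check first
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'bcdedit can only change the boot entry from an elevated session.'
    }
    bcdedit.exe /set '{current}' nx $Policy | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed with exit code $LASTEXITCODE"
    }
    "DEP boot policy set to $Policy; it applies after the next reboot."
}

# Usage: show what is in force now, then (optionally) change it
Get-DepStatus | Format-List
# Set-DepPolicy -Policy OptOut     # protect every process, keep per-app exceptions possible
# Set-DepPolicy -Policy AlwaysOff  # the post's command; turns DEP off for everything
```

Comparing RunningPolicy with BootEntryNx is the quick way to tell whether a bcdedit change has actually taken effect yet or is still waiting for a restart.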

Can DEP cause problems?

DEP can cause problems for old software that was not built with DEP in mind. An old codebase might misbehave with DEP enabled, so you might consider changing the DEP setting using the steps shown above.

64-bit programs are built with DEP in mind, so one will seldom face issues with them, but many 32-bit programs have difficulties with DEP because they may not be DEP-compatible builds.

Installing old drivers, or drivers from unverified sources, can also cause DEP errors. Drivers must always be downloaded from the official Microsoft website.

Error messages that help us identify a DEP error

We know that the system is facing a Data Execution Prevention (DEP) error if we see one of the following codes or error messages.

0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY – This stop error tells us that a device driver tried to execute code from system memory that is marked non-executable; it is usually solved by updating the driver.

STATUS_ACCESS_VIOLATION (0xc0000005) – This error occurs when a program tries to run code in memory space protected by DEP.

Event ID 1000 – Application Error, “Generic Host Process for Win32 Services”, DEP – This event also shows that the system is facing a DEP error.
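To find these signatures on a machine without clicking through Event Viewer, the PowerShell below is an added example (not part of the original post). It classifies event message text against the three indicators above, runs that classifier over constructed sample messages shaped like Windows event text, and then over the live Application log (Application Error, Event ID 1000) and System log (Event ID 1001, which records the bugcheck code after an unexpected reboot). The sample messages and the application names in them are made up for the example.

```powershell
# Added example (not from the original post): classify DEP-related error
# signatures in Windows event messages and pull matching events from the logs.
# The sample messages below are constructed for this example, not real logs.

function Test-DepIndicator {
    param([Parameter(Mandatory)][string]$Message)
    # Bugcheck 0xFC (ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY) is specific to
    # executing from non-executable memory. 0xc0000005 is a general access
    # violation: DEP is one possible cause, not the only one, so treat it as a
    # lead to confirm against the faulting module, not as proof.
    if ($Message -match 'bugcheck was:\s*0x000000fc\b')        { return 'NoExecuteBugcheck' }
    if ($Message -match 'ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY') { return 'NoExecuteBugcheck' }
    if ($Message -match 'Exception code:\s*0xc0000005\b')      { return 'AccessViolation' }
    return $null
}

function Get-DepCrashEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Application Error events (ID 1000) carry the faulting module and exception
    # code; ID 1001 in the System log carries the bugcheck code after a reboot.
    $app = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in @($app) + @($sys)) {
        if (-not $e) { continue }   # either query may have returned nothing
        $kind = Test-DepIndicator -Message $e.Message
        if ($kind) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Log       = $e.LogName
                Id        = $e.Id
                Indicator = $kind
                Summary   = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

# Constructed sample messages in the shape Windows writes them (not real logs)
$SampleMessages = @(
    'Faulting application name: legacyapp.exe, version: 1.0.0.0, time stamp: 0x00000000 Exception code: 0xc0000005 Fault offset: 0x0001a2b4',
    'Faulting application name: other.exe, version: 2.3.0.0, time stamp: 0x00000000 Exception code: 0xc0000409 Fault offset: 0x00002f10',
    'The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000fc (0xffff8000abcd1234, 0x8000000012345963, 0xffffd000deadbeef, 0x0000000000000002).'
)
foreach ($msg in $SampleMessages) {
    $kind = Test-DepIndicator -Message $msg
    $label = if ($kind) { $kind } else { 'not DEP-related' }
    '{0,-18} {1}...' -f $label, $msg.Substring(0, 40)
}

# Live query over the last week's logs
Get-DepCrashEvents -Days 7 | Format-Table -AutoSize
```

On the constructed samples the first message is reported as AccessViolation, the second (exception 0xc0000409, a stack buffer overrun check, not a DEP fault) as not DEP-related, and the third as NoExecuteBugcheck. Drive the Days parameter wider when hunting for an intermittent crash, and look at the faulting module named in the 1000 event before concluding that DEP, rather than an ordinary bug, caused the access violation.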

Conclusion

DEP is a security feature enabled by default on the Windows operating system, and it is recommended not to alter it unless absolutely necessary. Its settings should only be changed when you are facing one of the errors mentioned in this post. Data Execution Prevention (DEP) made it difficult for exploit authors to write exploits and malware, and hence it is a great prevention technique for defeating malware and memory-related exploits on our systems. For a successful attack, a disabled DEP is a must for any hacker, and it makes things a lot easier for exploit development.

The post What is Data Execution Prevention (DEP)? appeared first on Cyphere | Securing Your Cyber Sphere.

This is a Security Bloggers Network syndicated blog from Cyphere | Securing Your Cyber Sphere authored by Harman Singh. Read the original post at: https://thecyphere.com/blog/data-execution-prevention/