Exploit Protection settings question

Necrosaro

Necrosaro

Active Member
Hellbovine made this post in another thread and going to make it seperate thread on it. I have disabled DEP but unsure of the others and wanted to check if any performance bonus was gained if any at all. I have defender removed and cannot find the reg files hanging around to edit some of them manually.

Any ideas in the location?

Start > Windows Security > App & browser control > Exploit protection settings > Control flow guard (CFG)
; Start > Windows Security > App & browser control > Exploit protection settings > Data Execution Prevention (DEP)
; Start > Windows Security > App & browser control > Exploit protection settings > Force randomization for images (Mandatory ASLR)
; Start > Windows Security > App & browser control > Exploit protection settings > Randomize memory allocations (Bottom-up ASLR)
; Start > Windows Security > App & browser control > Exploit protection settings > High-entropy ASLR
; Start > Windows Security > App & browser control > Exploit protection settings > Validate exception chains (SEHOP)
; Start > Windows Security > App & browser control > Exploit protection settings > Validate heap integrity
 
For anyone wanting to tinker with those tweaks, download the "Tweaks" folder from this guide (link) and then edit the registry files inside to view their contents. The above tweaks are all contained in the security file. For additional research on tweaks like these or anything else, I would recommend doing some advanced internet searches, using the following three sites to cross-reference tweaks:

- learn.microsoft.com
- admx.help
- tenforums.com

To get really accurate results, I use Boolean Logic, and enter something like the following in a Google search, including the quotation marks: "NoThumbnailCache" site:learn.microsoft.com

It will then search that specific website only, and for that precise search term. You can use this same method to search NTLite forums for words that are less than 4 letters, since the forum does not allow that, by doing a Google search like this: "DEP" site:ntlite.com
 
Last edited:
I should clarify, the ones you listed are a combination tweak, so all 7 of those share the same key. You have to use a registry compare tool and toggle them to find the setting you want. Reinstalling the Security Center and/or Windows would probably make testing easier.

Some of those are responsible for a lot of gaming problems. If you do searches for CFG or ASLR and games, you'll find Reddit posts and stuff from people saying "I turned off X and it totally fixed all stuttering..." These types of security features are what are being added to the newer Windows, which are really the cause of people sticking with older OS or versions for performance.

I'm confident for with enough time and effort you could figure out what changed in the registry between W10 1809 and 1903 or other versions which caused people to stick with those and not upgrade anymore. People just don't dig deep enough in general, and/or know what to look for.
 
Last edited:
Your performance gains will be minimal. Exploit Protection is a class of kernel mitigations to defeat buffer overflows by randomizing memory locations. Instead of assigning memory pages in a predictable (sequential) order, you shuffle the card deck.

If any exploit overflows memory in a process, the overflow lands into a non-adjacent page so the exploit fails. The cost is only taken when new memory pages are assigned, extra tables for tracking memory pools and random number generation.

From an execution side, it's transparent to apps. The downside is if you want to analyze a crash file, you have to pick all the memory pages out of the pile and re-assemble them.

PowerShell is available to import/export the settings.
Code: 
Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml
Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml
 
Hellbovine said:
Those reg keys and a ton of other relevant ones (500+) are all in my Optimized Image in the Gaming Lounge (https://www.ntlite.com/community/index.php?threads/gaming-lounge.2999/). Just download the "Tweaks" folder and then right-click on the .reg files and select "edit" and you can see all of the comments and tweaks :) That's why those things you posted have semicolons on them because they are commented in my tweaks.

I've been trying to get people to look through my files, but it seems nobody is looking at the contents. It has a treasure trove of WORKING tweaks for Windows 10 21H2, as every single key was meticulously researched by me, and thoroughly tested, also making sure that they all "stick" in a clean install using NTLite. I put emphasis on "working" because soooooo many reg tweaks on the internet do not work for the newer OS. Too many places just assume that old tweaks that used to work for XP/Vista/7 translated over to 8/10/11, and/or the info was just always wrong to begin with.

For additonal research, I *always* compare my registry keys against the following websites so that I can not only learn more, but have another layer of verification to the things I figured out on my own using reg compare tools or whatnot:

Admx.help
docs.microsoft
tenforums.com

Here's an example of how I search for something to get really accurate results (Boolean logic). In Google type this exactly as shown, even using the quotation marks:

"NoThumbnailCache" site:admx.help

It will then search that specific website only, and for that precise search term. You can use this same method to search NTLite forums for words that are less than 3 letters, since the forum does not allow that. For example:

"DEP" site:ntlite.com

Happy tweaking!
Click to expand...
Will take a gander there again and see what I can dig up in your treasure chest.
 
garlin said:
Your performance gains will be minimal. Exploit Protection is a class of kernel mitigations to defeat buffer overflows by randomizing memory locations. Instead of assigning memory pages in a predictable (sequential) order, you shuffle the card deck.

If any exploit overflows memory in a process, the overflow lands into a non-adjacent page so the exploit fails. The cost is only taken when new memory pages are assigned, extra tables for tracking memory pools and random number generation.

From an execution side, it's transparent to apps. The downside is if you want to analyze a crash file, you have to pick all the memory pages out of the pile and re-assemble them.

PowerShell is available to import/export the settings.
Code: 
Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml
Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml
Click to expand...
I know it will be minimum but at least it can be shown that they are and not some hokas pokas magic and can be used for future reference if needed.
 
You must log in or register to reply here.
Back
Top