Suggest a bcdedit template to turn DEP AlwaysOn

pmikep
I was pleased to see a Post-setup template to turn off hibernation.

Now, may I suggest a template to Always Enable DEP?

I know that Win10/11 are supposed to have better memory management. Yet, DEP is still an option under System > Advanced system settings > Advanced > Performance > Data Execution Prevention.

Maybe DEP doesn't make a difference anymore in Win10/11. But I feel better enabling it. And it makes a difference in Win7.

bcdedit with parameters /set {current} nx AlwaysOn

(Or perhaps /set nx AlwaysOn? 'Cause I just installed a Lite'd 21H2 into VBox and the Post-setup command didn't take. I didn't see a DOS box flash after Windows' first start.)

Hmm ... I just installed Guest Additions and rebooted. And now DEP is AlwaysOn.

I don't know whether it was adding Guest Additions or rebooting - or both - that fixed it. (I still didn't see a command window flash open and closed, though.)
 
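A script form of the bcdedit command discussed above, added here as an example (it is not part of the original post and not an NTLite template): it reads the current nx value with bcdedit /enum, sets it, and reads it back so you can confirm the change took. The -Store parameter for an offline BCD store and its sample path are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: set the nx (DEP) boot option with bcdedit
# and read it back. Run from an elevated PowerShell; the new value applies at next boot.
param(
    [ValidateSet('OptIn', 'OptOut', 'AlwaysOn', 'AlwaysOff')]
    [string]$Policy = 'AlwaysOn',

    # Boot entry to modify. bcdedit assumes {current} when no identifier is given, so
    # "/set nx AlwaysOn" and "/set {current} nx AlwaysOn" are the same on a running system.
    [string]$Entry = '{current}',

    # Optional path to an offline BCD store (assumption for illustration: the BCD of a
    # mounted image, e.g. D:\Boot\BCD). Leave empty to use the running system's store.
    [string]$Store = ''
)

function Invoke-Bcdedit {
    param([string[]]$BcdArgs, [string]$Store)
    if ($Store) { $BcdArgs = @('/store', $Store) + $BcdArgs }
    $out = & bcdedit.exe @BcdArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit $($BcdArgs -join ' ') failed: $out" }
    return $out
}

function Get-NxSetting {
    param([string]$Entry, [string]$Store)
    foreach ($line in (Invoke-Bcdedit -BcdArgs @('/enum', $Entry) -Store $Store)) {
        # bcdedit prints the option as "nx                      OptIn"
        if ($line -match '^\s*nx\s+(\S+)\s*$') { return $Matches[1] }
    }
    # No nx line means the entry never had it set; client Windows then behaves as OptIn.
    return 'OptIn'
}

function Set-NxSetting {
    param([string]$Policy, [string]$Entry, [string]$Store)
    Invoke-Bcdedit -BcdArgs @('/set', $Entry, 'nx', $Policy) -Store $Store | Out-Null
}

$before = Get-NxSetting -Entry $Entry -Store $Store
Write-Host "nx before: $before"
if ($before -ieq $Policy) {
    Write-Host "Already $Policy, nothing to change."
} else {
    Set-NxSetting -Policy $Policy -Entry $Entry -Store $Store
    $after = Get-NxSetting -Entry $Entry -Store $Store
    Write-Host "nx after:  $after (effective after reboot)"
}
```

The read-back only proves the BCD entry changed; the kernel reads nx at boot, so the running policy is whatever was in the store at the last restart. A post-setup script that sets nx should therefore be followed by a reboot before you judge whether it "took".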
Why? Data Execution Prevention is enabled by default, in every Windows since W7.

Only uneducated users turn it off because they don't understand what it does. DEP costs almost zero overhead. It's a simple anti-malware stop by marking which memory pages are used as data vs execution. If you try a buffer overflow attack, it increases the chance your overflow overlaps a page not marked for execution, and your process is killed.

Some legacy apps trigger this protection by accident, and you can add DEP exceptions through the UI, or by regedit.

W10/11 kernel protections have continuously improved with tighter security mechanisms. Many of those protections now annoy a great deal of NTLite users (gamers), and they always disable them for performance. In the absence of tighter security, there's no point disabling DEP when it costs virtually nothing to run.

There's no reason to add a template, when it's on by default unless you changed it.
 
You know more than I do, but my understanding is that AlwaysOn is different from the standard Opt-In setting, in that AlwaysOn enforces DEP for every program/process. This fellow thinks so too.

I agree and I understand that Win10/11 kernel protections are better than Win7. So perhaps DEP AlwaysOn isn't "needed" for 10/11. But there are a few of us Old Timers who still use Win7 and having the template would be nice.

What's the harm in offering it?
 
Using your logic, why advocate for AlwaysOn instead of OptOut?

How to confirm that hardware DEP is working in Windows

DataExecutionPrevention_SupportPolicy value   Policy level                    Description
2                                             OptIn (default configuration)   Only Windows system components and services have DEP applied
3                                             OptOut                          DEP is enabled for all processes. Administrators can manually create a list of specific applications that do not have DEP applied
1                                             AlwaysOn                        DEP is enabled for all processes
0                                             AlwaysOff                       DEP is not enabled for any processes

DEP is known for killing legitimate apps, and there are instructions out there on how to add exceptions for them. AlwaysOn will prevent those legacy apps from being allowed to run.

I'm not nuhi, but to me templates should be reserved for items with universal recognition. There's no confusion in "disabling hibernation".
Adding "DEP AlwaysOn" will lead to confusion to the casual user.

Now what would be a better feature, is a customizable list of personal templates so you can add your own lines.
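To check which of the four levels in that table a machine is actually running, rather than what the BCD store says, here is an added example (not from the post or the linked article) that reads the DataExecutionPrevention_* properties of the Win32_OperatingSystem CIM class and decodes the SupportPolicy value. The $ExpectedPolicy value is an assumption standing in for whatever a post-setup script wants to enforce.

```powershell
# Added example, not from the post or the linked article: read the DEP policy the running
# Windows reports through Win32_OperatingSystem and decode it with the table above.
$PolicyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn'
    3 = 'OptOut'
}

function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $value = [int]$os.DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        AppliedTo32BitApps   = [bool]$os.DataExecutionPrevention_32BitApplications
        AppliedToDrivers     = [bool]$os.DataExecutionPrevention_Drivers
        SupportPolicy        = $value
        SupportPolicyName    = $PolicyNames[$value]
        ExceptionsHonored    = ($value -eq 3)   # only OptOut consults the exception list
    }
}

# Which policy your post-setup script expects; assumption for illustration (3 = OptOut).
$ExpectedPolicy = 3

$status = Get-DepStatus
$status | Format-List

if (-not $status.HardwareDepAvailable) {
    Write-Warning 'Hardware DEP (NX/XD) is not reported as available; check the firmware setting.'
}
if ($status.SupportPolicy -ne $ExpectedPolicy) {
    Write-Warning ("DEP policy is {0} ({1}), expected {2} ({3}). A bcdedit nx change only shows here after a reboot." -f $status.SupportPolicy, $status.SupportPolicyName, $ExpectedPolicy, $PolicyNames[$ExpectedPolicy])
}
```

This is the check worth putting at the end of a post-setup script: it tells you the effective policy after the reboot, and the ExceptionsHonored field makes the practical difference between AlwaysOn and OptOut visible without re-reading the table.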
 
OK. I'm still cranky with a flu. Why not have NTLite add a new System setting, and allow you to pick a mode?
Then it will modify the image's BCD store for you.
 
You know more than I do, but my understanding is that AlwaysOn is different from the standard Opt-In setting, in that AlwaysOn enforces DEP for every program/process. This fellow thinks so too.

I agree and I understand that Win10/11 kernel protections are better than Win7. So perhaps DEP AlwaysOn isn't "needed" for 10/11. But there are a few of us Old Timers who still use Win7 and having the template would be nice.

What's the harm in offering it?
DEP does offer a performance boost only in old systems (AMD FX) and down, due to slower bandwidth of RAM. If newer system (Ryzen or DDR4 RAM and up), leave it be.

I tested this on old and new systems and the new systems do not benefit at all!
 
Adding "DEP AlwaysOn" will lead to confusion to the casual user.
I agree that this will cause confusion and even induce people to use this without knowing what it does thinking there is some advantage since it exists as an option.

I don't understand the point of messing with DEP.
 
This setting only affects 32-bit binaries.

The default is also only to enable it on Microsoft binaries, so wouldn't break 32-bit games etc.

A problem with setting always on is it also disables the compatibility shims, so you're much more likely to get breakage.

64-bit binaries will have DEP enabled by default regardless.

Opt out is safer as it at least allows adding exclusions and shims will work. But don't be surprised if you have to add exceptions now and again.
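Since the thread keeps coming back to exceptions, here is an added example (not from the post) of listing and adding per-application DEP exceptions the way the System Properties DEP tab records them: a value under HKLM\...\AppCompatFlags\Layers whose name is the exe path and whose data carries the DisableNXShowUI flag. It also checks the running policy first, because these entries are only consulted under OptOut; under AlwaysOn they are ignored and the legacy app just gets killed, which is the breakage described above. The sample exe path is a constructed placeholder.

```powershell
# Added example, not from the post: list and add per-application DEP exceptions under
# AppCompatFlags\Layers (the key the System Properties > DEP tab writes to). Honored only
# under OptOut; ignored under AlwaysOn. Run elevated to write HKLM.
$LayersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Get-DepExceptions {
    if (-not (Test-Path $LayersKey)) { return }
    $key = Get-Item -Path $LayersKey
    foreach ($path in $key.GetValueNames()) {
        # Each value name is an exe path; the data is a space-separated list of compat flags.
        $flags = [string]$key.GetValue($path)
        if (($flags -split '\s+') -contains 'DisableNXShowUI') {
            [pscustomobject]@{ ExePath = $path; Flags = $flags }
        }
    }
}

function Add-DepException {
    param([Parameter(Mandatory)][string]$ExePath)
    if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
    $key = Get-Item -Path $LayersKey
    # Keep any other shims already recorded for this exe and just add the DEP one.
    $flags = @(([string]$key.GetValue($ExePath)) -split '\s+' | Where-Object { $_ })
    if ($flags -notcontains 'DisableNXShowUI') { $flags += 'DisableNXShowUI' }
    Set-ItemProperty -Path $LayersKey -Name $ExePath -Value ($flags -join ' ') -Type String
}

function Test-DepExceptionsHonored {
    # Exceptions are only consulted under OptOut (DataExecutionPrevention_SupportPolicy = 3).
    $policy = [int](Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    return ($policy -eq 3)
}

# Usage. The path is a constructed placeholder; point it at the real legacy binary.
$legacyExe = 'C:\Program Files (x86)\LegacyVendor\oldapp.exe'
if (-not (Test-DepExceptionsHonored)) {
    Write-Warning 'DEP policy is not OptOut: this exception is ignored under AlwaysOn and unnecessary under OptIn/AlwaysOff.'
}
Add-DepException -ExePath $legacyExe
Get-DepExceptions | Format-Table -AutoSize
```

The value data is treated as a list rather than overwritten, so an exe that already has a compatibility layer recorded (for example a Windows version shim) keeps it when the DEP exception is added.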
 