Wednesday, June 4, 2008

Data Execution Prevention & Boot.ini File

Microsoft introduced Data Execution Prevention (DEP) in Windows XP Service Pack 2 (SP2). DEP is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region.

Hardware-enforced DEP: since late 2004, Intel has added NX ("No Execute") functionality to all of its desktop and mobile processors. Before that, the only x86 processors with No-Execute support were the AMD 32/64-bit Opteron and Athlon 64; the Intel Itanium family of 64-bit processors (IA-64 architecture) also supports DEP.

Software-enforced DEP: Windows XP SP2 also uses a software-based form of DEP, which monitors your programs to determine whether they use system memory safely.

DEP is occasionally the cause of software problems; DEP compatibility issues can occur for both programs and drivers.

Disable Data Execution Prevention in XP SP2

Easy way: edit your boot.ini (a hidden file in C:\). Add /execute to the end of the "Windows XP" line. That disables DEP.
For example:
multi(0)disk(0)rdisk(1)partition(3)\WINDOWS="Microsoft Windows XP Professional" /execute

Restart the computer to apply.

To verify the status of DEP:
1. Right-click My Computer, and then click Properties (or click Start, click Run, type sysdm.cpl, and then click OK).
2. On the Advanced tab, click Settings under Performance.
3. Click the Data Execution Prevention tab. If the "Turn on DEP" options are greyed out, DEP has been successfully disabled.

Alternate way to Disable Data Execution Prevention in XP SP2

Software and drivers that refuse to install properly
One can simply disable DEP to get them to work. Boot the machine in safe mode, open a command prompt window, and enter the following exactly as it appears:

bootcfg /raw "/noexecute=alwaysoff /fastdetect" /id 1

This replaces the load options of the first entry in boot.ini (/id 1). If you have a dual- or multi-boot system, however, you will need to edit the boot.ini file manually, changing the /noexecute policy on each entry to alwaysoff.

The install failure could be caused by hardware on this computer, which is why the same failure message does not appear on any other machine.

Editing the Boot.ini file in Windows XP:
To view and edit the Boot.ini file:
1. Right-click My Computer, and then click Properties (or click Start, click Run, type sysdm.cpl, and then click OK).
2. On the Advanced tab, click Settings under Startup and Recovery.
3. Under System Startup, click Edit.

Using the command-line utility Bootcfg.exe:
Note: The Bootcfg.exe utility is only available in Windows XP Professional. It is not available in Microsoft Windows XP Home Edition, so this section does not apply to Windows XP Home Edition.
1. Click Start, and then click Run.
2. In the Open text box, type cmd.
3. At the command prompt, type bootcfg /?
4. The help and parameters for BOOTCFG.exe are displayed.

The Boot.ini file switches are as follows:

* /noexecute=option - There are four options to this switch:
  o OptIn - Default setting. Only Windows system binaries are monitored by DEP.
  o OptOut - Enables DEP for all processes. Users can create a list of applications that are not monitored by DEP, using the DEP configuration options in the System Control Panel applet.
  o AlwaysOn - Enables DEP for all processes. DEP is always applied; exception lists are ignored and not available for users to apply.
  o AlwaysOff - This disables DEP.
* /execute - This also disables DEP.

When the Boot.ini file is set to either /noexecute=AlwaysOff or /execute, Physical Address Extension (PAE) mode is not invoked.

Likewise, on a processor that does not support hardware no-execute page-protection, PAE mode is not invoked.
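As an added example (not code from the original post), here is a small Python audit script that reads a boot.ini and reports which DEP policy each [operating systems] entry will boot with, applying the rules above: /execute or /noexecute=AlwaysOff disables DEP (so PAE is not invoked either), /noexecute=<option> selects a policy, and an entry with neither switch gets the OptIn default. The numeric codes are the ones wmic's DataExecutionPrevention_SupportPolicy reports (listed in the Vista section below); the sample boot.ini is constructed, and treating /execute as overriding a /noexecute= on the same line is an assumption.

```python
import re
# Constructed sample boot.ini for the demo (not taken from a real machine).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(3)\WINDOWS="Microsoft Windows XP Professional" /execute
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Test install" /noexecute=AlwaysOff /fastdetect
"""
# Policy names and the numbers "wmic OS Get DataExecutionPrevention_SupportPolicy" reports.
POLICY_CODE = {"AlwaysOff": 0, "AlwaysOn": 1, "OptIn": 2, "OptOut": 3}
_CANONICAL = {name.lower(): name for name in POLICY_CODE}
# An entry line looks like:  path="Load identifier" /switch /switch=value
_ENTRY = re.compile(r'^(?P<path>[^=\[]+)="(?P<name>[^"]*)"\s*(?P<opts>.*)$')

def dep_policy(options):
    """DEP policy selected by an entry's switches (matched case-insensitively):
    /execute disables DEP (same effect as /noexecute=AlwaysOff), /noexecute=<option>
    picks one of the four policies, and an entry with neither switch boots with
    the XP SP2 default, OptIn. Assumption: /execute wins if both switches appear."""
    policy = "OptIn"
    for switch in options.split():
        sw = switch.lower()
        if sw == "/execute":
            return "AlwaysOff"
        if sw.startswith("/noexecute="):
            value = sw.split("=", 1)[1]
            if value not in _CANONICAL:
                raise ValueError("unknown /noexecute option: " + switch)
            policy = _CANONICAL[value]
    return policy

def parse_boot_ini(text):
    """One dict per [operating systems] entry: name, DEP policy, matching wmic
    code, and whether PAE can be invoked (not when DEP is AlwaysOff; it is also
    skipped on CPUs without NX support, which a file audit cannot see)."""
    entries, in_os = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
            continue
        m = _ENTRY.match(line) if in_os else None
        if m:
            policy = dep_policy(m.group("opts"))
            entries.append({"name": m.group("name"), "policy": policy,
                            "code": POLICY_CODE[policy],
                            "pae_allowed": policy != "AlwaysOff"})
    return entries
```

Running parse_boot_ini on the real C:\boot.ini and comparing each entry's code with the wmic output is a quick way to confirm which entry the machine actually booted with.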

Note: Microsoft recommends that you not disable DEP globally. This would put the computer in a less secure state. (We disable DEP permanently for compatibility but advise installing antivirus, anti-spyware and firewall software for security. Look under the label Protection in this blog for recommendations.)

Repairing or Replacing Boot.ini in Windows XP

Enter the Windows XP Recovery Console. The Recovery Console is an advanced diagnostic mode of Windows XP with special tools that allow you to restore the boot.ini file.

When you reach the command prompt (detailed in Step 6 in the link above), type the following command and then press Enter.

bootcfg /rebuild


The bootcfg utility will scan your hard drives for any Windows XP installations and then display the results. Follow the remaining steps to add your Windows XP installation to the boot.ini file.

The first prompt asks Add installation to boot list? (Yes/No/All).

Type Y in response to this question and press Enter.


The next prompt asks you to Enter Load Identifier:.

This is the name of the operating system. For example, type Windows XP Professional or Windows XP Home Edition and press Enter.

The final prompt asks you to Enter OS Load options:.

Type /Fastdetect here and press Enter.

Take out the Windows XP CD, type exit, and then press Enter to restart your PC.

Assuming that a missing or corrupt boot.ini file was your only issue, Windows XP should now start normally.

Turn Off Data Execution Prevention in Windows Vista

Click on the Start menu and in the search box, type "CMD". Right-click on the CMD shortcut that appears and select Run as administrator.

Then type the following:
bcdedit.exe /set {current} nx AlwaysOff

The command should report that it succeeded.
Restart the computer to apply.

To turn it back on again, type the following:

bcdedit.exe /set {current} nx AlwaysOn

If this does not work, omit {current} and run the command again.
Restart the computer to apply.

To verify the status of DEP:
A) In the command prompt, type wmic OS Get DataExecutionPrevention_SupportPolicy and press Enter.
B) You will get a number that tells you the status of DEP.
C) Close the command prompt when done.
NOTE: 2 is the default setting.
0 = AlwaysOff - DEP is disabled for all processes.
1 = AlwaysOn - DEP is enabled for all processes.
2 = OptIn - DEP is enabled only for Windows system components and services. Default setting.
3 = OptOut - DEP is enabled for all processes. Administrators can manually create a list of specific applications that do not have DEP applied.

To Enable or Disable DEP for IE7

NOTE: This applies to the 32-bit version of IE7. DEP is enabled by default in 64-bit IE7 and disabled by default in 32-bit IE7.
WARNING: Some ActiveX add-ons may not work with DEP on. DEP can cause them to crash and close IE7, preventing it from starting.

1. Open the Start Menu.
2. Click on All Programs, right-click on Internet Explorer, and then click Run as administrator.
NOTE: If you cannot get IE7 to open using step 2, click on All Programs and then Accessories. Next, right-click on Internet Explorer (No Add-ons) and click Run as administrator instead.
WARNING: If you do not use Run as administrator, the "Enable memory protection to help mitigate online attacks" option will be greyed out in steps 5 and 6 below.

3. In IE7, click on Tools -> Internet Options.
4. Click on the Advanced tab.

5. To enable DEP for the 32-bit IE7 -
A) Under Security, check "Enable memory protection to help mitigate online attacks".

6. To disable DEP for the 32-bit IE7 -
A) Under Security, uncheck "Enable memory protection to help mitigate online attacks".

7. Click OK to apply.

How to Fix a Crashing Internet Explorer in Vista

