Friday, December 7, 2012

How to really disable DEP (Data Execution Prevention) / BCDEdit

Windows DEP (Data Execution Prevention) often blocks you or your application from working properly.

If you explore the Windows configuration and Help, you will find:

My computer
  -> Right click
     -> Properties
         -> Advanced System Settings
            -> Performance Settings
               -> Data Execution Prevention

You can set a few options on or off, but this is rarely enough.

In order to REALLY disable DEP, you need to tell Windows at boot time.

For Windows 2003 or Windows XP
You need to go to

My computer
  -> Right click
     -> Properties
         -> Advanced System Settings
            -> Startup and Recovery Settings 

and edit your boot.ini from there,
adding the parameter /NoExecute=AlwaysOff

For Windows Vista or Windows 7
There is a command line tool to do so. Make sure to launch your command prompt "As Administrator" and run the following command, which sets the nx option on the currently booted entry ({current}):
BCDEdit.exe /set {current} nx AlwaysOff

You can also see all your boot options with
BCDEdit /enum

You will see something similar to
Windows Boot Manager
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {5a9684f2-9ec0-11e1-a7c3-00137290c993}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 5

Windows Boot Loader
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {5a9684f6-9ec0-11e1-a7c3-00137290c993}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {5a9684f2-9ec0-11e1-a7c3-00137290c993}
nx                      AlwaysOff

Don't forget, this is a boot option, so you do need to reboot for Windows to take it into account.
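
To check which boot entries carry this setting, here is an added example (not part of the original post) that parses text in the BCDEdit /enum layout shown above and reports the nx value of each Windows Boot Loader entry. The names parse_bcd, audit_nx, POLICY and SAMPLE, and the {constructed-entry} identifier, are made up for this example, and it assumes English-language BCDEdit output.

```python
import re

# Constructed sample in the English `bcdedit /enum` layout (shortened).
SAMPLE = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}

Windows Boot Loader
-------------------
identifier              {current}
nx                      AlwaysOff

Windows Boot Loader
-------------------
identifier              {constructed-entry}
"""

POLICY = {"optin": "DEP on (opt-in)", "optout": "DEP on (opt-out)",
          "alwayson": "DEP on for all processes", "alwaysoff": "DEP off for all processes"}

def parse_bcd(text):
    """Split the listing into entries: a section title plus its elements."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # Drop blank lines and the dashed rule bcdedit prints under a title.
        lines = [l.strip() for l in block.splitlines()
                 if l.strip() and set(l.strip()) != {"-"}]
        if not lines:
            continue
        entry = {"_type": lines[0]}
        for line in lines[1:]:
            parts = line.split(None, 1)
            if len(parts) == 2:  # skips value-only continuation lines
                entry[parts[0].lower()] = parts[1]
        entries.append(entry)
    return entries

def audit_nx(text):
    """Return (identifier, nx value, finding) per Windows Boot Loader entry."""
    results = []
    for e in parse_bcd(text):
        nx = e.get("nx")
        finding = POLICY.get(nx.lower(), "unrecognised nx value") if nx else "nx not set in this entry"
        if e["_type"] == "Windows Boot Loader":
            results.append((e.get("identifier", "?"), nx, finding))
    return results

if __name__ == "__main__":
    print("\n".join("%s  nx=%s  %s" % row for row in audit_nx(SAMPLE)))
```

To audit a real machine, pass the saved output of BCDEdit /enum to audit_nx() in place of SAMPLE.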
