DEP Data Execution Prevention

Data Execution Prevention (DEP) helps to prevent an application or service from executing code in a non-executable memory region. Data Execution Prevention DEP is a security feature available in modern Microsoft Windows operating systems.

In simple terms, Data Execution Prevention DEP blocks a malicious program in which a virus or other type of attack has injected a process with additional code and then tries to run the injected code. On a system with Data Execution Prevention DEP enabled, execution of the injected code causes an exception. Data Execution Prevention DEP blocks programs that take advantage of exception-handling mechanisms in Windows.

How does Data Execution Prevention DEP work?

DEP runs in two modes. Data Execution Prevention DEP is a set of hardware and software methods that perform additional checks on memory. These checks help prevent malicious code from running in the memory of your computer.

DEP helps prevent certain exploits or attacks from programs that store code via for example a buffer overflow.

Hardware-enforced Data Execution Prevention DEP...

Hardware-enforced DEP provides instructions to the CPU to mark certain memory pages as nonexecutable. Hardware-enforced DEP technically sets a bit in the page table entry that tells the system to prevent code from being executed from a virtual memory page that should contain only data.

Software-enforced Data Execution Prevention DEP...

Software-enforced Data Execution Prevention protects only user-mode processes. It must be supported by the operating system. Software-enforced DEP does not protect from execution of code in data pages but instead from another type of attack which is called Security Exception Handling (SEH) overwrite.

What is the benefit of using Data Execution Prevention DEP?

The main benefit of Data Execution Prevention DEP is to help prevent your computer from executing code in memory data pages.

In most cases, code is usually not executed from the default heap and stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when a such execution occurs.

Software-enforced DEP supplements the hardware Data Execution Prevention by preventing malicious code from taking advantage of exception-handling mechanisms in Windows.

What is the disadvantage of DEP?

As with many improvements that provide benefits, Data Execution Prevention DEP also introduces some disadvantages. If your system is susceptible to being infected by a virus, it is wise to use Data Execution Prevention DEP on your computer.

Where can I check or change DEP setting on my computer?

If you need to change the Data Execution Prevention DEP setting on your computer, you can do so following these steps:

-> go to the Start menu,
-> Settings,
-> Control Panel,
-> System,
-> Advanced tab,
-> click Settings under Performance,
-> and lastly the Data Execution Prevention tab

The print screen behind the following thumbnail shows this:

The Data Execution Prevention DEP setting can be also implemented in your BOOT.INI file through the NOEXECUTE switch. See the noexecute DEP parameter in boot.ini page for more details.

What versions of Windows support Data Execution Prevention DEP?

Data Execution Prevention DEP was introduced in Windows XP Service Pack 2.

It is also included in Windows XP Tablet PC Edition 2005.

Data Execution Prevention DEP comes in Windows Vista and was also included in Windows Server 2003 Service Pack 1 and later.

Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005 provide support for both hardware and software Data Execution Prevention.

Hardware-enforced DEP must be supported by both the operating system and also the processor on the computer. If the operating system supports DEP, but the processor does then not, only software-enforced DEP is enabled on the system.