noexecute DEP parameter in boot.ini
The noexecute parameter is a switch in the boot.ini file used to enable, disable, and configure Data Execution Prevention (DEP).
The noexecute switch enables the no-execute protection known as Data Execution Prevention (DEP), which makes the memory manager mark pages containing data as no-execute, so that data pages cannot be executed as code.
This option helps prevent malicious code from exploiting buffer overflow bugs, triggered by unexpected program input, to execute unauthorized code.
Data Execution Prevention is a set of hardware and software methods designed to prevent harmful code from running in protected memory locations. You can find more about Data Execution Prevention at this page: DEP Data Execution Prevention.
Which versions of Windows support noexecute?
The noexecute option is only available on 32-bit versions of Windows running on processors that support no-execute protection.
Data Execution Prevention is always enabled on 64-bit versions of Windows running on processors that support it. DEP is enabled for 64-bit processes by default and cannot be disabled, so 64-bit processes ignore the /noexecute parameter. If you run a 64-bit operating system, the /noexecute parameter affects only the 32-bit processes running on your system.
The /noexecute parameter in your boot.ini file enables software-enforced DEP. If your processor supports Data Execution Prevention, then noexecute also enables hardware-enforced DEP.
What are the possible values for noexecute?
The noexecute switch accepts four different values.
Optin enables Data Execution Prevention only for core operating system components, including the Windows kernel and drivers, plus any executable files an administrator selects in the DEP configuration dialog. This is the Windows default setting.
Optout enables Data Execution Prevention for all images, the operating system and all processes alike, except those excluded in the DEP configuration dialog (System in Control Panel).
Alwayson enables DEP on all images. This option enables DEP for the operating system and all processes. This includes the Windows kernel and drivers. All attempts to disable DEP will be ignored.
Alwaysoff disables Data Execution Prevention (DEP) completely. Attempts to enable DEP selectively will be ignored. On Windows XP with SP2, this subparameter also disables Physical Address Extension (PAE). This switch does not disable PAE on Windows Server 2003 with SP1.
What is the default setting for noexecute?
If the /noexecute parameter is not present in the boot.ini file, all operating systems that support Data Execution Prevention behave as if the parameter was set to /noexecute=optin. When you install Windows Server 2003 with SP1, the installation process adds /noexecute=optout to the boot.ini entry.
Windows XP with SP2 comes by default with the /noexecute=optin setting. You will notice that this parameter is added to your boot.ini after you upgrade from SP1 to SP2.
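To tie the four values and the default rule together, here is an added example (not from the original page) that parses the [operating systems] entries of a boot.ini, reports the effective /noexecute policy for each entry (treating a missing switch as optin), and models whether DEP applies to a given non-OS process under that policy, including the rule that 64-bit processes ignore the switch. The boot.ini content is constructed for the example.

```python
import re

# Constructed sample boot.ini (not from the page): one entry with an explicit
# value, one with a differently cased value, and one with no switch at all.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Windows Server 2003 (hardened)" /fastdetect /noexecute=AlwaysOn
multi(0)disk(0)rdisk(0)partition(3)\\WINDOWS="Windows XP (no switch)" /fastdetect
"""

VALID_POLICIES = ("optin", "optout", "alwayson", "alwaysoff")


def parse_noexecute(boot_ini_text):
    """Return {description: policy} for every [operating systems] entry.
    A missing /noexecute switch is reported as 'optin', the documented default.
    An unrecognised value raises so that a typo is not silently treated as optin."""
    policies = {}
    in_os_section = False
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if not in_os_section or "=" not in line:
            continue
        # Entry format: <ARC path>="<description>" <switches...>
        m = re.match(r'^[^=]+="([^"]*)"(.*)$', line)
        if not m:
            continue
        description, switches = m.group(1), m.group(2)
        sw = re.search(r"/noexecute=(\S+)", switches, re.IGNORECASE)
        policy = sw.group(1).lower() if sw else "optin"
        if policy not in VALID_POLICIES:
            raise ValueError(f"unknown /noexecute value for {description!r}: {policy}")
        policies[description] = policy
    return policies


def dep_applies(policy, process_is_64bit, dep_dialog_listed=False):
    """Whether DEP is enforced for a non-OS process under a boot policy.
    64-bit processes always have DEP and ignore /noexecute. dep_dialog_listed
    means the image appears in the System dialog: opted in under optin,
    excluded under optout."""
    if process_is_64bit or policy == "alwayson":
        return True
    if policy == "alwaysoff":
        return False
    return dep_dialog_listed if policy == "optin" else not dep_dialog_listed
```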
Can Data Execution Prevention be changed in the Windows System dialog?
Data Execution Prevention (DEP) and its related settings can also be changed in the Control Panel -> System screen. See the How to change Data Execution Prevention DEP? page.
Are there any other boot.ini parameters that I should know about?
Yes, you might be interested in knowing about the /fastdetect switch: Fastdetect boot.ini switch.
The /3GB switch is also an important one to know about: 3GB Switch in Windows boot.ini.