It can cause issues with some older third-party software
Data Execution Prevention (DEP) is one of those ‘blursed’ things. It’s a blessing most of the time when it does its job and doesn’t interfere, but cursed when it does interfere.
Let’s look at DEP and how to configure it, or turn DEP off, depending on your needs.
What Is DEP & What Does It Do?
According to Microsoft, DEP is:
“…a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system.”
Dell simplifies it a bit and tells us that DEP
“…can help protect your computer by monitoring your programs to make sure that they use system memory safely.”
What does that mean? There are certain areas in the computer’s memory which aren’t intended to have code running in them, but sometimes code does run there.
Usually, the code that will run there is malicious. DEP will monitor those areas and if it sees something going on in those areas it will shut it down. If you want to get in-depth about how it works, read Microsoft’s detailed description of Data Execution Prevention.
So Why Does DEP Cause Problems?
Even today, computers are dumb. They cannot reason, they can only use the most basic of logic. Plus, that logic is put into them by humans so computers also get our mistakes put into them.
Sometimes, good programs will wander off into the areas that DEP monitors and work in those spaces.
When this happens, DEP will sometimes shut the entire program down and let you know via an error message. But sometimes DEP will just cause the program to run very poorly and there won’t be anything obvious to tell you why.
What Programs Have Problems With DEP?
Programs that conflict with DEP are typically older programs or built on old codebases. A lot of Enterprise Resource Planning (ERP) software is built on codebases that go back to the 1970s. There was no DEP then, so the program will go into areas that DEP patrols.
64-bit programs were created after DEP was well established, so they were developed to comply. Most programs that conflict with DEP will be 32-bit programs.
Non-Microsoft programs that interact with Windows Services heavily or run their own Windows Services may be tripped up by DEP. If that is the case, the vendor will recommend turning DEP off completely.
For the home user, old games that are 32-bit, and some emulators for playing even older games, are the most likely to conflict with DEP.
Old device drivers or drivers downloaded from unofficial sources may also trigger DEP errors. Only download drivers from the hardware manufacturer or Microsoft, and update your drivers regularly.
How Do I Know If DEP Is The Problem?
You may have to go into Event Viewer and sift through the logs for Event ID 1000. If you find one, it may look like this:
Event ID : 1000 - DEP Error : Generic host for Win32 services
Generic Host Process for Win32 Services - DEP : Application Error
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
You may see other errors referencing things like:
- 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY – occurs when a device driver tries to execute code from memory that is marked as non-executable. It may be a bad or outdated driver. You’ll want to update your drivers.
- STATUS_ACCESS_VIOLATION (0xc0000005) – occurs when programs are trying to run in DEP-protected memory space.
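The Event Viewer search described above can also be scripted. The following PowerShell is an added example, not part of the original article: it pulls Event ID 1000 records that carry exception code c0000005 and counts them per faulting program. The function name Get-AccessViolationCrash, the seven-day window and the field positions noted in the comments are assumptions.

```powershell
# Added example: find Application Error (Event ID 1000) records that carry
# exception code 0xc0000005 and count them per faulting program.
function Get-AccessViolationCrash {
    param([int]$Days = 7)   # look-back window (assumed default)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the event's data fields to strings. Assumption: field 0 is the
        # faulting application and field 3 the faulting module, as on Windows 10.
        $fields = @($e.Properties | ForEach-Object { [string]$_.Value })
        if ($fields -contains 'c0000005') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Program = $fields[0]
                Module  = $fields[3]
            }
        }
    }
}

# An access violation is not proof of a DEP block by itself; programs that
# crash this way repeatedly are the candidates to test with a DEP exception.
Get-AccessViolationCrash |
    Group-Object -Property Program |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'Modules'; Expression = { ($_.Group.Module | Sort-Object -Unique) -join ', ' } }
```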
How To Configure Or Turn Off DEP
In Windows 10, DEP defaults to the setting Turn on DEP for essential Windows programs and services only. Most of the time, this is sufficient. It means that the majority of your programs will be ignored by DEP.
But if DEP helps protect the computer and doesn’t carry a performance hit, you may want to select Turn on DEP for all programs except those that I select. Then, if you find a program that has a problem with DEP, you can add it as an exception. Let’s look at how to do that.
- Open the Control Panel then open System.
- On the left side of the System window, click on Advanced System Settings.
- The System Properties window should open and already be set to the Advanced tab. In the Performance area, click on Settings.
- In the Performance Options window, click on the Data Execution Prevention tab.
- With Turn on DEP for all programs except those that I select selected, click on the Add button near the bottom of the window.
- Navigate to the executable for the program that we’d like to add as an exception. It will most likely be in C:\Program Files (x86).
- In this example, we’re adding MediaMonkey, an old music player utility. Click on the .exe file once we find it and click on Open.
- In Performance Options, click on Apply. Now, MediaMonkey will run outside of DEP protection while all others will run within DEP protection.
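Every program on the exception list runs without DEP, so the list is worth reviewing from time to time. The following PowerShell is an added example, not part of the original article. It assumes the dialog records each exception as a DisableNXShowUI entry under the AppCompatFlags\Layers registry key shown in the code; the function name Get-DepException is hypothetical.

```powershell
# Added example: list programs excluded from DEP and check that each file
# still exists and carries a valid signature.
# Assumption: exceptions are stored as values named after the program's full
# path, with data containing "DisableNXShowUI", under this key.
$layersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Get-DepException {
    if (-not (Test-Path -Path $layersKey)) { return }

    $key = Get-Item -Path $layersKey
    foreach ($name in $key.GetValueNames()) {
        if ([string]::IsNullOrEmpty($name)) { continue }   # skip the default value

        $data = [string]$key.GetValue($name)
        if ($data -notmatch 'DisableNXShowUI') { continue }

        $exists = Test-Path -LiteralPath $name
        [pscustomobject]@{
            Program   = $name
            Exists    = $exists
            # A missing file or an unsigned binary on this list deserves a closer look.
            Signature = if ($exists) {
                (Get-AuthenticodeSignature -LiteralPath $name).Status
            } else {
                'n/a'
            }
        }
    }
}

Get-DepException | Format-Table -AutoSize
```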
Turn DEP Completely Off
If you want to turn DEP completely off, we advise only doing that as part of troubleshooting an issue. DEP is there for your protection.
Since it’s something that isn’t advised, there isn’t a good point-and-click way to do it. Let’s look at how we can turn off DEP.
- Open the Command window as Administrator. Do this by typing cmd in the program search field near the Start menu.
- Enter the command bcdedit.exe /set {current} nx AlwaysOff and press enter.
  - bcdedit.exe is a Windows utility for editing boot configuration data, hence bcdedit.
  - /set tells bcdedit to set an option value entry in the boot configuration.
  - {current} tells bcdedit to work with the boot configuration being used right now.
  - nx is short for no execute and is the setting name for DEP in the boot configuration.
  - AlwaysOff is self-explanatory.
- Restart the computer.
- DEP will now be completely and permanently off.
Turn DEP On For Everything
To turn DEP on for absolutely everything, the process and command are similar to the above.
- Open the Command window as Administrator, following the instructions in the procedure above.
- Enter the command bcdedit.exe /set {current} nx AlwaysOn.
- Restart the computer.
- DEP will be turned on and all programs monitored.
After turning DEP to being always on or always off, it CANNOT be changed via the Data Execution Prevention tab in system settings.
Let’s look at how to change it so that the radio buttons in the DEP tab can be used again.
Set DEP Back To Default Behavior
To set DEP behavior back to default and make it manageable again via system settings, do the following.
- Open the Command window as Administrator.
- Enter the command bcdedit.exe /set {current} nx OptIn.
- Restart the computer.
- Now the radio buttons in the DEP tab in system settings are accessible again.
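To confirm which mode is in effect after any of the bcdedit changes above, compare what Windows is running with what the boot configuration holds. The following PowerShell is an added example, not part of the original article; the function name Get-DepStatus and its output field names are assumptions. It reads the Win32_OperatingSystem WMI class and the output of bcdedit.exe /enum.

```powershell
# Added example: compare the DEP policy Windows is running with the nx value
# stored in the boot configuration. Run from an elevated PowerShell prompt;
# without elevation bcdedit returns no nx line and BootConfigNx shows '(not set)'.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $running = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    # Quote {current} so PowerShell passes it to bcdedit as a literal string.
    $nxLine = bcdedit.exe /enum '{current}' |
        Select-String -Pattern '^\s*nx\s+(\S+)' |
        Select-Object -First 1
    $configured = if ($nxLine) { $nxLine.Matches[0].Groups[1].Value } else { '(not set)' }

    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        RunningPolicy        = $running
        BootConfigNx         = $configured
        # A mismatch means the bcdedit change has not taken effect yet.
        RestartPending       = [bool]($nxLine -and $configured -ne $running)
        # The DEP tab's radio buttons only apply to OptIn and OptOut.
        ManagedFromDepTab    = $running -in 'OptIn', 'OptOut'
    }
}

Get-DepStatus | Format-List
```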
To DEP Or Not To DEP
We recommend leaving DEP on its default setting of Turn on DEP for essential Windows programs and services only, unless it’s necessary to change it to troubleshoot problems that may be DEP-related.