Windows Tip Sheet
Data Execution Prevention
WinXP SP2 stops unauthorized code, like malware, from running off system memory.
WinXP SP2 supports a hardware standard called Data Execution Prevention (DEP),
a feature of some microprocessors. The idea is to prevent malicious code from
inserting itself into areas of Windows' memory that are reserved for data
rather than executable code. WinXP SP2 also
includes a software version of DEP designed to, in Microsoft's words,
"reduce exploits of exception handling mechanisms in Windows" (read:
stop viruses from taking advantage of our bugs). And it's even on by default.
DEP isn't an antivirus solution: Viruses can still install themselves.
But DEP does keep an eye on system memory where no executable code should live,
and makes sure that it doesn't take up residence there to get itself called
in response to an operating system exception. Essentially, if code tries to
execute from these "non-executable" memory areas, Windows steps
on it.
By default, XP's software DEP is turned on for the core operating system
components, but you can change that: enable it for all programs, disable it
entirely, or add applications to the DEP exception list. You can't
turn off hardware DEP, if your processor has it (many x64 processors do).
A link to the full DEP configuration instructions is below, but the short course
is: Open the Properties of My Computer, select the Advanced tab, and click Settings
under Performance. You'll see a DEP tab where configuration occurs. Enjoy.
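To check the same settings from a script instead of the DEP tab, here is an added example (not from the original tip sheet). It assumes PowerShell 2.0 or later is installed and reads the DEP properties of the Win32_OperatingSystem WMI class, plus the registry key where the DEP tab stores its exception list. The function name Get-DepStatus is made up for this example.

```powershell
# Added example: report the local DEP configuration and flag weak settings.
function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy: 0..3, mapped to the choices in the text
    $policy = switch ([int]$os.DataExecutionPrevention_SupportPolicy) {
        0 { 'AlwaysOff: DEP disabled entirely' }
        1 { 'AlwaysOn: DEP on for everything, exception list ignored' }
        2 { 'OptIn: core operating system components only (default)' }
        3 { 'OptOut: all programs except those on the exception list' }
        default { 'Unknown' }
    }

    # Programs added on the DEP tab are stored here with the data "DisableNXShowUI"
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    $exceptions = @()
    if (Test-Path $key) {
        $exceptions = @((Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'DisableNXShowUI' } |
            ForEach-Object { $_.Name })
    }

    # Settings a defender would want to review
    $warnings = @()
    if ([int]$os.DataExecutionPrevention_SupportPolicy -eq 0) {
        $warnings += 'DEP is turned off system-wide.'
    }
    if (-not $os.DataExecutionPrevention_Available) {
        $warnings += 'Processor does not report hardware DEP; only software DEP applies.'
    }
    if ($exceptions.Count -gt 0) {
        $warnings += "$($exceptions.Count) program(s) are exempt from DEP."
    }

    New-Object PSObject -Property @{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $policy
        ExceptionList        = $exceptions
        Warnings             = $warnings
    }
}

Get-DepStatus | Format-List
```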
Additional Resources:
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.