Archive: DEP checking/enabling/disabling


DEP checking/enabling/disabling
  Can anyone help me with this issue? How can I check if DEP is enabled, and after that disable it during the installation or something like that?


!include LogicLib.nsh ; provides ${If}/${Else}/${EndIf}
!define PF_NX_ENABLED 12

System::Call kernel32::IsProcessorFeaturePresent(i${PF_NX_ENABLED})i.r0

${If} $0 != 0
DetailPrint "NX enabled"
${Else}
DetailPrint "NX disabled"
${EndIf}

In System -> Advanced -> Performance -> Settings -> Data Execution Prevention, there are two options:
- Turn on DEP for essential Windows programs and services only.
- Turn on DEP for all programs and services except those I select:

How do I check which one is currently selected using NSIS?
I need my installer to change this setting to the first option (DEP for essential Windows.. only).


There are actually four DEP modes; AlwaysOn, AlwaysOff, OptIn, or OptOut.

I think the setting might be stored in boot.ini on XP (maybe in the registry as well) and you could probably find out with bcdedit (or whatever it's called) on Vista.


Thanks for the quick reply..
I'm quite new to installers & not very familiar with the Windows registry.
Where is boot.ini located, and what's the name of the entry in the Windows registry?


I don't know if there is a registry entry, that was just a guess.

For boot.ini you probably have to do something like:
ReadEnvStr $0 SystemDrive
MessageBox mb_ok "$0\boot.ini"

On Vista, I have no idea; just call BCDEdit with nsExec, probably.

You need to reboot to disable DEP I think, why not fix the code that has DEP issues instead?


It's just that the installer spec for the software says that the DEP setting could prevent the software from running the Windows services installed. That's why I need to make sure DEP is set to the Windows programs & services only option.
I still have no idea which part of the software depends on this setting :P..


Just thought I'd reply with what I wrote using the latest version of the Windows XP SP3 and higher check:

!define DEP_SYSTEM_POLICY_TYPE_ALWAYSOFF 0 ; disabled
!define DEP_SYSTEM_POLICY_TYPE_ALWAYSON 1 ; always on, ignore white list
!define DEP_SYSTEM_POLICY_TYPE_OPTIN 2 ; only windows components
!define DEP_SYSTEM_POLICY_TYPE_OPTOUT 3 ; on, use white list

; take note that XP SP3 and earlier do not have this function, and return result is "error"
System::Call kernel32::GetSystemDEPPolicy()i.r0
;MessageBox MB_OK "DEP is: $0"

StrCmp $0 "error" skipDEP
IntCmp $0 ${DEP_SYSTEM_POLICY_TYPE_ALWAYSOFF} skipDEP
IntCmp $0 ${DEP_SYSTEM_POLICY_TYPE_OPTIN} skipDEP

MessageBox MB_OK "DEP is currently enabled."

skipDEP:


Originally posted by Istaria
; take note that XP SP3 and earlier do not have this function, and return result is "error"
I'm guessing there is some undocumented function that can be used on XP.SP2 and 2003 (See http://www.hanselman.com/blog/TheWee...gleChrome.aspx and http://www.uninformed.org/?v=2&a=4 for details about setting per process DEP on these systems)

Might work, might crash (And would only be valid on XP.SP2 and 2003.SP1+ (x86))

System::Call '*2147353301(&i1.r7)'
DetailPrint Policy=$7

I found this script on the net which worked for me. Hope you can use it.
 

;Get The DataExecutionPrevention Setting.
!include LogicLib.nsh ; provides ${Select}/${Case}/${EndSelect}

ReadRegDword $0 HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\NoExecuteState" "LastNoExecuteRadioButtonState"

;Value              Description
;-----------------  ------------------------------------------------------------------
;0x000036BC(14012)  DEP Is Enabled For Essential Windows Programs And Services Only.
;0x000036BD(14013)  DEP Is Enabled For All Programs And Services Except Those Selected.
;Blank              Setting Not Found, Add Program Anyway, Just To be Sure.

;Check If Data Execution Prevention Is Enabled.
${Select} $0
${Case} "14012"
;Do Not Alter Registry Without Systems Administrator Consent.
;Enable DEP.
;WriteRegDWord HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\NoExecuteState" "LastNoExecuteRadioButtonState" 0x000036BD
;Add Your .exe To The Data Execution Prevention List.
;WriteRegStr HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" "$EXE_DIR\$EXE_NAME" "DisableNXShowUI"
${Case} "14013"
;Add Your .exe To The Data Execution Prevention List.
WriteRegStr HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" "$EXE_DIR\$EXE_NAME" "DisableNXShowUI"
${CaseElse}
;Add Your .exe To The Data Execution Prevention List In Case It Is Enabled Later On.
WriteRegStr HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" "$EXE_DIR\$EXE_NAME" "DisableNXShowUI"
${EndSelect}
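
The read-only checks from this thread combined into one script, as an added example that is not code from any of the posters. It only reports the DEP state and changes nothing. The helper name GetDEPPolicyName and the output file name are hypothetical; the "error" result for a missing export and the registry values 14012/14013 are taken from the posts above.

```nsis
!include LogicLib.nsh
OutFile "dep-report.exe"      ; hypothetical output name
RequestExecutionLevel user    ; only reads are performed
ShowInstDetails show

!define PF_NX_ENABLED 12
!define NX_STATE_KEY "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\NoExecuteState"

; Hypothetical helper. Leaves AlwaysOff, AlwaysOn, OptIn, OptOut or Unknown on the stack.
Function GetDEPPolicyName
  Push $0
  Push $1
  StrCpy $1 "Unknown"
  ; As noted in the thread, $0 is "error" when kernel32 lacks this export.
  System::Call 'kernel32::GetSystemDEPPolicy()i.r0'
  ${If} $0 == "error"
    ; Fallback from the thread: only distinguishes the two Control Panel options.
    ReadRegDWORD $0 HKLM "${NX_STATE_KEY}" "LastNoExecuteRadioButtonState"
    ${If} $0 == 14012
      StrCpy $1 "OptIn"
    ${ElseIf} $0 == 14013
      StrCpy $1 "OptOut"
    ${EndIf}
  ${ElseIf} $0 == 0
    StrCpy $1 "AlwaysOff"
  ${ElseIf} $0 == 1
    StrCpy $1 "AlwaysOn"
  ${ElseIf} $0 == 2
    StrCpy $1 "OptIn"
  ${ElseIf} $0 == 3
    StrCpy $1 "OptOut"
  ${EndIf}
  Exch $1    ; restore $1, result is now on top of the stack
  Exch       ; bring the saved $0 to the top
  Pop $0     ; restore $0, result stays on the stack
FunctionEnd

Section "Report"
  System::Call 'kernel32::IsProcessorFeaturePresent(i ${PF_NX_ENABLED})i.r0'
  ${If} $0 <> 0
    DetailPrint "NX enabled"
  ${Else}
    DetailPrint "NX disabled"
  ${EndIf}
  Call GetDEPPolicyName
  Pop $0
  DetailPrint "System DEP policy: $0"
SectionEnd
```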