2. NSIS Discussion
  3. DEP checking/enabling/disabling

Archive: DEP checking/enabling/disabling


ocueed
2nd May 2007 20:18 UTC

DEP checking/enabling/disabling
  Can anyone help me with issue. How I can check if DEP is enable, after that to disable it during the installation or something like that.

kichik
3rd May 2007 19:44 UTC

!define PF_NX_ENABLED 12

System::Call kernel32::IsProcessorFeaturePresent(i${PF_NX_ENABLED})i.r0

${If} $0 != 0
  DetailPrint "NX enabled"
${Else}
  DetailPrint "NX disabled"
${EndIf}

congtak
29th October 2007 01:24 UTC

in system->Advanced->Performance->Settings -> Data Execution Prevention.
There are two options :
- Turn on dep for essential windows programs and services only.
- Turn on dep for all programs and services except those I select:

How to check which one is currently selected using NSIS ?
I need my installer to change this setting to the first option. (dep for essential windows.. only).

Anders
29th October 2007 02:11 UTC

There are actually four DEP modes; AlwaysOn, AlwaysOff, OptIn, or OptOut.

I think the setting might be stored in boot.ini on XP (maybe in the registry aswell) and you could probably find out with bcdedit(or whatever its called) on Vista

congtak
29th October 2007 03:08 UTC

Thanks for the quick reply..
I'm quite new to installer & not very familiar with windows registry.
Where is the boot.ini located? & what's the name of the entry in the windows registry?

Anders
29th October 2007 03:30 UTC

I don't know if there is a registry entry, that was just a guess.

for boot.ini you probably have to so something like:
ReadEnvStr $0 SystemDrive
MessageBox mb_ok "$0\boot.ini"

on vista, I have no idea, just call BCDEdit with nsExec probably

You need to reboot to disable DEP I think, why not fix the code that has DEP issues instead?

congtak
29th October 2007 03:41 UTC

It's just that in the installer spec for the software says that DEP's setting could prevent the software from running the windows services installed. That's why i need to make sure the DEP is set to the one windows programs & services only.
I still have no idea which part of the software that depends on this setting :P..

Istaria
10th April 2012 23:45 UTC

Just thought I'd reply with what I wrote using the latest version of the Windows XP SP3 and higher check:

!define DEP_SYSTEM_POLICY_TYPE_ALWAYSOFF 0 ; disabled
!define DEP_SYSTEM_POLICY_TYPE_ALWAYSON 1 ; always on, ignore white list
!define DEP_SYSTEM_POLICY_TYPE_OPTIN 2 ; only windows components
!define DEP_SYSTEM_POLICY_TYPE_OPTOUT 3 ; on, use white list

; take note that XP SP3 and earlier do not have this function, and return result is "error"
System::Call kernel32::GetSystemDEPPolicy()i.r0
;MessageBox MB_OK "DEP is: $0"

StrCmp $0 "error" skipDEP
IntCmp $0 ${DEP_SYSTEM_POLICY_TYPE_ALWAYSOFF} skipDEP
IntCmp $0 ${DEP_SYSTEM_POLICY_TYPE_OPTIN} skipDEP

MessageBox MB_OK "DEP is currently enabled."

skipDEP:

Anders
11th April 2012 02:20 UTC

Originally posted by Istaria
; take note that XP SP3 and earlier do not have this function, and return result is "error"
I'm guessing there is some undocumented function that can be used on XP.SP2 and 2003 (See http://www.hanselman.com/blog/TheWee...gleChrome.aspx and http://www.uninformed.org/?v=2&a=4 for details about setting per process DEP on these systems)

Anders
11th April 2012 03:28 UTC

Might work, might crash (And would only be valid on XP.SP2 and 2003.SP1+ (x86))

System::Call '*2147353301(&i1.r7)'
DetailPrint Policy=$7

DO_Visser
12th April 2012 06:22 UTC

I found this script on the net which worked for me. Hope you can use it.
 

;Get The DataExecutionPrevention Setting.

>ReadRegDword $0 HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\NoExecuteState" "LastNoExecuteRadioButtonState"


>;Value              Description

>;----------------- ------------------------------------------------------------------

;0x000036BC(14012) DEP Is Enabled For Essential Windows Programs And Services Only.

;0x000036BD(14013) DEP Is Enabled For All Programs And Services Except Those Seleced.

;Blank             Setting Not Found, Add Program Anyway, Just To be Sure.


;Check If Data Execution Prevention Is Enabled.

${Select} $0

   ${Case} "14012"

       ;Do Not Alter Registry Without Systems Adminstrator Consent.

        ;Enable DEP.

        ;WriteRegDWord HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\NoExecuteState" "LastNoExecuteRadioButtonState" 0x000036BD

       ;Add Your .exe To The Data Execution Prevention List.

        ;WriteRegStr HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" "$EXE_DIR\$EXE_NAME" "DisableNXShowUI"

   ${Case} "14013"

       ;Add Your .exe To The Data Execution Prevention List.

       WriteRegStr HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" "$EXE_DIR\$EXE_NAME" "DisableNXShowUI"

   ${CaseElse}

        ;Add Your .exe To The Data Execution Prevention List In Case It Is Enabled Later On.

       WriteRegStr HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" "$EXE_DIR\$EXE_NAME" "DisableNXShowUI"

>${EndSelect}

Fork me on GitHub