A dialog box will appear when the computer is turned on.
Method 1: Data Execution Prevention - Microsoft Windows

To help protect your computer, Windows has closed this program.

Name: Windows Explorer

Publisher: Microsoft Corporation

[Close message]

Data execution prevention helps to resist virus attacks and other security threats. What should I do?

=============================================================

Right-click My Computer => Properties => Advanced tab.

Under Performance, click Settings => Data Execution Prevention, select the "................." radio button, and then add Windows Explorer.

Attachment: A detailed description of the Data Execution Prevention feature in Windows XP SP2.

Summary

Microsoft Windows XP Service Pack 2 uses the new Data Execution Prevention (DEP) feature to disable code execution in data pages. When an attempt is made to run code in a marked data page, an exception occurs immediately and the code is not executed. This can prevent an attacker from overflowing a data buffer with code and then executing that code.

Introduction

Data Execution Prevention (DEP) is a processor function supported by Microsoft Windows XP Service Pack 2 (SP2) that prohibits the execution of code in memory areas marked as data storage. This function is also called "no execute" and "execution protection". When an attempt is made to run code in a marked data page, an exception occurs immediately and the code is not executed. This can prevent an attacker from overflowing a data buffer with code and then executing that code.

More information

Data Execution Prevention (DEP) helps to prevent damage caused by viruses and other security threats that attack by executing malicious code from memory locations that only Windows and other programs should use. Such a threat causes damage by taking over one or more memory locations that a program is using, and then spreads and damages other programs, files and even your email contact information.

Unlike firewalls or antivirus programs, DEP cannot prevent harmful programs from being installed on your computer. However, it monitors your programs to determine whether they are using system memory safely. To do this, DEP software works alone or together with compatible microprocessors to mark some memory locations as "non-executable". If a program tries to run code from a protected location, DEP closes the program and notifies you. This happens even if the code is not malicious.

DEP on 64-bit Windows versions

A 64-bit version of Windows on a 64-bit processor can run programs in 64-bit mode. Regardless of the processor architecture, kernel-mode DEP on 64-bit Windows versions applies to the stack, paged pool and session pool.

DEP is enabled in Windows XP SP2 by default and cannot be disabled. 64-bit applications will not run from the stack or the default process heap. Applications that need to allocate executable memory can do so by calling VirtualAlloc() with one of the PAGE_EXECUTE* memory attributes.

DEP on 32-bit Windows versions

User-mode DEP

In the near future, many computers running Windows and Windows-compatible programs will use 32-bit processors running 32-bit Windows versions. However, new processors such as AMD Opteron and Athlon-64 support both 32-bit and 64-bit operating modes. (The 32-bit operating mode is the legacy mode, while the 64-bit operating mode is the native mode.)

New processors that support 32-bit and 64-bit operating modes can run in 32-bit operating systems and 32-bit application environments, and they can also use DEP after the physical address extension (PAE) mode is enabled.

We will explore ways to disable or enable DEP for each 32-bit application separately. For 64-bit applications, DEP is enabled by default. A DEP exception causes the status code STATUS_ACCESS_VIOLATION (0xc0000005) to appear on the Windows system. In most processes, this is an unhandled exception that causes the process to terminate.

Kernel mode DEP

DEP works in the same way in user mode and kernel mode. In kernel mode, DEP for memory regions cannot be enabled or disabled per driver. By default, on 32-bit Windows versions, DEP applies only to the stack. On 64-bit versions of Windows, DEP applies to the stack, paged pool and session pool. An access violation in kernel mode results in bugcheck 0x000000FC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY.

Compatibility problem

DEP compatibility problems may occur in applications and drivers.

Application compatibility

Some application behaviors may be incompatible with DEP. Applications that perform dynamic code generation (such as just-in-time code generation) and that do not explicitly mark the generated code with execute permission may have compatibility problems with DEP.

An application that tries to violate DEP will get an exception with the status code STATUS_ACCESS_VIOLATION (0xc0000005). If the application needs executable memory, it must explicitly set this attribute on the corresponding memory by specifying PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY in the memory protection parameter of the Virtual* memory allocation functions.

For more information, please refer to the following MSDN articles:

/security/productinfo/xpsp2/memoryprotection/exec_imp.aspx

Driver compatibility

Compatibility problems between drivers and DEP are mainly those caused by PAE mode. DEP itself may have compatibility problems with drivers that perform code generation or that use other methods to generate executable code in real time. DEP is always enabled for drivers loaded on 64-bit Windows versions. Although many drivers that create executable code may have been fixed in Windows XP SP2, there is no guarantee that all drivers have been updated.

However, since few drivers use these methods, DEP itself will not cause many driver compatibility problems. Most driver compatibility issues are related to running PAE mode on a 32-bit system. If PAE mode is enabled, some drivers may not load because the device may not be able to perform 64-bit addressing, or because the driver assumes that PAE mode requires more than 4 GB of RAM. These drivers assume that in PAE mode they will always receive a 64-bit address and that they (or their devices) cannot interpret it.

Other drivers may load in PAE mode but cause system instability by directly modifying system page table entries. These drivers expect 32-bit page table entries, but they receive 64-bit page table entries in PAE mode. The biggest compatibility problem between drivers and PAE is related to direct memory access (DMA) transfers and mapping register allocation. Many DMA-enabled devices (usually 32-bit adapters) do not support 64-bit physical addressing. When such a device operates in 32-bit mode, it can address all of the physical address space.

In PAE mode, data can be located in a physical address larger than 4 GB. In this case, in order to make devices with these restrictions work normally, Windows XP SP2 provides double buffering for DMA transactions by providing a 32-bit address indicated by a mapping register. Devices can perform DMA transactions on 32-bit addresses, and the kernel copies memory to 64-bit addresses provided for drivers.

When the system is running with PAE disabled, the drivers of 32-bit devices don't need real memory at all to support their mapping registers. This means that double buffering is not needed because all devices and drivers are contained in the 32-bit address space. According to the test of 32-bit device drivers on x86-based and x64-based computers, most drivers that have been tested by clients and support DMA need unlimited mapping registers.

To limit compatibility issues, Windows XP SP2 changed the Hardware Abstraction Layer (HAL) to simulate the behavior of 32-bit HAL DMA. The modified HAL allows the system to have unlimited mapping registers when running in PAE mode. In addition, the kernel memory manager ignores any physical address larger than 4 GB.

Due to these changes to HAL and memory manager, we expect that device driver compatibility problems on systems running Windows XP SP2 and supporting DEP will be minimized.

Developer review

Applications that need executable memory areas must use the PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY attributes when allocating memory. In addition, applications cannot execute code from the default process heap or the stack.

Most applications that perform operations that are incompatible with DEP must be updated to remain compatible with DEP. If an application allocates executable memory from a private heap, it must ensure that the execution flag is set in the heap memory. Applications can use the VirtualAlloc application programming interface (API) to allocate memory with appropriate protection settings.

If the application does not allocate executable memory from the private heap, it must be modified to allocate executable memory from the private heap. The application must use the VirtualAlloc API to create this heap and at least specify the EXECUTE flag for this memory. Any generated code must be placed in the executable heap.

After generating executable code, we recommend that you set memory protection for your application to prevent write access to the heap through the VirtualProtect API. This measure will provide more protection for the executable area in the process address space.
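
The allocation pattern recommended above, as an added example (not code from the original page or from Microsoft): generated code is written into a VirtualAlloc region that is PAGE_READWRITE and only then switched to PAGE_EXECUTE_READ with VirtualProtect, a stricter variant in which the region is never writable and executable at once. The six-byte x86 stub, the function names and the mmap/mprotect branch for non-Windows builds are assumptions made for this sketch.

```c
#define _DEFAULT_SOURCE /* glibc: expose MAP_ANONYMOUS */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h> /* assumption: POSIX stand-in so this builds off Windows */
#endif

/* Constructed x86/x64 stub standing in for generated code: mov eax, 42 ; ret */
static const unsigned char STUB[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#define STUB_SKIPPED (-2) /* returned when the CPU is not x86/x64 */

/* Copy code into a fresh read/write region, then trade write access for execute
   access, so the region is never writable and executable at the same time. */
void *publish_code(const void *code, size_t len)
{
#ifdef _WIN32
    DWORD old;
    void *p = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (p == NULL) return NULL;
    memcpy(p, code, len);
    if (!VirtualProtect(p, len, PAGE_EXECUTE_READ, &old)) { VirtualFree(p, 0, MEM_RELEASE); return NULL; }
    FlushInstructionCache(GetCurrentProcess(), p, len);
#else
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, code, len);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) { munmap(p, len); return NULL; }
#endif
    return p;
}

/* Runs the stub: 42 on x86/x64, STUB_SKIPPED elsewhere, -1 if setup failed. */
int run_generated_stub(void)
{
    int result = STUB_SKIPPED;
    void *p = publish_code(STUB, sizeof STUB);
    if (p == NULL) return -1;
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
    result = ((int (*)(void))p)(); /* executing from PAGE_READWRITE would fault under DEP */
#endif
#ifdef _WIN32
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, sizeof STUB);
#endif
    return result;
}

int main(void) { printf("stub returned %d\n", run_generated_stub()); return 0; }
```

Skipping the VirtualProtect step and calling into the PAGE_READWRITE region is what produces the 0xc0000005 exception described earlier.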

Configuration and troubleshooting

Symptoms related to data execution prevention support include access conflicts in applications that try to execute from memory when DEP is enabled. In this case, a dialog box will appear indicating that the application has an error due to DEP. This dialog box contains a message similar to the following:

Data Execution Prevention

Windows Security detected a problem and closed the program.

Name: application name

Publisher: The publisher of the application.

Data execution prevention helps defend against viruses and other security threats. How does it work?

(Followed by "Advanced" and "OK" buttons. )

If DEP is the cause of an application error, it is recommended that you contact the application vendor to determine whether an update is available so that the application can run normally when DEP is enabled. To solve these problems, we recommend that you install this update.

After clicking OK, a standard Windows error report prompt will appear, and you will be given the option to send an error report. You can also see what information has been collected by clicking here.

Click the "Click here" link on the error report interface, and the detailed information interface will appear. In the "Error Signature" section of the data, you can check whether this error is identified as "Event Type: BEX". BEX represents a DEP-related error.

This interface also provides other information, which comes mainly from the exception parameters:

Parameter   Data
1           Application name
2           Application version
3           Application timestamp
4           Module name
5           Module version
6           Module timestamp
7           Module offset
8           Exception code (c0000005 = access violation, c0000409 = buffer overflow)

On the initial interface, you can also click Advanced to access DEP configuration settings. You can use these settings to add exceptions for applications with errors.

The data execution prevention dialog box provides the following three options:

Enable DEP for all programs (recommended)

Turn off DEP (not recommended)

Help protect all programs except:

By choosing one of these options, you can exclude one or more applications or configure DEP settings for the whole computer. If you set the "Turn off DEP" option, a switch is added to the boot.ini configuration file of the currently running Windows installation. The boot.ini switches are as follows:

/noexecute - This is the default switch. It enables DEP.

/execute - This switch disables DEP.

Note: It is recommended that you do not disable DEP globally. This will leave the computer in an unsafe state.

You can also access these DEP settings in the system properties.

If your application is not updated, please follow these steps to access and configure DEP configuration settings:

1. When an error occurs in the application, click Advanced.

2. In the data execution prevention dialog box, select Help protect all programs except.

3. Click the check box next to the application, and then click Apply.

4. At this time, a prompt will appear telling you that you must restart the system. Click "OK".

5. Click OK again, and then restart the system.

You can also perform this procedure in the system properties:

1. Click Start, and then click Control Panel.

2. In the classic view, double-click System.

3. Click the Advanced tab, click Performance, and then click Settings.

4. In the Performance Options dialog box, click the data execution prevention tab.

5. Select Enable DEP for all programs and services except those I selected: and then click Add.

6. In the Open dialog box, locate and select the application, and then click Open.

7. Click Apply, and then click OK. A prompt will appear informing you that you must restart the system for the settings to take effect. Click "OK".

Method 2: Windows XP SP2 has a data execution prevention (DEP) function. To use this function, a processor that supports DEP is required, such as the AMD Athlon 64 or an Intel Pentium 4 processor with the letter "J" in the serial number.

The DEP function can effectively prevent unauthorized programs from accessing protected memory areas. Once such a memory access occurs, the program is forced to close by Windows, which protects system security.

However, the DEP function may have compatibility problems with early applications, which may lead to application failures or system crashes. In that case, if you want to continue to use the application normally, you can turn off the DEP function of Windows XP SP2. The operation method is as follows:

Open the Boot.ini file and edit it. Change "/noexecute=optin" to "/execute", save the file, and restart the system. At this point, the DEP function in the system has been turned off.

For example, the Boot.ini file looks like this:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

After modification, the last line becomes:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /execute /fastdetect
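
An added example, not part of the original page: a small C audit routine for the boot.ini switches described here and under "Configuration and troubleshooting", which counts the [operating systems] entries that turn DEP off. The sample file is constructed; the optout, alwayson and alwaysoff values of /noexecute come from Microsoft's boot.ini documentation rather than from this page, and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum dep_policy { DEP_DEFAULT, DEP_OPTIN, DEP_OPTOUT, DEP_ALWAYSON, DEP_OFF };

/* Constructed sample: the page's opt-in entry plus one edited to /execute. */
static const char SAMPLE_INI[] =
    "[boot loader]\r\ntimeout=30\r\n[operating systems]\r\n"
    "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS=\"XP opt-in\" /noexecute=optin /fastdetect\r\n"
    "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS=\"XP no DEP\" /execute /fastdetect\r\n";

/* Classify one lower-cased OS entry by its /noexecute= or /execute switch. */
enum dep_policy classify(const char *low)
{
    const char *v = strstr(low, "/noexecute=");
    if (v != NULL) {
        v += strlen("/noexecute=");
        if (strncmp(v, "alwaysoff", 9) == 0) return DEP_OFF;
        if (strncmp(v, "alwayson", 8) == 0) return DEP_ALWAYSON;
        if (strncmp(v, "optout", 6) == 0) return DEP_OPTOUT;
        if (strncmp(v, "optin", 5) == 0) return DEP_OPTIN;
    }
    /* "/noexecute" never contains "/execute", so this only matches the off switch */
    return strstr(low, "/execute") != NULL ? DEP_OFF : DEP_DEFAULT;
}

/* Walk a boot.ini text: set *entries to the number of [operating systems]
   entries and return how many of them turn DEP off. */
int count_dep_off(const char *ini, int *entries)
{
    char low[512];
    int in_os = 0, off = 0;
    *entries = 0;
    while (*ini != '\0') {
        size_t n = strcspn(ini, "\r\n"), i;
        for (i = 0; i < n && i < sizeof low - 1; i++)
            low[i] = (char)tolower((unsigned char)ini[i]);
        low[i] = '\0';
        ini += n + strspn(ini + n, "\r\n");
        if (low[0] == '[') {
            in_os = strncmp(low, "[operating systems]", 19) == 0;
        } else if (in_os && strchr(low, '=') != NULL) {
            ++*entries;
            off += classify(low) == DEP_OFF;
        }
    }
    return off;
}

int main(void) { int n; printf("%d entries disable DEP\n", count_dep_off(SAMPLE_INI, &n)); return 0; }
```

The match is on the whole entry line, so an OS title that itself contains the text "/execute" would be counted as well.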