Hardware-enforced DEP must be enabled in the BIOS.
On some computers, you can disable processor support for hardware-enforced DEP
in the BIOS. You must not disable this support. Depending on your computer
manufacturer, the option to disable this support may be labeled "Data
Execution Prevention," "XD," "Execute Disable," or
"NX."
How to confirm that hardware DEP is working in Windows
To confirm that hardware DEP is working in Windows, use one of the following methods.
Method 1: Use the Wmic command-line tool
You can use the Wmic command-line tool to examine the DEP settings. To determine whether hardware-enforced DEP is available, follow these steps:
|
Click Start, click Run, type cmd in the Open box, and then click OK. |
|
|
At the command prompt, type the following command, and then press ENTER: wmic OS Get DataExecutionPrevention_Available If the output is "TRUE," hardware-enforced DEP is available. |
To determine the current DEP support policy, follow these ste 626t1913g ps.
|
Click Start, click Run, type cmd in the Open box, and then click OK. |
|
|
At the command prompt, type the following command, and then press ENTER: wmic OS Get DataExecutionPrevention_SupportPolicy The value returned will be 0, 1, 2 or 3. This value corresponds to one of the DEP support policies that are described in the following table. |
|
DataExecutionPrevention_SupportPolicy property value |
Policy Level |
Description |
|
OptIn (default configuration) |
Only Windows system components and services have DEP applied |
|
|
OptOut |
DEP is enabled for all processes. Administrators can manually create a list of specific applications which do not have DEP applied |
|
|
AlwaysOn |
DEP is enabled for all processes |
|
|
AlwaysOff |
DEP is not enabled for any processes |
Note To verify that Windows is running with hardware DEP enabled, examine the DataExecutionPrevention_Drivers property of the Win32_OperatingSystem class. In some system configurations, hardware DEP may be disabled by using the /nopae or /execute switches in the Boot.ini file. To examine this property, type the following command at a command prompt:
wmic OS Get DataExecutionPrevention_Drivers
Method 2: Use the graphical user interface
To use the graphical user interface to determine whether DEP is available, follow these steps:
|
Click Start, click Run, type wbemtest in the Open box, and then click OK. |
|
|
In the Windows Management Instrumentation Tester dialog box, click Connect. |
|
|
In the box at the top of the Connect dialog box, type root\cimv2, and then click Connect. |
|
|
Click Enum Instances. |
|
|
In the Class Info dialog box, type Win32_OperatingSystem in the Enter superclass name box, and then click OK. |
|
|
In the Query
Result dialog box, double-click the top item. |
|
|
|
In the Object editor dialog box, locate the DataExecutionPrevention_Available property in the Properties area. |
|
Double-click DataExecutionPrevention_Available. |
|
|
In the Property Editor dialog box, note the value in the Value box. |
If the value is TRUE, hardware DEP is available.
Notes
|
To determine the mode in which DEP is running, examine the DataExecutionPrevention_SupportPolicy property of the Win32_OperatingSystem class. The table at the end of Method 1 describes each support policy value. |
|
|
To verify that hardware DEP is enabled in Windows, examine the DataExecutionPrevention_Drivers property of the Win32_OperatingSystem class. In some system configurations, hardware DEP may be disabled by using the /nopae or /execute switches in the Boot.ini file. |
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Alrite now we knows that PAE has such capabilities, and the next question that you might be asking is, how to enable it? Well for those who are familar with BCD (Boot Configurations Data) in Windows Vista, you would have an options to enable the PAE easily by follow the steps below :
1. Click on the start menu, and type CMD.
2. Right click on the Command Prompt, and Run as Administrator.
3. Type "BCDEdit /set PAE forceenable" in the command prompt.
That's it. This should enable the PAE after machine was reboot.
PAE-mode-induced driver compatibility issues
Driver compatibility issues that are related to Data Execution Prevention (DEP) are typically physical address extension (PAE) mode-induced compatibility issues.
Note PAE is required only on computers that have processors that support hardware-enforced DEP.
DEP may cause compatibility issues with any driver that performs code generation or that uses other techniques to generate executable code in real time. Many drivers that experienced these issues have been fixed. Because DEP is always on for drivers that are on 64-bit versions of Windows, these drivers typically experienced compatibility issues. However, there is no guarantee that all drivers have been updated to fix PAE-mode-induced compatibility issues. However, there are few drivers that use these techniques. DEP alone does not typically cause driver compatibility issues.
The primary driver compatibility issues that you may experience occur when you run PAE mode on 32-bit computers. PAE mode enables processors to use more than 4 GB of memory. The primary difference between PAE memory paging schemes and non-PAE memory paging schemes is the additional level of paging that is required in PAE mode. PAE mode requires three levels of paging instead of two levels of paging.
Some drivers might not load if PAE mode is enabled because the device might be unable to perform 64-bit addressing. Or, the drivers might be written with the assumption that PAE mode requires more than 4 GB of memory. Such drivers are written with the expectation that the drivers will always receive 64-bit addresses in PAE mode and that the driver or the device cannot interpret the address.
Other drivers might load in PAE mode but cause system instability by directly modifying system page table entries (PTE). These drivers expect 32-bit page table entries but receive 64-bit PTEs in PAE mode instead.
The most common PAE compatibility issue for drivers involves direct memory access (DMA) transfers and map register allocation. Many devices that support DMA, typically 32-bit adapters, cannot perform 64-bit physical addressing. When these devices run in 32-bit mode, the devices can address all physical address space. In PAE mode, data can be present at a physical address that is larger than 4 GB. To enable devices that have these constraints to function in this scenario, Microsoft Windows 2000 Server and later versions of Windows provide double-buffering for the DMA transaction. Windows 2000 Server and later versions of Windows do this by providing a 32-bit address that is indicated by a map register. The device can perform the DMA transaction to the 32-bit address. The kernel copies the memory to the 64-bit address that is provided to the driver. When the computer runs with PAE mode disabled, drivers for 32-bit devices do not require that system memory be allocated to their map registers. This means that double-buffering is not required because all devices and all drivers are contained within the 32-bit address space. Tests of drivers for 32-bit devices on 64-bit processor-based computers have demonstrated that DMA-capable drivers that are client tested typically expect unlimited map registers.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
|
