Default Windows 8.1 OS settings for DEP, SEHOP and ASLR

  • Question

  • My understanding is that in Windows 8.1, DEP and ASLR are set to 'opt-in' by default in the OS. What about SEHOP? I can't find any info on it, and the posts I've found for the registry path for mitigation options don't seem to be correct.

    I think I'd like to just have DEP, ASLR and SEHOP set to 'opt-in' in the OS. But I'm also wondering if there is any benefit to installing EMET if I'm only going to have these 3 system-wide mitigations set?

    Thanks

    Saturday, April 18, 2015 4:57 AM

All replies

  • I'm not sure about the default value for SEHOP but the registry entry for Windows 8+ is reported to be:
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions, per the 0xdabbad00 whitepaper http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf, see pages 5 and 15 for the bit values (0x000000f0 is the mask for SEHOP with the f value being one of: off=6, optIn=2, optOut=1, alwaysOn=5).  The whitepaper states that system-wide SEHOP is not enabled by default for Windows 8 but doesn't specifically mention 8.1.

    The biggest bang for the buck in my opinion is in the per-application settings (specific mitigations for programs like IE, Adobe Reader, Java, and several others), which you can import by clicking the Import menu option and choosing Recommended Software.xml and then Popular Software.xml, then clicking the Apps menu option to see the per-application list.

    Monday, April 20, 2015 1:31 PM
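As an added example (not from the thread or the whitepaper it cites), the helper below decodes and rewrites the SEHOP nibble of a MitigationOptions value using only the 0x000000f0 mask and the off=6 / optIn=2 / optOut=1 / alwaysOn=5 codes quoted in the reply above; that layout is taken as an assumption from the reply, not verified against Windows 8.1 itself. It treats a missing value (None) as "not configured", so a reader who finds no MitigationOptions entry under the Kernel key gets a sensible answer instead of a crash.

```python
# Added example, not from the original thread. The SEHOP bit layout below
# (mask 0xF0, codes off=6, optIn=2, optOut=1, alwaysOn=5) is assumed from the
# 0xdabbad00 whitepaper as quoted in the reply; no other bits are interpreted.
SEHOP_MASK = 0x000000F0
SEHOP_SHIFT = 4
SEHOP_CODES = {"off": 0x6, "optIn": 0x2, "optOut": 0x1, "alwaysOn": 0x5}
CODE_TO_MODE = {code: mode for mode, code in SEHOP_CODES.items()}


def sehop_mode(mitigation_options):
    """Return the SEHOP mode encoded in a MitigationOptions value.

    None models the registry value being absent (the situation the asker
    hit): no system-wide override is set, so the OS default applies.
    A nibble outside the four known codes is reported, not guessed.
    """
    if mitigation_options is None:
        return "not configured (OS default)"
    nibble = (mitigation_options & SEHOP_MASK) >> SEHOP_SHIFT
    return CODE_TO_MODE.get(nibble, f"unknown (0x{nibble:x})")


def with_sehop_mode(mitigation_options, mode):
    """Return a new value whose SEHOP nibble encodes `mode`.

    Every other bit is preserved, so whatever the same value stores for
    DEP or ASLR is left exactly as it was (read-modify-write of one nibble).
    """
    if mode not in SEHOP_CODES:
        raise ValueError(f"unsupported SEHOP mode: {mode}")
    base = 0 if mitigation_options is None else mitigation_options
    return (base & ~SEHOP_MASK) | (SEHOP_CODES[mode] << SEHOP_SHIFT)


if __name__ == "__main__":
    # Constructed sample value: other nibbles are arbitrary filler.
    sample = 0x00000163
    print(sehop_mode(None))                      # not configured (OS default)
    print(sehop_mode(sample))                    # off
    print(hex(with_sehop_mode(sample, "optIn"))) # 0x123
```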
  • Thanks for the reply. Unfortunately, this is one of the registry paths I've already tried: there is no 'MitigationOptions' in 'Kernel'. 'RNG' is the only folder listed, and 'ObCaseInsensitive' is the only entry in 'Kernel' with a value set.

    Right, I saw the reference to Win8. I'd assume this wasn't changed for 8.1, but thought I'd ask anyway.

    I agree, but I'm setting this up for another user who won't be able to debug conflicts, so no per-application settings for them.

    I guess I could just install EMET, set DEP, ASLR and SEHOP to 'opt-in' and then, since I don't think there's a need for it, uninstall EMET. This should leave the values set to 'opt-in', as I understand it.

    Tuesday, April 21, 2015 5:59 AM