/noexecute

The /noexecute parameter enables, disables, and configures Data Execution Prevention (DEP), a set of hardware and software technologies designed to prevent harmful code from running in protected memory locations.

For more information about using the /noexecute parameter and the other parameters that affect DEP configuration, see Boot Parameters to Configure DEP and PAE.

Note   DEP is a highly effective security feature. Do not disable DEP unless you have no alternative.


    /noexecute={alwayson | optout | optin | alwaysoff}

   

Subparameters

Subparameter

alwayson

Enables DEP for the operating system and all processes, including the Windows kernel and drivers. All attempts to disable DEP are ignored.

optout

Enables DEP for the operating system and all processes, including the Windows kernel and drivers. However, administrators can disable DEP on selected executable files by using System in Control Panel.

optin

Enables DEP only for operating system components, including the Windows kernel and drivers. Administrators can enable DEP on selected executable files by using the Application Compatibility Toolkit (ACT).

alwaysoff

Disables DEP. Attempts to enable DEP selectively are ignored.

On Windows XP with SP2, this subparameter also disables Physical Address Extension (PAE). This subparameter does not disable PAE on Windows Server 2003 with SP1.

Comments

What is DEP?

Data Execution Prevention (DEP) consists of hardware and software methods. Software-enforced DEP, which protects only user-mode processes, must be supported by the operating system. Hardware-enforced DEP sets a bit in the page table entry that prevents code from being executed from a virtual memory page that should contain only data. Hardware-enforced DEP must be supported by the operating system and the processor on the computer. If the operating system supports DEP, but the processor does not, only software-enforced DEP is enabled on the system.

Operating System Support

DEP is supported in Windows Server 2003 with SP1, Windows XP with SP2, Windows Vista, and later versions of Windows.

The /noexecute parameter is supported only on Windows Server 2003 with SP1 and Windows XP with SP2. On Windows Vista and later versions of Windows, use the NX element in BCDEdit.

32-bit and 64-bit Support

The /noexecute parameter is effective only on 32-bit processes. It enables software-enforced DEP and, if the processor supports DEP, it also enables hardware-enforced DEP.

On 64-bit processes, DEP is enabled by default and cannot be disabled (equivalent to /noexecute=alwayson). For these processes, the /noexecute parameter is ignored. On a 64-bit operating system, the /noexecute parameter affects only 32-bit processes running on the system.

Default Values

On Windows XP with SP2, the installation program adds /noexecute=optin to the boot entry.

On Windows Server 2003 with SP1, the installation program adds /noexecute=optout to the boot entry.

However, on all operating systems that support DEP, if the /noexecute parameter is not present in the boot options, the system behaves as though the setting is /noexecute=optin.

DEP and PAE

On 32-bit operating systems, hardware-enforced DEP requires Physical Address Extension (PAE). Therefore, when DEP is enabled on a computer that supports hardware-enforced DEP, 32-bit versions of the Windows operating system automatically enable PAE and ignores /nopae.

On Windows XP with SP2, , when you disable DEP by using /noexecute=alwaysoff, Windows disables both DEP and PAE. This is the equivalent of using /noexecute=alwaysoff /nopae. To enable PAE without DEP on a system with hardware-enforced DEP, use /noexecute=alwaysoff /pae. This explicitly enables PAE while disabling DEP.

However, on Windows Server 2003 with SP1, when you disable DEP by using /noexecute=alwaysoff, Windows disables only DEP. PAE is still enabled and the system ignores explicit attempts to disable PAE, such as the /nopae parameter. To disable both DEP and PAE on Windows Server 2003 with SP1, use /execute.

For a table that describes these parameters and their effects, see Boot Parameters to Configure DEP and PAE.

Setting DEP in Control Panel

To set the /noexecute=optin or /noexecute=optout policies, or to disable DEP on a particular executable file, open Control Panel, and then double-click System. Click the Advanced tab and under Performance, click Settings, and then click the Data Execution Prevention tab. To make the new settings effective, you must restart the computer.

For more information about DEP, see Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory Protection Technologies.

Example


multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=alwayson

Bootcfg command


bootcfg /raw "/noexecute=alwayson" /A /ID 1

 

 

Send comments about this topic to Microsoft

Show:
© 2014 Microsoft