SetProcessMitigationPolicy function

Sets the mitigation policy for the calling process.

Syntax


BOOL WINAPI SetProcessMitigationPolicy(
  _In_ PROCESS_MITIGATION_POLICY MitigationPolicy,
  _In_ PVOID                     lpBuffer,
  _In_ SIZE_T                    dwLength
);

Parameters

MitigationPolicy [in]

The mitigation policy to apply. This parameter can be one of the following values.

ValueMeaning
ProcessDEPPolicy

The data execution prevention (DEP) policy of the process.

The lpBuffer parameter points to a PROCESS_MITIGATION_DEP_POLICY structure that specifies the DEP policy flags.

ProcessASLRPolicy

The Address Space Layout Randomization (ASLR) policy of the process.

The lpBuffer parameter points to a PROCESS_MITIGATION_ASLR_POLICY structure that specifies the ASLR policy flags.

ProcessDynamicCodePolicy

The dynamic code policy of the process. When turned on, the process cannot generate dynamic code or modify existing executable code.

The lpBuffer parameter points to a PROCESS_MITIGATION_DYNAMIC_CODE_POLICY structure that specifies the dynamic code policy flags.

ProcessStrictHandleCheckPolicy

The process will receive a fatal error if it manipulates a handle that is not valid.

The lpBuffer parameter points to a PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY structure that specifies the handle check policy flags.

ProcessSystemCallDisablePolicy

Disables the ability to use NTUser/GDI functions at the lowest layer.

The lpBuffer parameter points to a PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY structure that specifies the system call disable policy flags.

ProcessMitigationOptionsMask

Returns the mask of valid bits for all the mitigation options on the system. An application can set many mitigation options without querying the operating system for mitigation options by combining bitwise with the mask to exclude all non-supported bits at once.

The lpBuffer parameter points to a ULONG64 bit vector for the mask.

ProcessExtensionPointDisablePolicy

The lpBuffer parameter points to a PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY structure that specifies the extension point disable policy flags.

ProcessControlFlowGuardPolicy

The Control Flow Guard (CFG) policy of the process.

The lpBuffer parameter points to a PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY structure that specifies the CFG policy flags.

Note  This value is not currently supported.
 
ProcessSignaturePolicy

The policy of a process that can restrict image loading to those images that are either signed by Microsoft, by the Windows Store, or by Microsoft, the Windows Store and the Windows Hardware Quality Labs (WHQL).

he lpBuffer parameter points to a PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY structure that specifies the signature policy flags.

ProcessFontDisablePolicy

The policy regarding font loading for the process. When turned on, the process cannot load non-system fonts.

The lpBuffer parameter points to a PROCESS_MITIGATION_FONT_DISABLE_POLICY structure that specifies the policy flags for font loading.

ProcessImageLoadPolicy

The policy regarding image loading for the process, which determines the types of executable images that are allowed to be mapped into the process. When turned on, images cannot be loaded from some locations, such a remote devices or files that have the low mandatory label.

The lpBuffer parameter points to a PROCESS_MITIGATION_IMAGE_LOAD_POLICY structure that specifies the policy flags for image loading.

 

lpBuffer [in]

If the MitigationPolicy parameter is ProcessDEPPolicy, this parameter points to a PROCESS_MITIGATION_DEP_POLICY structure that specifies the DEP policy flags.

If the MitigationPolicy parameter is ProcessASLRPolicy, this parameter points to a PROCESS_MITIGATION_ASLR_POLICY structure that specifies the ASLR policy flags.

If the MitigationPolicy parameter is ProcessImageLoadPolicy, this parameter points to a PROCESS_MITIGATION_IMAGE_LOAD_POLICY structure that receives the policy flags for image loading.

If the MitigationPolicy parameter is ProcessStrictHandleCheckPolicy, this parameter points to a PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY structure that specifies the handle check policy flags.

If the MitigationPolicy parameter is ProcessSystemCallDisablePolicy, this parameter points to a PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY structure that specifies the system call disable policy flags.

If the MitigationPolicy parameter is ProcessMitigationOptionsMask, this parameter points to a ULONG64 bit vector for the mask.

If the MitigationPolicy parameter is ProcessExtensionPointDisablePolicy, this parameter points to a PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY structure that specifies the extension point disable policy flags.

If the MitigationPolicy parameter is ProcessControlFlowGuardPolicy, this parameter points to a PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY structure that specifies the CFG policy flags.

If the MitigationPolicy parameter is ProcessSignaturePolicy, this parameter points to a PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY structure that specifies the signature policy flags.

If the MitigationPolicy parameter is ProcessFontDisablePolicy, this parameter points to a PROCESS_MITIGATION_FONT_DISABLE_POLICY structure that specifies the policy flags for font loading.

If the MitigationPolicy parameter is ProcessImageLoadPolicy, this parameter points to a PROCESS_MITIGATION_IMAGE_LOAD_POLICY structure that specifies the policy flags for image loading.

dwLength [in]

The size of lpBuffer, in bytes.

Return value

If the function succeeds, it returns TRUE. If the function fails, it returns FALSE. To retrieve error values defined for this function, call GetLastError.

Remarks

Setting mitigation policy for a process helps prevent an attacker from exploiting security vulnerabilities. Use the SetProcessMitigationPolicy function to enable or disable security mitigation programmatically.

For maximum effectiveness, mitigation policies should be applied during process initialization. For example, setting the ASLR policy that enables forced relocation of images is effective only if it is applied before all of the images in a process have been loaded.

ASLR mitigation policies cannot be made less restrictive after they have been applied.

To compile an application that uses this function, set _WIN32_WINNT >= 0x0602. For more information, see Using the Windows Headers.

Requirements

Minimum supported client

Windows 8 [desktop apps only]

Minimum supported server

Windows Server 2012 [desktop apps only]

Header

Processthreadsapi.h

Library

Kernel32.lib

DLL

Kernel32.dll

 

 

Show: