How To Disable DEP with the Windows 10 Command Line

Posted by Jamie on January 4, 2019

Data Execution Prevention (DEP) is built into Windows 10 and adds an extra layer of security that stops malware from running in memory. It is enabled by default and is designed to recognize unauthorized scripts and stop them from running in reserved areas of computer memory. This is a popular attack vector for malware, so Microsoft added DEP to stop it.

Data Execution Prevention was introduced in Windows 7 in a concerted effort by Microsoft to close some of the many security holes that plagued the operating system. It is a great theory but if you have ever seen the message ‘This program has been blocked for your protection’, you know it doesn’t always work as advertised. It is always better to be too paranoid than not paranoid enough but when it gets in the way of computer performance, it becomes a nuisance.

Disable Data Execution Prevention

There are a lot of reasons why you should never disable Data Execution Prevention (DEP). Rather than bury the headline, first I’ll show you how to do it and then talk about why you shouldn’t do it.

  1. Open a CMD window as an Admin.
  2. Type ‘bcdedit.exe /set {current} nx AlwaysOff’ and hit Enter.

You should see ‘The operation completed successfully’ underneath once complete. DEP is now off on your computer. If you want to enable DEP again, type ‘bcdedit.exe /set {current} nx AlwaysOn’ and hit Enter. You should see the same successful notification underneath the command if it worked.

If you see an error that reads ‘The Value is protected by Secure Boot Policy and cannot be modified or deleted’, it means you have Secure Boot enabled in your BIOS/UEFI. To disable DEP you will need to reboot your computer into the BIOS/UEFI, find the Secure Boot setting and turn it off. Then boot into Windows and repeat the above steps to disable DEP.

You can control a little of how DEP works from the Windows GUI.

  1. Open Control Panel.
  2. Navigate to System and Security, then System.
  3. Select Advanced system settings from the left menu.
  4. Select the Data Execution Prevention tab.

Here you can choose whether to enable DEP just for Windows and its associated apps or for all programs on your computer. You can also build a whitelist that excludes particular programs from DEP. This window is of limited use outside of a corporate environment but it is there if you want to experiment.
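To confirm what state a machine is actually in after using the bcdedit command or the Data Execution Prevention tab described above, a read-only check helps. The PowerShell below is an added example, not part of the original article; it reads the DEP policy from the Win32_OperatingSystem WMI class and assumes that per-program exclusions are stored as DisableNXShowUI values under the AppCompatFlags\Layers registry key.

```powershell
# Added example: read-only DEP audit; it changes nothing on the system.
# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
$policyNames = @{
    0 = 'AlwaysOff'   # DEP disabled for everything
    1 = 'AlwaysOn'    # DEP enforced for everything, exclusions ignored
    2 = 'OptIn'       # Windows programs and services only
    3 = 'OptOut'      # all programs except those on the exclusion list
}

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

# Secure Boot state. Confirm-SecureBootUEFI needs an elevated prompt and
# throws on legacy BIOS systems, so a failure is recorded as unknown.
try {
    $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
} catch {
    $secureBoot = $null
}

# Per-program exclusions added on the Data Execution Prevention tab.
# Assumption: each one is a value containing 'DisableNXShowUI' under this key.
$layersKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$exclusions = @()
if (Test-Path $layersKey) {
    $exclusions = @(
        (Get-ItemProperty -Path $layersKey).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'DisableNXShowUI' } |
            ForEach-Object { $_.Name }
    )
}

[pscustomobject]@{
    HardwareDepAvailable = $os.DataExecutionPrevention_Available
    Policy               = $policyNames[$policy]
    AppliesTo32BitApps   = $os.DataExecutionPrevention_32BitApplications
    AppliesToDrivers     = $os.DataExecutionPrevention_Drivers
    SecureBootEnabled    = $secureBoot
    ExcludedPrograms     = $exclusions -join '; '
} | Format-List

# Flag the two states worth a second look.
if ($policy -eq 0) {
    Write-Warning 'DEP policy is AlwaysOff: nx has been turned off for this boot entry.'
}
if ($exclusions.Count -gt 0) {
    Write-Warning "$($exclusions.Count) program(s) are excluded from DEP; confirm each one is expected."
}
```

Run it from an elevated PowerShell window; an empty SecureBootEnabled field means the Secure Boot state could not be read.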

Why you should not disable DEP

While the initial versions of DEP did cause problems, newer versions in Windows 8 and Windows 10 are much, much better. DEP mostly works in the background now and doesn’t interfere with how you use your computer. There are a couple of reasons why you should not disable DEP.

An essential protection against the unseen

The main reason to leave DEP running is that it provides almost invisible protection against invisible attackers. If a virus or malware gets through your security software and DEP is off, there is no way to know something is working on your computer. The malware can run scripts and perform its tasks without interference and that can be devastating.

DEP now recognizes most new games and programs and won’t trouble you with errors or alerts. It is one of those Windows features that does actually provide value for users.

With more viruses and malware than ever floating around the internet, any extra layer of protection is a good thing. If it gives the odd error now and again, that is a small price to pay. Plus, if it doesn’t like a particular program you can always whitelist it using the method I described above. As long as you’re sure the program is safe you should be fine.

It may not be DEP giving the error

Some violation errors have nothing to do with Data Execution Prevention at all. It could be User Account Control, Local Policy, Group Policy, Windows Defender, your antivirus or anti-malware software or something completely different. There is a habit among IT Techs to blame DEP for any access or memory violation but it isn’t always true. It is sometimes, but not always.

You can also experiment by disabling UAC, temporarily pausing your security software or by running the program with Admin privileges. If it works after doing that, it wasn’t DEP at all.

Data Execution Prevention was added to Windows as an extra layer of protection. I may not be a fan of some of Microsoft’s decisions when it comes to ‘protecting us’ but DEP is one that works. Unless you really have to disable DEP, I really would leave it running.
