Questions

What does "/noexecute=optin" mean in boot.ini file?

0 Votes
Locked

dhart131
/noexecute=optin is part of a line in a boot.ini file and I am wondering what it does.
  • +
    1 Votes
    seanferd

    "The /noexecute parameter enables Data Execution Prevention (DEP), a set of hardware and software technologies designed to prevent harmful code from running in protected memory locations."

    +
    0 Votes
    dhart131

    thank you

    +
    1 Votes
    TobiF

    Out of four possible states for data execution prevention, this is the second weakest.

    DEP (Data Execution Prevention) is a hardware control, where the processor will not allow execution of some bytes if they are in a location that was marked as DATA rather than EXECUTABLE.

    Whenever you read about a security patch for a "buffer overrun", know that DEP could have helped to prevent this problem.

    Unfortunately, many computer programs are poorly written and mix data and program instructions in such a way that one can't use this good security measure. (As far as I know, however, 64-bit versions of Windows enforce DEP to be on at all times.)

    On 32-bit Windows platforms, there are 4 possible policies that can be declared. They are, from weakest to strongest:
    /NOEXECUTE=ALWAYSOFF
    /NOEXECUTE=OPTIN
    /NOEXECUTE=OPTOUT
    /NOEXECUTE=ALWAYSON

    The default value is opt-in, where DEP will be applied only for those computer programs which declare that DEP should be used.
    Opt-out enables DEP, but allows the program to opt out.
    The other two options are self-explanatory, I hope.

    On my computer, I changed to OPTOUT a long time ago and (knock on wood) haven't noticed any misbehaving programs. This means that I managed to raise the security a lot.

    Hope this helps.

    +
    0 Votes
    dhart131

    Thanks for satisfying my curiosity. I was trying to figure out if it had anything to do with my safe mode login post. Now I know it does not.
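
As an added example (not part of the original thread), here is a small Python audit that reads boot.ini text and reports the /noexecute policy of each [operating systems] entry, using the weakest-to-strongest order TobiF lists. The sample boot.ini, the function name `audit_boot_ini` and the OPTOUT minimum are assumptions made for illustration.

```python
import re

# Policy order as listed in the thread, weakest to strongest.
POLICY_ORDER = ["ALWAYSOFF", "OPTIN", "OPTOUT", "ALWAYSON"]
NOEXECUTE_RE = re.compile(r"/noexecute=(\w+)", re.IGNORECASE)

# Constructed sample boot.ini (not taken from the thread).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP (test)" /fastdetect /noexecute=alwaysoff
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Windows XP (hardened)" /noexecute=OptOut /fastdetect
multi(0)disk(0)rdisk(0)partition(4)\WINNT="Windows 2000" /fastdetect
"""

def audit_boot_ini(text, minimum="OPTOUT"):
    """Return (label, policy, meets_minimum) per [operating systems] entry."""
    # policy is None when the switch is absent and "UNKNOWN:<value>" when the
    # value is not one of the four policies; both count as not meeting the
    # minimum so that a person reviews them.
    results, in_os_section = [], False
    floor = POLICY_ORDER.index(minimum.upper())
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if not in_os_section or "=" not in line:
            continue
        # Entry format: <ARC path>="<label>" <switches>
        _, _, rest = line.partition("=")
        label_match = re.match(r'\s*"([^"]*)"(.*)', rest)
        if not label_match:
            continue
        label, switches = label_match.groups()
        m = NOEXECUTE_RE.search(switches)
        if m is None:
            results.append((label, None, False))
            continue
        policy = m.group(1).upper()
        if policy not in POLICY_ORDER:
            results.append((label, "UNKNOWN:" + policy, False))
        else:
            results.append((label, policy, POLICY_ORDER.index(policy) >= floor))
    return results
```

Calling `audit_boot_ini(SAMPLE_BOOT_INI)` flags every entry below OPTOUT, including the one with no /noexecute switch at all.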