Advanced Windows Security: Activating SEHOP
When you browse the Internet for security tips and suggestions, you will notice that they sound alike on the majority of sites. Use antivirus and a firewall, update your system all the time, don't click on links in emails, and so on.
Today I'm going to discuss a topic that you won't find in the majority of security tips for Windows. SEHOP, which stands for Structured Exception Handler Overwrite Protection, is a security feature that Microsoft integrated into Windows Vista and Windows Server 2008. It is enabled by default on Server 2008 but disabled in Vista. SEHOP was included in the next iteration of Windows client and server as well, again enabled on Server 2008 R2 and disabled on Windows 7.
The feature prevents attackers from exploiting certain software vulnerabilities to successfully attack a system. It is basically a mitigation technique to prevent successful exploits of vulnerable software on the PC. Even if you update your PC and software as soon as updates get released, you may still have vulnerable software on it when attackers find vulnerabilities that are not known yet for instance.
If you are interested to find out more about SEHOP, I suggest you check out an article on Microsoft's Technet website that explains the concept in detail.
Before I'm going to explain how you can enable SEHOP for all applications, it needs to be noted that there may be application incompatibilities. Microsoft notes that most programs should be compatible with SEHOP. Because of that, Microsoft has created options to enable or disable validation for processes individually and for all applications.
Activating SEHOP on Vista and Windows 7
Probably the easiest way to get started is to enable SEHOP for all applications and turn it off for applications that are not fully compatible (which you will notice when working with them in Windows).
A Fix It is available that you can run on your computer to enable SEHOP for all applications. You can download it directly from this link.
The Fix It tool creates a System Restore point before it enables SEHOP for all processes on the system. A restart of the PC is required afterwards before the changes take effect.
If you prefer to enable it in the Registry manually, you can do so as well:
- Use the Windows-r shortcut to bring up the runbox, type regedit in the box and hit enter afterwards. This loads the Windows Registry Editor.
- Browse to the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation
- If you can't find DisableExceptionChainValidation under kernel create the key by right-clicking on kernel, selecting New > Dword, and entering DisableExceptionChainValidation as the name
- Double-click DisableExceptionChainValidation and set the value to 0 to enable it
- Exit the Registry Editor and restart the PC
To disable SEHOP again, you simply change the value from 0 to 1.
SEHOP for individual processes
If you are experiencing issues with select processes after enabling SEHOP, you may want to disable the security feature for those processes. For that, you again need to open the Registry Editor and navigate to the following key:
- If you are running a 32-bit version of Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- If you are running a 64-bit version of Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
If you do not know, you can either find out if you are running a 32-bit or 64-bit system, or simply try to locate the Wow6432Node key in the Registry. If it exists, you are running a 64-bit version of Windows.
Under that key you may find a list of processes, and it is here that you need to add the processes that you want to enable or disable SEHOP for.
- Right-click on the Image File Execution Options key and select New > Key from the options. Enter the process name exactly as it shows up on the system, i.e. iexplore.exe for Microsoft Internet Explorer.
- Right-click the process afterwards and select New > Dword from the context menu. Enter DisableExceptionChainValidation as the name of the new value
- Double-click DisableExceptionChainValidation and set it to 0 to enable SEHOP for the process, or to 1 to disable it.
what does a reg value of 3 in DisableExceptionChainValidation mean?
I have same question.
Also for 3 years using EMET on maximum s.m. ,I don’t have any problems (maybe because I have all dubious,risky services disabled…)
Although ,last few weeks :
When I paste with middle click into notepad (or any other m.c.pasting place ),pasted content multiplies itself without end almost stopping cursor-and notepad cant be closed normally, I must ctr+alt +delete to freeze over-copying.
Important is that other middle click actions (in browsers)work OK, also
pasting with right click menu is OK.
I checked 3 mouses -every one behaves the same.
I can’t google any sensible tip.
So far I still would like to avoid checking if it is becouse of EMET by removing EMET…
Comp is clean ,checked with 5 anti-softwares…
Enabling the Maximum Security Mode in EMET 3 caused all sorts of issues in various windows services. I saw some really weird event log errors that I could not find a single reference to on Google,
I tried rolling back to the restore point created before I installed EMET 3.
When that didn’t fix the issues I uninstalled version 2.1.
It turns out I needed to run “sfc /scannow” to fix a broken user profile.
Lastly I had to rebuild the search index to remove reference to that profile.
Because I’m stubborn, I’m going to reinstall EMET 3, but I’ll leave it set to the defaults.
So basically describing this attack-
It uses stack-based buffer overflow to execute malicious code by overwriting a program’s exception handler.
EMET version 3.0 comes with a “EMET notifier” that runs in the notification area, it informs of various problems by a pop up.
You can also motioner EMET logs from Event Viewer which is useful
Microsoft has a tool called the “Enhanced Mitigation Toolkit” that gives you a GUI to configure this stuff.
http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx
I’ve been using version 2.1 for quite a while and just installed the latest version.
Chris, thanks for posting. Can you share your experience in regards to issues with applications / processes?
I’ve usually had EMET at the default settings, which requires a program to specifically request SEHOP, DEP, and/or ASLR be used.
Internet Explorer crashed a lot -prior- to me installing EMET 2.1. EMET adds a profile that makes IE request all of the above.
Out of curiosity I just now switched on EMET’s “Maximum Security Mode”. This means that DEP is always on and an application has to request that SEHOP be turned -off-. I’ll have to reboot to activate that and I should run a backup first in case anything dire happens.
It’ll take a while to be certain that all my programs are compatible, but I’ve bookmarked this article and will let you know what happens.
Sounds great, thanks for the input Chris. Looking forward to your findings.
#corrections
“The feature prevents that attackers can not exploit certain software vulnerabilities to successfully attack a system. ”
Can’t even make out what that was meant to be! haha
Sorry, it is early in the morning. Corrected ;)