Advanced Windows Security: Activating SEHOP
When you browse the Internet for security tips and suggestions, you will notice that they sound alike on the majority of sites. Use antivirus and a firewall, update your system all the time, don't click on links in emails, and so on.
Today I'm going to discuss a topic that you won't find in the majority of security tips for Windows. SEHOP, which stands for Structured Exception Handler Overwrite Protection, is a security feature that Microsoft integrated into Windows Vista and Windows Server 2008. It is enabled by default on Server 2008 but disabled in Vista. SEHOP was included in the next iteration of Windows client and server as well, again enabled on Server 2008 R2 and disabled on Windows 7.
The feature prevents attackers from exploiting certain software vulnerabilities to successfully attack a system. It is basically a mitigation technique to prevent successful exploits of vulnerable software on the PC. Even if you update your PC and software as soon as updates get released, you may still have vulnerable software on it when attackers find vulnerabilities that are not known yet for instance.
If you are interested to find out more about SEHOP, I suggest you check out an article on Microsoft's Technet website that explains the concept in detail.
Before I'm going to explain how you can enable SEHOP for all applications, it needs to be noted that there may be application incompatibilities. Microsoft notes that most programs should be compatible with SEHOP. Because of that, Microsoft has created options to enable or disable validation for processes individually and for all applications.
Activating SEHOP on Vista and Windows 7
Probably the easiest way to get started is to enable SEHOP for all applications and turn it off for applications that are not fully compatible (which you will notice when working with them in Windows).
A Fix It is available that you can run on your computer to enable SEHOP for all applications. You can download it directly from this link.
The Fix It tool creates a System Restore point before it enables SEHOP for all processes on the system. A restart of the PC is required afterwards before the changes take effect.
If you prefer to enable it in the Registry manually, you can do so as well:
- Use the Windows-r shortcut to bring up the runbox, type regedit in the box and hit enter afterwards. This loads the Windows Registry Editor.
- Browse to the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation
- If you can't find DisableExceptionChainValidation under kernel create the key by right-clicking on kernel, selecting New > Dword, and entering DisableExceptionChainValidation as the name
- Double-click DisableExceptionChainValidation and set the value to 0 to enable it
- Exit the Registry Editor and restart the PC
To disable SEHOP again, you simply change the value from 0 to 1.
SEHOP for individual processes
If you are experiencing issues with select processes after enabling SEHOP, you may want to disable the security feature for those processes. For that, you again need to open the Registry Editor and navigate to the following key:
- If you are running a 32-bit version of Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- If you are running a 64-bit version of Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
If you do not know, you can either find out if you are running a 32-bit or 64-bit system, or simply try to locate the Wow6432Node key in the Registry. If it exists, you are running a 64-bit version of Windows.
Under that key you may find a list of processes, and it is here that you need to add the processes that you want to enable or disable SEHOP for.
- Right-click on the Image File Execution Options key and select New > Key from the options. Enter the process name exactly as it shows up on the system, i.e. iexplore.exe for Microsoft Internet Explorer.
- Right-click the process afterwards and select New > Dword from the context menu. Enter DisableExceptionChainValidation as the name of the new value
- Double-click DisableExceptionChainValidation and set it to 0 to enable SEHOP for the process, or to 1 to disable it.