Microsoft has tested Retpoline, a new mitigation against Spectre variant 2 developed by Google, on Windows 10 Insider Builds for some time now. The company brought Retpoline to Windows 10 version 1809 by including it in the March 1 cumulative update KB4482887 for that version of Windows 10.
Tip: use the free InSpectre program for Windows to check the vulnerability status.
Retpoline promises improved performance compared to the previous mitigation method used by Microsoft in its operating systems. Microsoft monitored the performance of Windows 10 systems and determined that Retpoline improved the launch time of Office applications by about 25% among other benefits.
"When all relevant kernel-mode binaries are compiled with retpoline, we’ve measured ~25% speedup in Office app launch times and up to 1.5-2x improved throughput in the Diskspd (storage) and NTttcp (networking) benchmarks on Broadwell CPUs in our lab."
Retpoline is not enabled by default on production devices even though it is included in the March 1 update. Microsoft plans to roll out the mitigation over the course of the coming months.
Administrators who don't want to wait can enable Retpoline right away provided that the devices run Windows 10 version 1809 and have the latest cumulative update installed.
Microsoft employee Mehmet Iyigun describes the process on the Tech Community site. Note that it is recommended that you back up the system and data before you apply the change.
Windows 10 Clients
Note: Microsoft did not enclose the Registry key path in quotation marks (""). If you copy and paste Microsoft's command, you will receive an error.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x400
Alternative: use the following Registry file to make the change with a double-click on it: Regpoline Windows 10 Client
Windows 10 Server
And here is the Registry file for Windows 10 Server versions: Windows 10 Server Regpoline
Note that you can make the changes in the Registry editor directly as well if you prefer to do so.
You may use the Get-SpeculationControlSettings PowerShell cmdlet to verify the status of Retpoline. BTIKernelRetpolineEnabled and BTIKernelImportOptimizationEnabled should be returned as True in the output.
Microsoft notes that Skylake and newer generations of Intel processors are not compatible with Retpoline; these will only return BTIKernelImportOptimizationEnabled as enabled when the command is run.
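The verification step described above can be scripted. The following is an added example, not code from the article or from Microsoft: it reads the Registry value set by the command above and interprets the two Get-SpeculationControlSettings fields, including the Skylake case. It assumes the SpeculationControl PowerShell module is already installed; the function name Get-RetpolineReport is hypothetical.

```powershell
# Added example (not from the article): summarize the Retpoline opt-in and runtime status.
# Assumption: the SpeculationControl module, which provides Get-SpeculationControlSettings,
# is installed. Get-RetpolineReport is a hypothetical helper name.
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RetpolineReport {
    # Value written by the reg add command shown above; $null means it was never set.
    $prop = Get-ItemProperty -Path $mmKey -Name FeatureSettingsOverrideMask -ErrorAction SilentlyContinue
    $mask = $prop.FeatureSettingsOverrideMask

    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        throw 'Get-SpeculationControlSettings not found; install the SpeculationControl module first.'
    }

    # The cmdlet prints its report to the host and returns an object with the raw flags.
    $s = Get-SpeculationControlSettings
    $retpoline = [bool]$s.BTIKernelRetpolineEnabled
    $importOpt = [bool]$s.BTIKernelImportOptimizationEnabled

    $verdict = if ($retpoline -and $importOpt) {
        'Retpoline and import optimization are active'
    } elseif ($importOpt) {
        'Import optimization only (expected on Skylake and newer Intel processors)'
    } else {
        'Retpoline is not active; check the update level and the Registry value'
    }

    [pscustomobject]@{
        FeatureSettingsOverrideMask        = if ($null -ne $mask) { '0x{0:X}' -f $mask } else { 'not set' }
        BTIKernelRetpolineEnabled          = $retpoline
        BTIKernelImportOptimizationEnabled = $importOpt
        Verdict                            = $verdict
    }
}

Get-RetpolineReport | Format-List
```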
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.