Article ID

:

316739

Last Review

:

November 1, 2006

Revision

:

14.2

This article was previously published under Q316739

SUMMARY

You can use the /userva=xxxx switch for more precise tuning of user and kernel virtual memory space in the Windows Server 2003 family. Use this new switch with the /3GB switch in the Boot.ini file to tune the User-mode space to a value between 2 and 3 gigabytes (GB), with the difference (3,072 less xxxx) being returned to Kernel mode. Note that xxxx is expressed in megabytes (MB).

The following sample Boot.ini file demonstrates how to use the new switch to tune a computer to allocate 2,900 MB of User-mode virtual memory and 1,196 MB of Kernel-mode virtual memory. This increases the available kernel space by 172 MB:

[Boot Loader]
Timeout=30
Default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Microsoft Windows Server 2003" /fastdetect /3GB /Userva=2900

MORE INFORMATION

The /userva=xxxx switch is designed to allow for more precise tuning of User-mode address space for program manufacturers who require more than 2 GB of User-mode space but do not require all the space that is provided by the /3GB tuning switch alone.

Note Using only the /3GB switch allocates 1 GB to the kernel and 3 GB to the User-mode space.

Using this switch reduces the memory available in the following system pools:

•

Nonpaged Pool

•

Paged Pool

•

System Page Table Entries (PTEs)

If the memory reduction in the pools is too great in a specific server installation, the server or the applications may generate an error or appear to stop responding.

In Windows Server 2003, you can add a small amount of the additional 1 GB back to the operating system. By decreasing the amount of User-mode space that is typically allocated by the /3GB switch, Windows Server 2003 increases the available kernel memory address space. This additional Kernel-mode address space is held in reserve and is used as additional address space for PTEs if the system runs out of free PTE space. This address space is not allocated to PTEs until the system runs low on PTE space.

In order to accurately see PTE space, use the !VM command in the debugger.

Note In Microsoft Windows XP and in Windows Server 2003, you can use this command interactively with the current debuggers that are available on the Microsoft download site.

Note Microsoft Product Support Services strongly recommends using a range of memory for the /userva=xxxx switch that is within the range of 2900 to 3030. This range is wide enough to provide a pool of system PTEs that is large enough for all currently observed issues. Typically, a value of 2800 for the xxxx placeholder will provide close to the maximum available number of system PTEs possible. Values observered in production for the 2800 setting are usually in the 50,000 - 70,000 free system pages, more than enough for all installations. If the value is less that 24,000, you should reduce this value in 64 MB steps until values larger than 24,000 to 26,000 are observed. Smaller numbers in the userva switch result in larger allocations of system pages. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

894067 (http://support.microsoft.com/kb/894067/) The Performance tool does not accurately show the available Free System Page Table entries in Windows Server 2003

To make sure of program stability and Windows stability, program manufacturers must test their programs thoroughly by using the described tuning techniques and must provide the /userva=xxxx number for their programs. To help in this testing, manufacturers can use the System Monitor tool to monitor virtual address consumption. To do this, add the Virtual Bytes counter for the program's process to obtain an accurate reading of the virtual space.

Note Microsoft Product Support Services (PSS) does not support arbitrary /userva settings; customers should add this setting to the Boot.ini file only per a manufacturer's recommendation.

For more information about the /3GB switch, click the following article numbers to view the articles in the Microsoft Knowledge Base:

171793 (http://support.microsoft.com/kb/171793/) Information on application use of 4GT RAM tuning

189293 (http://support.microsoft.com/kb/189293/) Enabling 4GT RAM tuning when you use Windows NT Server Enterprise Edition

Windows Server 2003 no longer limits the System Paged Pool to 160 MB on computers that have lots of memory. Because the Paged Pool is not limited, you may be able to free additional Kernel-mode address space to use as PTE space when the computer is running with the /3GB switch by limiting the size of the System Paged Pool.

Article ID

:

319043

Last Review

:

September 27, 2005

Revision

:

2.1

This article was previously published under Q319043

SYMPTOMS

If you use the /3GB switch in the Boot.ini file to support a program that can use more than 2 GB of virtual address space, a driver may not be loaded when Windows starts. This is more likely to occur with video adapter drivers. This is especially likely to occur if the hardware device contains a lot of onboard random access memory (RAM) that is used as a buffer.

Back to the top

CAUSE

This problem occurs because the driver is trying to reserve a large block of contiguous virtual memory addresses in the kernel address space to map the device's buffer. When you are use the /3GB switch, the memory that is available to the kernel is halved. The kernel might not be able to allocate a large enough block of memory to satisfy the driver's request.

Back to the top

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 (http://support.microsoft.com/kb/322389/EN-US/) How to Obtain the Latest Windows XP Service Pack

The English version of this fix should have the following file attributes or later:

   Date         Time   Version      Size      File name
   -------------------------------------------------------
   10-Jun-2002  15:44  5.1.2600.48  1,836 KB  Ntoskrnl.exe
   10-Jun-2002  15:44  5.1.2600.48  1,804 KB  Ntkrnlmp.exe
   10-Jun-2002  15:44  5.1.2600.48  1,858 KB  Ntkrnlpa.exe
   10-Jun-2002  15:44  5.1.2600.48  1,831 KB  Ntkrpamp.exe
                                

After you install this hotfix, you can use the new /USERVA memory-management switch. You can use this switch to tune the memory that is allocated above 2 GB to User mode and taken from the kernel. By doing this, you can find a number that permits the driver to be loaded.

For example, using the /USERVA=2800 switch in the Boot.ini file configures a User mode virtual address space of 2800 MB and a Kernel mode virtual address space of 1196 MB.

Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows XP Service Pack 1.

Back to the top

REFERENCES

For more information about using the /USERVA switch, see the following Microsoft Knowledge Base article:

316739 (http://support.microsoft.com/kb/316739/EN-US/) How to Use the /USERVA Switch in the Boot.ini File to Tune /3GB Configurations

Back to the top

Article ID

:

839490

Last Review

:

August 29, 2007

Revision

:

3.0

SYMPTOMS

If you use the /3GB switch in the Boot.ini file on a Microsoft Windows XP Professional-based workstation, and the workstation is configured with certain graphics adapters, Windows may exhaust the memory that is available for kernel services. Therefore, Windows disk services may fail with unrecoverable file system corruption, and you may receive "Delayed Write Disk" error messages that are similar to the following:

Delayed Write Failed

Unable to write file file name

The problem may occur shortly after Windows is started.

Back to the top

CAUSE

The problem may occur if the graphics adapter on your Windows XP Professional-based workstation consumes many system page table entries (PTE), and sufficient memory addresses are not available for the Windows kernel.

Back to the top

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 (http://support.microsoft.com/kb/322389/EN-US/) How to obtain the latest Windows XP service pack

Back to the top

Hotfix information

A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451 (http://go.microsoft.com/?linkid=6294451)

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version            Size    File name
   --------------------------------------------------------------
   04-May-2004  19:13  5.1.2600.1524   1,912,320  Ntkrnlmp.exe     
   04-May-2004  19:13  5.1.2600.1524   1,968,128  Ntkrnlpa.exe     
   04-May-2004  19:13  5.1.2600.1524   1,940,480  Ntkrpamp.exe     
   04-May-2004  21:07  5.1.2600.1524   2,064,256  Ntoskrnl.exe     

Note This hotfix resolves the problem of data corruption that may occur if you use the /3GB switch on a Windows XP Professional-based workstation that is configured with a graphics adapter that consumes many system page table entries. However, the hotfix does not resolve performance issues that are caused by a graphics adapter driver. To resolve performance issues that are caused by a graphics adapter driver, contact the manufacturer of the graphics adapter to determine if updated drivers are available.

For information about how to contact manufacturer of the graphics adapter, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:

65416 (http://support.microsoft.com/kb/65416/) Hardware and Software Third-Party Vendor Contact List, A-K

60781 (http://support.microsoft.com/kb/60781/) Hardware and Software Third-Party Vendor Contact List, L-P

60782 (http://support.microsoft.com/kb/60782/) Hardware and Software Third-Party Vendor Contact List, Q-Z

Back to the top

WORKAROUND

You may be able to work around this problem by using the /USERVA=2944 Boot.ini option to reduce the available user memory address space.

For additional information about the /USERVA switch, click the following article number to view the article in the Microsoft Knowledge Base:

316739 (http://support.microsoft.com/kb/316739/) How to use the /USERVA switch in the Boot.ini file to tune /3GB configurations

Note This setting should produce over 90 KB of free system PTES. This should be enough to satisfy any operating system, database and backup usage.
Important Microsoft Product Support Services strongly recommends using a range of memory for the /USERVA switch that lies within the range of 2900-3030. This range is wide enough to provide a large enough pool of system page table entries for all currently observed issues.

Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows XP Service Pack 2.

Back to the top

MORE INFORMATION

For more information about the standard terminology that is used to describe Microsoft software updates, click the following article number to view the article in the Microsoft Knowledge Base:

824684 (http://support.microsoft.com/kb/824684/) Description of the standard terminology that is used to describe Microsoft software updates

Memory Support and Windows Operating Systems

Updated: February 9, 2005

Operating systems based on Microsoft Windows NT technologies have always provided applications with a flat 32-bit virtual address space that describes 4 gigabytes (GB) of virtual memory. The address space is usually split so that 2 GB of address space is directly accessible to the application and the other 2 GB is only accessible to the Windows executive software.

The 32-bit versions of the Windows 2000 Advanced Server and Windows NT Server 4.0, Enterprise Edition, operating systems were the first versions of Windows to provide applications with a 3-GB flat virtual address space, with the kernel and executive components using only 1 GB. In response to customer requests, Microsoft has expanded the availability of this support to the 32-bit version of Windows XP Professional and all 32-bit versions of Windows Server 2003.

Windows 2000 Memory Support. With Windows 2000 Professional and Server, the maximum amount of memory that can be supported is 4 GB (identical to Windows NT 4.0, as described later in this section). However, Windows 2000 Advanced Server supports 8 GB of physical RAM and Windows 2000 Datacenter Server supports 32 GB of physical RAM using the PAE feature of the IA-32 processor family, beginning with Intel Pentium Pro and later.

Windows XP Professional and Windows Server 2003 Memory Support. The maximum amount of memory that can be supported on Windows XP Professional and Windows Server 2003 is also 4 GB. However, Windows Server 2003, Enterprise Edition supports 32 GB of physical RAM and Windows Server 2003, Datacenter Edition supports 64 GB of physical RAM using the PAE feature.

The virtual address space of processes and applications is still limited to 2 GB unless the /3GB switch is used in the Boot.ini file. When the physical RAM in the system exceeds 16 GB and the /3GB switch is used, the operating system will ignore the additional RAM until the /3GB switch is removed. This is because of the increased size of the kernel required to support more Page Table Entries. The assumption is made that the administrator would rather not lose the /3GB functionality silently and automatically; therefore, this requires the administrator to explicitly change this setting.

The /3GB switch allocates 3 GB of virtual address space to an application that uses IMAGE_FILE_LARGE_ADDRESS_AWARE in the process header. This switch allows applications to address 1 GB of additional virtual address space above 2 GB.

The virtual address space of processes and applications is still limited to 2 GB, unless the /3GB switch is used in the Boot.ini file. The following example shows how to add the /3GB parameter in the Boot.ini file to enable application memory tuning:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINNT="????" /3GB

Note: "????" in the previous example can be the programmatic name of any of the following operating system versions:

Windows XP Professional
Windows Server 2003
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
Windows 2000 Advanced Server
Windows 2000 Datacenter Server
Windows NT Server 4.0, Enterprise Edition

Windows NT 4.0 Memory Support. With Microsoft Windows NT 4.0 Workstation and Server operating systems, the maximum amount of physical memory supported is 4 GB. The maximum amount of virtual memory is 2 GB.

With Windows NT 4.0 Server, Enterprise Edition, the /3GB switch was first added to Boot.ini.

Application Memory Tuning. This capability allows memory-intensive applications to utilize up to 50 percent more virtual memory on Intel-based computers. Application memory tuning provides more of the computer's virtual memory to applications by providing less virtual memory to the operating system.

Application Changes. No APIs are required to support application memory tuning. However, it would be ineffective to automatically provide every application with a 3-GB address space.

Executables that can use the 3-GB address space are required to have the bit IMAGE_FILE_LARGE_ADDRESS_AWARE set in their image header. If you are the developer of the executable, you can specify a linker flag (/LARGEADDRESSAWARE).

To set this bit, you must use Microsoft Visual Studio Version 6.0 or later and the Editbin.exe utility, which has the ability to modify the image header (/LARGEADDRESSAWARE) flag. For more information on setting this flag, see the Microsoft Visual Studio documentation.

Some manufacturers preconfigure their applications to use application memory tuning, making it unnecessary for you to make this change. For more information, see your application documentation and contact your application vendor to determine whether they support Large Address Awareness or whether you can enable it in their application.

Physical Address Extension. PAE is an Intel-provided memory address extension that enables support of up to 64 GB of physical memory for applications running on most 32-bit (IA-32) Intel Pentium Pro and later platforms. Support for PAE is provided under Windows 2000 and 32-bit versions of Windows XP and Windows Server 2003. 64-bit versions of Windows do not support PAE.

PAE allows the most recent IA-32 processors to expand the number of bits that can be used to address physical memory from 32 bits to 36 bits through support in the host operating system for applications using the Address Windowing Extensions (AWE) application programming interface (API). More information about the AWE API can be found at the MSDN Library.

Код статьи

:

833721

Последнее изменение :

:

11 декабря 2007 г.

Редакция

:

6.1

Аннотация

Добавляя параметры в файл Boot.ini, можно изменять параметры загрузки Microsoft Windows XP и Microsoft Windows Server 2003.

Дополнительные сведения см. в следующей статье базы знаний Майкрософт:

102873 (http://support.microsoft.com/kb/102873/) Файл BOOT.INI и принятые имена ARC-путей, а также их использование

Перейти к началу страницы

Дополнительная информация

В файл Boot.ini можно добавить следующие параметры.

Примечание. Если не указано обратное, то рассматриваемые параметры используются в Windows XP и Windows Server 2003.

Перейти к началу страницы

/basevideo

Параметр /basevideo предписывает использовать режим VGA с разрешением 640x480 и 16 цветами, а также драйвер видеокарты, совместимый со всеми видеоадаптерами. Данный параметр позволяет выполнить загрузку, если было установлено ошибочное значение для разрешения или частоты обновления. Рекомендуется использовать данный параметр вместе с параметром /sos. Если после установки нового драйвера видеокарты система не загружается, используйте параметр /basevideo, чтобы выполнить загрузку и удалить данный драйвер, обновить его или установить прежний драйвер.

Перейти к началу страницы

/baudrate=number

Данный параметр задает скорость порта отладки, используемого при отладке ядра. Например, введите /baudrate=9600. Если к порту подключен модем, то по умолчанию устанавливается скорость 9600 килобит в секунду, а если применяется нуль-модемный кабель, то — 115 200 килобит в секунду. Скорость 9600 килобит/сек является стандартной скоростью для удаленной отладки с использованием модема. Если в файле Boot.ini указан параметр /baudrate, то автоматически включается и параметр /debug.

Дополнительные сведения о настройке модема см. в следующей статье базы знаний Майкрософт:

148954 (http://support.microsoft.com/kb/148954/) Установка сеанса удаленной отладки с помощью модема (Эта ссылка может указывать на содержимое полностью или частично на английском языке)

Дополнительные сведения о настройке нуль-модема см. в следующей статье базы знаний Майкрософт:

151981 (http://support.microsoft.com/kb/151981/) Установка сеанса удаленной отладки с помощью нуль-модемного кабеля (Эта ссылка может указывать на содержимое полностью или частично на английском языке)

Перейти к началу страницы

/crashdebug

Предписывает при загрузке операционной системы загружать отладчик ядра. Данный параметр остается неактивным, пока не появится сообщение о неустранимой ошибке. Параметр /crashdebug используется при эпизодическом возникновении ошибок в ядре. Если указан данный параметр, то в обычном режиме Windows продолжает использовать последовательный порт. В случае возникновения сбоя этот порт преобразуется в порт отладки и включится режим удаленной отладки.

Дополнительные сведения см. в следующей статье базы знаний Майкрософт:

151981 (http://support.microsoft.com/kb/151981/) Установка сеанса удаленной отладки с помощью нуль-модемного кабеля (Эта ссылка может указывать на содержимое полностью или частично на английском языке)

Перейти к началу страницы

/debug

Предписывает при загрузке операционной системы запускать отладчик ядра. Этот параметр может быть активирован в любой момент из удаленного отладчика, расположенного на компьютере, который подключен к последовательному порту локального компьютера. В отличие от параметра /crashdebug, при использовании параметра /debug последовательный порт всегда работает как порт отладки. Используйте этот режим, если в работе системы регулярно возникают ошибки.

Дополнительные сведения об удаленной отладке см. в следующей статье базы знаний Майкрософт:

121543 (http://support.microsoft.com/kb/121543/) Подготовка компьютера к удаленной отладке (Эта ссылка может указывать на содержимое полностью или частично на английском языке)

Перейти к началу страницы

/debugport=comnumber

Данный параметр указывает порт соединения для использования в качестве порта отладки, где number является портом соединения, например COM1, который необходимо использовать. По умолчанию параметр /debugport использует порт COM2, если он существует, и, в противном случае, порт COM1. Если в файле Boot.ini указан параметр /debugport, то автоматически будет использован параметр /debug.

Дополнительные сведения см. в следующей статье базы знаний Майкрософт:

151981 (http://support.microsoft.com/kb/151981/) Установка сеанса удаленной отладки с помощью нуль-модемного кабеля (Эта ссылка может указывать на содержимое полностью или частично на английском языке)

Перейти к началу страницы

/maxmem=число

Данный параметр задает объем оперативной памяти (в байтах), который операционная система может использовать. Например, чтобы Windows использовала менее 64 МБ памяти, используйте параметр /maxmem=64.

Однако параметр /maxmem не учитывает возможность «дыр» в памяти. Поэтому вместо него рекомендуется использовать параметр /burnmemory, который учитывает "дыры" в памяти.

Если, например, используется параметр /Maxmem=64 и для загрузки системы требуется 64 МБ памяти, то из-за «дыры» фактический объем памяти может быть меньше 64 МБ. В этом случае Windows не загрузится.

Дополнительные сведения см. в следующей статье базы знаний Майкрософт:

108393 (http://support.microsoft.com/kb/108393/) Использование параметра MAXMEM в файле Boot.ini (Эта ссылка может указывать на содержимое полностью или частично на английском языке)

Перейти к началу страницы

/noguiboot

Данный параметр отключает отображение индикатора загрузки Windows (индикатор загрузки появляется до экрана входа в систему).

Перейти к началу страницы

/nodebug

Данный параметр отключает отладку. Это может вызвать появление неустранимой ошибки, если выполняемая программа содержит жестко запрограммированную точку останова.

Перейти к началу страницы

/numproc=number

Данный параметр определяет, сколько процессоров доступно Windows после загрузки. С помощью этого параметра можно предписать многопроцессорной системе использовать количество процессоров (number), указанное вами. Параметр полезен при устранении неполадок, вызванных сбоями в работе процессоров.

Перейти к началу страницы

/pcilock

На компьютерах с процессорами x86 данный параметр отключает в операционной системе функцию распределения ресурсов между устройствами, подключенными к шине PCI (Peripheral Connect Interface). В этом случае конфигурация устройств выполняется системой BIOS.

Перейти к началу страницы

/fastdetect:comnumber

Данный параметр отключает для указанного порта процедуру поиска мыши, выполняемую файлом Ntdetect.com. Используйте данный параметр, если на этапе загрузки к последовательному порту подключено какое-либо оборудование, кроме мыши. Например, введите /fastdetect:comnumber, где number является номером последовательного порта. Чтобы отключить поиск мыши для нескольких портов, укажите их номера через запятую. Если для параметра /fastdetect не указаны номера портов, поиск мыши будет отключен для всех портов.

Примечание. В предыдущих версиях Windows (включая Windows NT 4.0) данный параметр назывался /noserialmice.

Дополнительные сведения см. в следующей статье базы знаний Майкрософт:

131976 (http://support.microsoft.com/kb/131976/) Как отключить обнаружение устройств на последовательных портах (Эта ссылка может указывать на содержимое полностью или частично на английском языке)

Article ID

:

875352

Last Review

:

September 26, 2006

Revision

:

14.3

SUMMARY

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.

Back to the top

INTRODUCTION

This article describes the DEP feature in Windows XP SP2 and in Microsoft Windows Server 2003 with Service Pack 1 (SP1) and discusses the following topics:

•

Hardware-enforced DEP

•

Software-enforced DEP

•

Benefits

•

System-wide configuration of DEP

•

Per-program DEP configuration

Back to the top

MORE INFORMATION

Hardware-enforced DEP

Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code. A class of attacks exists that tries to insert and run code from non-executable memory locations. DEP helps prevent these attacks by intercepting them and raising an exception.

Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. DEP functions on a per-virtual memory page basis, and DEP typically changes a bit in the page table entry (PTE) to mark the memory page.

Processor architecture determines how DEP is implemented in hardware and how DEP marks the virtual memory page. However, processors that support hardware-enforced DEP can raise an exception when code is executed from a page that is marked with the appropriate attribute set.

Advanced Micro Devices (AMD) and Intel have defined and shipped Windows-compatible architectures that are compatible with DEP.

Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the following:

•

The no-execute page-protection (NX) processor feature as defined by AMD.

•

The Execute Disable Bit (XD) feature as defined by Intel.

To use these processor features, the processor must be running in Physical Address Extension (PAE) mode. However, Windows will automatically enable PAE mode to support DEP. Users do not have to separately enable PAE by using the /PAE boot switch.

Note Because 64-bit kernels are Address Windowing Extensions (AWE) aware, there is not a separate PAE kernel in 64-bit versions of Windows.
For more information about PAE and AWE in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

283037 (http://support.microsoft.com/kb/283037/) Large memory support is available in Windows Server 2003 and in Windows 2000

Back to the top

Software-enforced DEP

An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.

Back to the top

Benefits

The primary benefit of DEP is that it helps prevent code execution from data pages, such as the default heap pages, various stack pages, and memory pool pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. If the exception is unhandled, the process will be stopped. Execution of code from protected memory in kernel mode causes a Stop error.

DEP can help block a class of security intrusions. Specifically, DEP can help block a malicious program in which a virus or other type of attack has injected a process with additional code and then tries to run the injected code. On a system with DEP, execution of the injected code causes an exception. Software-enforced DEP can help block programs that take advantage of exception-handling mechanisms in Windows.

Back to the top

System-wide configuration of DEP

DEP configuration for the system is controlled through switches in the Boot.ini file. If you are logged on as an administrator, you can now easily configure DEP settings by using the System dialog box in Control Panel.

Windows supports four system-wide configurations for both hardware-enforced and software-enforced DEP.

Configuration

Description

OptIn

This setting is the default configuration. On systems with processors that can implement hardware-enforced DEP, DEP is enabled by default for limited system binaries and programs that "opt-in." With this option, only Windows system binaries are covered by DEP by default.

OptOut

DEP is enabled by default for all processes. You can manually create a list of specific programs that do not have DEP applied by using the System dialog box in Control Panel. Information technology (IT) professionals can use the Application Compatibility Toolkit to "opt-out" one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect.

AlwaysOn

This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted-out by using the Application Compatibility Toolkit run with DEP applied.

AlwaysOff

This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor does not run in PAE mode unless the /PAE option is present in the Boot.ini file.

Hardware-enforced and software-enforced DEP are configured in the same manner. If the system-wide DEP policy is set to OptIn, the same Windows core binaries and programs will be protected by both hardware-enforced and software-enforced DEP. If the system cannot use hardware-enforced DEP, the Windows core binaries and programs will be protected only by software-enforced DEP.

Similarly, if the system-wide DEP policy is set to OptOut, programs that have been exempted from DEP protection will be exempted from both hardware-enforced and software-enforced DEP.

The Boot.ini file settings are as follows:

/noexecute=policy_level

Note policy_level is defined as AlwaysOn, AlwaysOff, OptIn, or OptOut.

Existing /noexecute settings in the Boot.ini file are not changed when Windows XP SP2 is installed. These settings are also not changed if a Windows operating system image is moved across computers with or without hardware-enforced DEP support.

During installation of Windows XP SP2 and Windows Server 2003 SP1 or later versions, the OptIn policy level is enabled by default unless a different policy level is specified in an unattended installation. If the /noexecute=policy_level setting is not present in the Boot.ini file for a version of Windows that supports DEP, the behavior is the same as if the /noexecute=OptIn setting was included.

If you are logged on as an administrator, you can manually configure DEP to switch between the OptIn and OptOut policies by using the Data Execution Prevention tab in System Properties. The following procedure describes how to manually configure DEP on the computer:

1.

Click Start, click Run, type sysdm.cpl, and then click OK.

2.

On the Advanced tab, under Performance, click Settings.

3.

On the Data Execution Prevention tab, use one of the following procedures:

•

Click Turn on DEP for essential Windows programs and services only to select the OptIn policy.

•

Click Turn on DEP for all programs and services except those I select to select the OptOut policy, and then click Add to add the programs that you do not want to use the DEP feature.

4.

Click OK two times.

IT professionals can control system-wide DEP configuration by using a variety of methods. The Boot.ini file can be modified directly with scripting mechanisms or with the Bootcfg.exe tool that is included in Windows XP SP2.

To configure DEP to switch to the AlwaysOn policy by using the Boot.ini file, follow these steps:

1.

Click Start, right-click My Computer, and then click Properties.

2.

Click the Advanced tab, and then click Settings under the Startup and Recovery field.

3.

In the System startup field, click Edit. The Boot.ini file opens in Notepad.

4.

In Notepad, click Find on the Edit menu.

5.

In the Find what box, type /noexecute, and then click Find Next.

6.

In the Find dialog box, click Cancel.

7.

Replace policy_level with AlwaysOn.

WARNING Make sure that you enter the text accurately. The Boot.ini file switch should now read:

/noexecute=AlwaysOn

8.

In Notepad, click Save on the File menu.

9.

Click OK two times.

10.

Restart the computer.

For unattended installations of Windows XP SP2 or later versions, you can use the Unattend.txt file to pre-populate a specific DEP configuration. You can use the OSLoadOptionsVar entry in the [Data] section of the Unattend.txt file to specify a system-wide DEP configuration.

Back to the top

Per-program DEP configuration

For the purposes of program compatibility, you can selectively disable DEP for individual 32-bit programs when DEP is set to the OptOut policy level. To do this, use the Data Execution Prevention tab in System Properties to selectively disable DEP for a program. For IT professionals, a new program compatibility fix that is named DisableNX is included with Windows XP SP2. The DisableNX compatibility fix disables Data Execution Prevention for the program that the fix is applied to.

The DisableNX compatibility fix can be applied to a program by using the Application Compatibility Toolkit. For more information about Windows application compatibility, see Windows Application Compatibility on the following Microsoft Web site:

http://technet.microsoft.com/en-us/windowsvista/aa905066.aspx (http://technet.microsoft.com/en-us/windowsvista/aa905066.aspx)

Back to the top

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

912923 (http://support.microsoft.com/kb/912923/) How to determine that hardware DEP is available and configured on your computer