Disable Data Execution Prevention and Understanding Why

Updated on May 21, 2025

How to Disable Data Execution Prevention

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off Data Execution Prevention for Explorer

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

OR 

Use the following procedure to turn DEP off or on:

DEP is turned on by default. If you need to turn it off (or back on), you can do so in the Windows Security app. It is recommended to leave it turned on for full protection.

  1. Tap the Windows key or Start button.
  2. Type Windows Security and select the Windows Security app that appears at the top of the search results.
  3. Select App & browser control and then Exploit protection.
  4. Data Execution Prevention can be found on the System settings tab.

Default value 

Disabled. (Data Execution Prevention will block certain types of malware from exploiting Explorer.)

Recommended setting 

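The recommended state for this setting is: Disabled. Because the policy is named "Turn off Data Execution Prevention for Explorer", setting it to Disabled keeps DEP enforced for Explorer.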
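
To check which state the Group Policy setting above is actually in on a machine, the following added example (not part of the original article) reads the policy's registry value and interprets it. It assumes the policy is backed by the NoDataExecutionPrevention value under HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer; the function name Get-ExplorerDepPolicy is made up for this example.

```powershell
# Added example: audit "Turn off Data Execution Prevention for Explorer" locally.
# Assumption: the policy writes this DWORD (1 = Enabled, 0 = Disabled, absent = Not Configured).
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
$PolicyValue = 'NoDataExecutionPrevention'

function Get-ExplorerDepPolicy {
    $raw = $null
    if (Test-Path -Path $PolicyKey) {
        # A missing value simply yields $null here.
        $raw = (Get-ItemProperty -Path $PolicyKey -ErrorAction Stop).$PolicyValue
    }

    # The policy name is negative ("Turn off ..."), so the logic is inverted:
    # policy Disabled (0) means DEP stays ON for Explorer.
    $state = if ($null -eq $raw) {
        'NotConfigured'
    } elseif ([int]$raw -eq 0) {
        'Disabled'
    } elseif ([int]$raw -eq 1) {
        'Enabled'
    } else {
        "Unexpected($raw)"
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        PolicyState          = $state
        # True only when the policy explicitly turns DEP off for Explorer.
        ExplorerDepTurnedOff = ($state -eq 'Enabled')
        # True only when the value is explicitly set to the recommended state.
        MatchesRecommended   = ($state -eq 'Disabled')
    }
}

Get-ExplorerDepPolicy | Format-List
```

A result of NotConfigured means the policy is not set and Windows falls back to its default behaviour; only an explicit Disabled matches the recommended setting.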

What is data execution prevention 

Data Execution Prevention (DEP) is a Windows security feature that protects systems by preventing code from executing in memory areas designated for data storage. By ensuring only authorized programs can run in specific memory regions, DEP helps block malicious software, such as viruses, from executing harmful code. It operates at both hardware and software levels, monitoring memory usage to prevent exploits like buffer overflow attacks.

DEP offers several benefits, including reducing the risk of malware infections, improving system stability by preventing crashes caused by faulty programs, and enhancing overall security. While most modern applications are DEP-compatible, older or poorly optimized ones may require exceptions or specific configurations. DEP can be managed globally or on a per-application basis, allowing IT administrators to maintain security without disrupting critical services.

How does DEP work

Data Execution Prevention (DEP) works by preventing code from running in certain regions of a computer’s memory that are intended only for storing data. This is a key defense against attacks like buffer overflows, where malicious code is injected into memory regions reserved for data and then executed.

Software

Software-enforced DEP operates within the Windows operating system and monitors how applications use memory. It ensures processes comply with memory protection policies by using mechanisms like Safe Structured Exception Handling (SafeSEH) to prevent malicious code from exploiting exception handling mechanisms. While software-enforced DEP adds an extra layer of security, it’s generally less effective than hardware-enforced DEP. It helps block unsafe memory usage patterns and can stop poorly written or malicious applications from executing code in areas designated for data storage.


Hardware

Hardware-enforced DEP relies on the processor to mark specific memory pages as non-executable, ensuring that no code can run from those regions. This method utilizes the CPU’s No-Execute (NX) bit to mark memory areas intended for data storage as non-executable. It’s the most secure form of DEP and is supported by most modern processors. If a program attempts to run code in these regions, the CPU blocks it, effectively preventing malicious or unauthorized code from executing. Hardware-based DEP is enabled by default on modern processors, providing a robust layer of protection against memory-based attacks.
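
To see whether hardware-enforced DEP is available and which system-wide policy is in effect, the following added example (not part of the original article) combines the Win32_OperatingSystem WMI class with the Exploit protection system default. It assumes a Windows version that ships the Get-ProcessMitigation cmdlet; the function name Get-DepStatus is made up for this example.

```powershell
# Added example: report system-wide DEP status and flag weak settings.
function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy is a numeric code; map it to its name.
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    # System default from Windows Security > App & browser control > Exploit protection.
    # Values are ON, OFF or NOTSET (NOTSET = Windows default applies).
    $sysDep = "$((Get-ProcessMitigation -System).Dep.Enable)"

    $findings = @()
    if (-not $os.DataExecutionPrevention_Available) {
        $findings += 'Hardware DEP (NX) is not available or is disabled in firmware'
    }
    if ($policy -eq 'AlwaysOff') {
        $findings += 'Boot policy is AlwaysOff: DEP is disabled for all processes'
    }
    if ($policy -eq 'OptIn') {
        $findings += 'Boot policy is OptIn: only Windows components and opted-in 32-bit apps are covered'
    }
    if ($sysDep -eq 'OFF') {
        $findings += 'Exploit protection system setting for DEP is OFF'
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        SupportPolicy        = $policy
        DepForDrivers        = [bool]$os.DataExecutionPrevention_Drivers
        DepFor32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
        ExploitProtectionDep = $sysDep
        Findings             = $findings
    }
}

Get-DepStatus | Format-List
```

An empty Findings list means hardware DEP is available and neither the boot policy nor Exploit protection has switched it off.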

DEP compatibility considerations  

While DEP is a powerful security feature that enhances system protection, there are a few considerations. Some older, less compatible applications may not function correctly with DEP enabled, requiring exceptions to be made for specific programs. Additionally, while DEP is generally effective, advanced attackers may find ways to bypass its protections. Whilst the performance impact of DEP is typically minimal, it’s important to monitor for any issues.

Data Execution Prevention Best Practices 

Data Execution Prevention (DEP) is a crucial security feature that helps safeguard a Windows system from malicious attacks by preventing unauthorized code execution in protected memory areas. Understanding and configuring DEP properly can significantly improve a system’s security and reduce the risk of malware infections.

Server hardening is closely connected to DEP, focusing on minimizing potential vulnerabilities. Server hardening involves tightening the security of the operating system by disabling unnecessary services, closing open ports, and enforcing strict security policies, including DEP. This layered approach strengthens the overall security posture, making it harder for attackers to exploit weaknesses, ensuring the stability and integrity of critical systems.

Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.
