BIOS – Execution Prevention (enabled)

Checking F12 access to the BIOS on this Vista-Biz / Lenovo R61 laptop. After entering the BIOS, I found a section titled “Execution Prevention” and typed out what the item-specific help says.

Item specific help – ENABLED: If your OS supports Data Execution Prevention, this setting can prevent virus/worm attacks that create memory buffer overflows by running code where only data is allowed.

DISABLED: = Normal state

Note: reset to disabled if your required applications can’t run.

MIGHT – BE; (technology) unnecessary AND; reducing performance. Before DISABLING this feature, I have a need to create a LUA (Limited User Account) – and transfer/move the current working data-directory to that account, as this current account has Admin privileges, with all the UAC controls still active, and using the OS-default group policy settings.

GOOGLED – data execution prevention

Key words from the BIOS – ‘running code where only data is allowed’ – (nice concept) – what’s it mean for the end-user like me?


  • Data Execution Prevention (DEP) is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example.
  • DEP runs in two modes: hardware-enforced DEP for CPUs that can mark memory pages as nonexecutable, and software-enforced DEP with a limited prevention for CPUs that do not have hardware support.
  • Software-enforced DEP does not protect from execution of code in data pages, but instead from another type of attack (SEH overwrite).
  • Hardware enforcement – Hardware-enforced DEP enables the NX bit on compatible CPUs, through the automatic use of PAE kernel in 32-bit Windows and the native support on 64-bit kernels. Windows Vista DEP works by marking certain parts of memory as being intended to hold only data, which the NX or XD bit enabled processor then understands as non-executable. This helps prevent buffer overflow attacks from succeeding. In Windows Vista, the DEP status for a process, that is, whether DEP is enabled or disabled for a particular process, can be viewed on the Processes tab in the Windows Task Manager.


#1: –

[QUOTED TEXT; from #1:] – Unlike a firewall or antivirus program though, Data Execution Prevention (DEP) does NOT help prevent harmful programs from being installed on your computer. Instead, it monitors your programs to determine if they use system memory SAFELY. To do this, DEP software works alone or with compatible processors to mark some memory locations as “non-executable”. If a program tries to run code – malicious or not – from a protected location, DEP closes the program and notifies you with a warning message. [ENDs Quoted text]

#2: –

[#2: – QUOTED; pasted below] –
Good news is that you can disable or turn off Data Execution Prevention (DEP) globally in Windows Vista. To stop the DEP protection, launch an elevated command prompt shell with administrative privileges and credentials (log on to Windows Vista with a user account with administrator rights, and then right click on Command Prompt icon and select “Run as Administrator”, or turn off UAC). Then execute the following command:

bcdedit.exe /set {current} nx AlwaysOff

If you regret your decision and now want to enable or turn back on the DEP protection for your Windows Vista, simply use the following command instead:

bcdedit.exe /set {current} nx AlwaysOn
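
An added example, not part of the original post or its quoted sources: a PowerShell check that reports the DEP policy the running system is enforcing (from the `Win32_OperatingSystem` WMI class) and compares it with the `nx` value stored in the boot entry that the `bcdedit` commands above change. The function name `Get-DepPolicy` is hypothetical, and the `bcdedit` cross-check assumes an elevated prompt.

```powershell
# Added example (not from the original post). Get-DepPolicy is a hypothetical helper name.
function Get-DepPolicy {
    # Get-WmiObject is used so the check also runs on older PowerShell versions.
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Documented values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $raw   = $os.DataExecutionPrevention_SupportPolicy
    if ($null -eq $raw) { $policy = 'Unknown' } else { $policy = $names[[int]$raw] }
    if (-not $policy)   { $policy = "Unknown ($raw)" }

    $result = New-Object PSObject
    $result | Add-Member -MemberType NoteProperty -Name Computer             -Value $os.CSName
    $result | Add-Member -MemberType NoteProperty -Name HardwareDepAvailable -Value ([bool]$os.DataExecutionPrevention_Available)
    $result | Add-Member -MemberType NoteProperty -Name Policy               -Value $policy
    $result | Add-Member -MemberType NoteProperty -Name Covers32BitApps      -Value ([bool]$os.DataExecutionPrevention_32BitApplications)
    $result | Add-Member -MemberType NoteProperty -Name CoversDrivers        -Value ([bool]$os.DataExecutionPrevention_Drivers)
    $result
}

$dep = Get-DepPolicy
$dep | Format-List

# Hardware DEP depends on the CPU's NX/XD bit, which the BIOS setting exposes.
if (-not $dep.HardwareDepAvailable) {
    Write-Warning 'Hardware DEP is not available: check the BIOS "Execution Prevention" setting and CPU NX/XD support.'
}

switch ($dep.Policy) {
    'AlwaysOff' { Write-Warning 'DEP is disabled for every process.' }
    'OptIn'     { Write-Output  'DEP covers Windows system binaries and programs that opt in.' }
    'OptOut'    { Write-Output  'DEP covers all processes except those on the exception list.' }
    'AlwaysOn'  { Write-Output  'DEP covers all processes, with no exceptions.' }
}

# Cross-check the value stored in the boot entry (needs elevation).
# The braces are quoted because PowerShell would otherwise parse {current} as a script block.
$bootNx = $null
foreach ($line in (bcdedit.exe /enum '{current}' 2>$null)) {
    if ($line -match '^nx\s+(\S+)') { $bootNx = $matches[1] }
}

# WMI shows what is enforced now; the boot entry shows what applies after the next restart.
if ($bootNx -and $bootNx -ne $dep.Policy) {
    Write-Warning "Boot entry has nx=$bootNx but the running policy is $($dep.Policy); the change applies after a reboot."
}
```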


About grdanson

Maintainer and Administrator