How to enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows operating systems

Article ID: 956607 - View products that this article applies to.
Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows
(http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs)
.
Expand all | Collapse all

On This Page

Introduction

Windows Vista Service Pack 1, Windows 7, Windows Server 2008 and Windows Server 2008 R2 now include support for Structured Exception Handling Overwrite Protection (SEHOP). This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems.

This article helps you enable this feature.

To have us enable this feature for you, go to the "Enable it for me" section. If you would rather enable this feature yourself, go to the "Let me enable it myself" section.

Note If you are running Windows 7 or Windows Server 2008 R2, go to the " Let me enable it myself" section because the automatic wizard for Windows 7 and for Windows Server 2008 R2 is not available yet.
Back to the top | Give Feedback

Enable it for me

To enable this feature automatically, click the Fix this problem link. Then, click Run in the File Download dialog box, and follow the steps in this wizard.

Fix this problem
Microsoft Fix it 50096


Notes
  • This wizard only applies to Windows Vista Service Pack 1 and Windows Server 2008.
  • This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.
  • If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.
We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me" blog
(http://blogs.technet.com/fixit4me/)
, or send us an e-mail
(mailto:fixit4me@microsoft.com?Subject=KB956607 - Enable Structured Exception Handling Overwrite Protection)
message.
Back to the top | Give Feedback

Let me enable it myself

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756
(http://support.microsoft.com/kb/322756/ )
How to back up and restore the registry in Windows
By default, SEHOP is enabled in Windows Server 2008 R2 and in Windows Server 2008. By default, SEHOP is disabled in Windows 7 and in Windows Vista. To enable SEHOP manually, follow these steps:
  1. Click Start, click Run, type regedit, and then press ENTER.
  2. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation
    Note If you cannot find the DisableExceptionChainValidation registry entry under the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\
    subkey, follow these steps to create it:
    1. Right-click kernel, point to New, and then click DWORD Value.
    2. Type DisableExceptionChainValidation, and then press ENTER.
  3. Double-click DisableExceptionChainValidation.
  4. Change the value of the DisableExceptionChainValidation registry entry to 0 to enable it, and then click OK.

    Note A value of 1 disables the registry entry. A value of 0 enables it.
  5. Exit Registry Editor.

Known Issues

After you enable SEHOP, existing versions of Cygwin, Skype, and Armadillo-protected applications may not work correctly.

Note To resolve this issue, contact the software vendor for an update.
Back to the top | Give Feedback

References

Preventing the exploitation of SEH overwrites

For more information about a technique that you can use to help prevent the exploitation of SEH overwrites, visit the following Uninformed Web site:
http://www.uninformed.org/?v=5&a=2&t=txt
(http://www.uninformed.org/?v=5&a=2&t=txt)
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Back to the top | Give Feedback
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use
(http://go.microsoft.com/fwlink/?LinkId=151500)
for other considerations.
Back to the top | Give Feedback

Properties

Article ID: 956607 - Last Review: June 10, 2011 - Revision: 3.1
APPLIES TO
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Vista Service Pack 1, when used with:
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business
    • Windows Vista Business 64-bit Edition
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Web Server 2008 R2
  • Windows 7 Enterprise
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Starter
  • Windows 7 Ultimate
Keywords: 
kbfixme kbmsifixme kbexpertiseinter kbbug kbsecvulnerability kbsecbulletin kbsecurity kbexpertisebeginner KB956607
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top