Understanding Get-SpeculationControlSettings PowerShell script output


Summary


To help customers verify the status of speculative execution side channel mitigations, Microsoft has published a PowerShell script that customers can run on their systems. This topic explains how to run the script and what the output means.

Advisories adv180002, adv180012, and adv180018 cover five vulnerabilities:

  • CVE-2017-5715 (branch target injection)
  • CVE-2017-5753 (bounds check bypass)
  • CVE-2017-5754 (rogue data cache load)
  • CVE-2018-3639 (speculative store bypass)
  • CVE-2018-3620 (L1 terminal fault – OS)

Protection for CVE-2017-5753 (bounds check) does not require additional registry settings or firmware updates. This topic provides details on the PowerShell script that helps determine the state of the mitigations for CVE-2017-5715, CVE-2017-5754, CVE-2018-3639, and CVE-2018-3620, which require additional registry settings and, in some cases, firmware updates.

More information


Install and run the script by running the following commands:

PowerShell verification using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)

Install the PowerShell module

PS> Install-Module SpeculationControl

Run the PowerShell module to validate the protections are enabled

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> Import-Module SpeculationControl

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

PowerShell verification using a download from TechNet (earlier OS versions/earlier WMF versions)

Install the PowerShell module from TechNet ScriptCenter

  1. Go to https://aka.ms/SpeculationControlPS.
  2. Download SpeculationControl.zip to a local folder.
  3. Extract the contents to a local folder, for example C:\ADV180002

Run the PowerShell module to validate that the protections are enabled

Start PowerShell, and then (using the example folder above) copy and run the following commands:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> CD C:\ADV180002\SpeculationControl

PS> Import-Module .\SpeculationControl.psd1

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser


The output of this PowerShell script will resemble the following. Enabled protections appear in the output as “True.”

PS C:\> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False
Windows OS support for PCID optimization is enabled: False

Speculation control settings for CVE-2018-3639 [speculative store bypass]

Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass mitigation is present: False
Windows OS support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is enabled system-wide: False

Speculation control settings for CVE-2018-3620 [L1 terminal fault]

Hardware is vulnerable to L1 terminal fault: True
Windows OS support for L1 terminal fault mitigation is present: True
Windows OS support for L1 terminal fault mitigation is enabled: True



BTIHardwarePresent: False
BTIWindowsSupportPresent: True
BTIWindowsSupportEnabled: False
BTIDisabledBySystemPolicy: True
BTIDisabledByNoHardwareSupport: True
KVAShadowRequired: True
KVAShadowWindowsSupportPresent: False
KVAShadowWindowsSupportEnabled: False
KVAShadowPcidEnabled: False
SSBDWindowsSupportPresent: True
SSBDHardwareVulnerablePresent: True
SSBDHardwarePresent: True
SSBDWindowsSupportEnabledSystemWide: False
L1TFHardwareVulnerable: True
L1TFWindowsSupportPresent: True
L1TFWindowsSupportEnabled: True
L1TFInvalidPteBit: 45
L1DFlushSupported: False

The final block of Name: Value lines carries the same information as the descriptive lines before it. It appears because PowerShell prints the object that the function returns, and each property of that object corresponds to one descriptive line. The following table explains each line.

Output

Explanation

Speculation control settings for CVE-2017-5715 [branch target injection]

This section provides system status for variant 2, CVE-2017-5715, branch target injection.

Hardware support for branch target injection mitigation is present

Maps to BTIHardwarePresent. This line tells you if hardware features are present to support the branch target injection mitigation. The device OEM is responsible for providing the updated BIOS/firmware that contains the microcode provided by CPU manufacturers. If this line is True, the required hardware features are present. If the line is False, the required hardware features are not present, and therefore the branch target injection mitigation cannot be enabled.

Note: BTIHardwarePresent will be True in guest VMs if the OEM update has been applied to the host and guidance is followed.

Windows OS support for branch target injection mitigation is present

Maps to BTIWindowsSupportPresent. This line tells you if Windows operating system support is present for the branch target injection mitigation. If it is True, the operating system supports enabling the branch target injection mitigation (and therefore has the January 2018 update installed). If it is False, the January 2018 update has not been installed on the system, and the branch target injection mitigation cannot be enabled.

Note: If a guest VM cannot detect the host hardware update, BTIWindowsSupportEnabled will always be False.

Windows OS support for branch target injection mitigation is enabled

Maps to BTIWindowsSupportEnabled. This line tells you if Windows operating system support is enabled for the branch target injection mitigation. If it is True, hardware support and OS support for the branch target injection mitigation are enabled for the device, thus protecting against CVE-2017-5715. If it is False, one of the following conditions is true:

  • Hardware support is not present.
  • OS support is not present.
  • The mitigation has been disabled by system policy.

Windows OS support for branch target injection mitigation is disabled by system policy

Maps to BTIDisabledBySystemPolicy. This line tells you if the branch target injection mitigation has been disabled by system policy (such as an administrator-defined policy). System policy refers to the registry controls as documented in KB 4072698. If it is True, the system policy is responsible for disabling the mitigation. If it is False, the mitigation is disabled by a different cause.

Windows OS support for branch target injection mitigation is disabled by absence of hardware support

Maps to BTIDisabledByNoHardwareSupport. This line tells you if the branch target injection mitigation has been disabled due to the absence of hardware support. If it is True, the absence of hardware support is responsible for disabling the mitigation. If it is False, the mitigation is disabled by a different cause.

Note: If a guest VM cannot detect the host hardware update, BTIDisabledByNoHardwareSupport will always be True.

Speculation control settings for CVE-2017-5754 [rogue data cache load]

This section provides summary system status for variant 3, CVE-2017-5754, rogue data cache load. The mitigation for this is known as kernel Virtual Address (VA) shadow or the rogue data cache load mitigation.

Hardware requires kernel VA shadowing

Maps to KVAShadowRequired. This line tells you if the hardware is vulnerable to CVE-2017-5754. If it is True, the hardware is believed to be vulnerable to CVE-2017-5754. If it is False, the hardware is known to not be vulnerable to CVE-2017-5754.

Windows OS support for kernel VA shadow is present

Maps to KVAShadowWindowsSupportPresent. This line tells you if Windows operating system support for the kernel VA shadow feature is present. If it is True, the January 2018 update is installed on the device, and kernel VA shadow is supported. If it is False, the January 2018 update is not installed, and kernel VA shadow support does not exist.

Windows OS support for kernel VA shadow is enabled

Maps to KVAShadowWindowsSupportEnabled. This line tells you if the kernel VA shadow feature has been enabled. If it is True, the hardware is believed to be vulnerable to CVE-2017-5754, Windows operating system support is present, and the feature has been enabled. The kernel VA shadow feature is currently enabled by default on client versions of Windows and is disabled by default on versions of Windows Server. If it is False, either Windows operating system support is not present, or the feature has not been enabled.

Windows OS support for PCID performance optimization is enabled

Note: PCID is not required for security. It only indicates if a performance improvement is enabled. PCID is not supported with Windows Server 2008 R2.

Maps to KVAShadowPcidEnabled. This line tells you if an additional performance optimization has been enabled for kernel VA shadow. If it is True, kernel VA shadow is enabled, hardware support for PCID is present, and PCID optimization for kernel VA shadow has been enabled. If it is False, either the hardware or the OS may not support PCID. It is not a security weakness for the PCID optimization to not be enabled.

Windows OS support for Speculative Store Bypass Disable is present

Maps to SSBDWindowsSupportPresent. This line tells you if Windows operating system support for Speculative Store Bypass Disable is present. If it is True, the January 2018 update is installed on the device, and kernel VA shadow is supported. If it is False, the January 2018 update is not installed, and kernel VA shadow support does not exist.

Hardware requires Speculative Store Bypass Disable

Maps to SSBDHardwareVulnerablePresent. This line tells you if the hardware is vulnerable to CVE-2018-3639. If it is True, the hardware is believed to be vulnerable to CVE-2018-3639. If it is False, the hardware is known to not be vulnerable to CVE-2018-3639.

Hardware support for Speculative Store Bypass Disable is present

Maps to SSBDHardwarePresent. This line tells you if hardware features are present to support Speculative Store Bypass Disable. The device OEM is responsible for providing the updated BIOS/firmware that contains the microcode provided by Intel. If this line is True, the required hardware features are present. If the line is False, the required hardware features are not present, and therefore Speculative Store Bypass Disable cannot be turned on.

Note: SSBDHardwarePresent will be True in guest VMs if the OEM update has been applied to the host.

Windows OS support for Speculative Store Bypass Disable is turned on

Maps to SSBDWindowsSupportEnabledSystemWide. This line tells you if Speculative Store Bypass Disable has been turned on in the Windows operating system. If it is True, hardware support and OS support for Speculative Store Bypass Disable are on for the device, preventing a Speculative Store Bypass from occurring, thus eliminating the security risk completely. If it is False, one of the following conditions is true:

  • Hardware support is not present.
  • OS support is not present.
  • Speculative Store Bypass Disable has not been turned on via registry keys. See the following articles for instructions on how to turn it on:

Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Speculation control settings for CVE-2018-3620 [L1 terminal fault]

This section provides summary system status for L1TF (operating system), referred to by CVE-2018-3620. This mitigation ensures that safe page frame bits are used for not-present or invalid page table entries.

Note: this section does not provide a summary of the mitigation status for L1TF (VMM), referred to by CVE-2018-3646.

Hardware is vulnerable to L1 terminal fault

Maps to L1TFHardwareVulnerable. This line tells you if the hardware is vulnerable to L1 Terminal Fault (L1TF, CVE-2018-3620). If it is True, the hardware is believed to be vulnerable to CVE-2018-3620. If it is False, the hardware is known to not be vulnerable to CVE-2018-3620.

Windows OS support for L1 terminal fault mitigation is present

Maps to L1TFWindowsSupportPresent. This line tells you if Windows operating system support for the L1 Terminal Fault (L1TF) operating system mitigation is present. If it is True, the August 2018 update is installed on the device, and the mitigation for CVE-2018-3620 is present. If it is False, the August 2018 update is not installed, and the mitigation for CVE-2018-3620 is not present.

Windows OS support for L1 terminal fault mitigation is enabled

Maps to L1TFWindowsSupportEnabled. This line tells you if the Windows operating system mitigation for L1 Terminal Fault (L1TF, CVE-2018-3620) is enabled. If it is True, the hardware is believed to be vulnerable to CVE-2018-3620, Windows operating system support for the mitigation is present, and the mitigation has been enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation has not been enabled.

The following output is expected for a computer with all mitigations enabled, along with what is needed to satisfy each condition.

BTIHardwarePresent: True -> apply OEM BIOS/firmware update
BTIWindowsSupportPresent: True -> install January 2018 update
BTIWindowsSupportEnabled: True -> on client, no action required. On server, follow guidance.
BTIDisabledBySystemPolicy: False -> ensure not disabled by policy.
BTIDisabledByNoHardwareSupport: False -> ensure OEM BIOS/firmware update is applied.
KVAShadowRequired: True or False -> no action, this is a function of the CPU the computer uses

If KVAShadowRequired is True
KVAShadowWindowsSupportPresent: True -> install January 2018 update
KVAShadowWindowsSupportEnabled: True -> on client, no action required. On server, follow guidance.
KVAShadowPcidEnabled: True or False -> no action, this is a function of the CPU the computer uses

If SSBDHardwareVulnerablePresent is True
SSBDWindowsSupportPresent: True -> install Windows updates as documented in adv180012
SSBDHardwarePresent: True -> install BIOS/firmware update with support for SSBD from your device OEM
SSBDWindowsSupportEnabledSystemWide: True -> follow recommended actions to turn on SSBD

If L1TFHardwareVulnerable is True
L1TFWindowsSupportPresent: True -> install Windows updates as documented in adv180018
L1TFWindowsSupportEnabled: True -> follow actions outlined in adv180018 for Windows Server or Client as appropriate to enable the mitigation
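The following script is added here as an example; it is not part of the Microsoft article or of the SpeculationControl module. It turns the checklist above into a function that evaluates the object returned by Get-SpeculationControlSettings and lists every property that does not match its expected value together with the action the checklist prescribes. The function name Test-SpeculationControlCompliance is this example's own, and the $sample object is constructed from the example output earlier on this page so that the script runs even on a machine where the module is not installed.

```powershell
# Added example (not from the Microsoft article or the SpeculationControl module):
# evaluate a Get-SpeculationControlSettings result against the expected-state checklist.

function Test-SpeculationControlCompliance {
    [CmdletBinding()]
    param(
        # Object returned by Get-SpeculationControlSettings (or a constructed stand-in).
        [Parameter(Mandatory = $true)]
        [psobject] $Settings
    )

    # Unconditional checks: property name, expected value, and the article's remediation text.
    $checks = @(
        @{ Name = 'BTIHardwarePresent';             Expected = $true;  Action = 'Apply the OEM BIOS/firmware update' }
        @{ Name = 'BTIWindowsSupportPresent';       Expected = $true;  Action = 'Install the January 2018 update' }
        @{ Name = 'BTIWindowsSupportEnabled';       Expected = $true;  Action = 'Client: no action. Server: follow the server guidance' }
        @{ Name = 'BTIDisabledBySystemPolicy';      Expected = $false; Action = 'Ensure the mitigation is not disabled by policy' }
        @{ Name = 'BTIDisabledByNoHardwareSupport'; Expected = $false; Action = 'Ensure the OEM BIOS/firmware update is applied' }
    )

    # Conditional checks: only meaningful when the hardware is reported as vulnerable.
    # KVAShadowPcidEnabled is informational (performance only) and is deliberately not checked.
    if ($Settings.KVAShadowRequired) {
        $checks += @{ Name = 'KVAShadowWindowsSupportPresent'; Expected = $true; Action = 'Install the January 2018 update' }
        $checks += @{ Name = 'KVAShadowWindowsSupportEnabled'; Expected = $true; Action = 'Client: no action. Server: follow the server guidance' }
    }
    if ($Settings.SSBDHardwareVulnerablePresent) {
        $checks += @{ Name = 'SSBDWindowsSupportPresent';           Expected = $true; Action = 'Install Windows updates as documented in adv180012' }
        $checks += @{ Name = 'SSBDHardwarePresent';                 Expected = $true; Action = 'Install the OEM BIOS/firmware update with SSBD support' }
        $checks += @{ Name = 'SSBDWindowsSupportEnabledSystemWide'; Expected = $true; Action = 'Follow the recommended actions to turn on SSBD' }
    }
    if ($Settings.L1TFHardwareVulnerable) {
        $checks += @{ Name = 'L1TFWindowsSupportPresent'; Expected = $true; Action = 'Install Windows updates as documented in adv180018' }
        $checks += @{ Name = 'L1TFWindowsSupportEnabled'; Expected = $true; Action = 'Follow the adv180018 actions for Windows Server or Client' }
    }

    foreach ($check in $checks) {
        # A property that an older module version does not emit comes back as $null;
        # it never matches the expected value and is therefore reported as a gap.
        $actual = $Settings.($check.Name)
        $ok     = ($null -ne $actual) -and ($actual -eq $check.Expected)
        $action = if ($ok) { '' } else { $check.Action }
        [pscustomobject]@{
            Setting   = $check.Name
            Expected  = $check.Expected
            Actual    = $actual
            Compliant = $ok
            Action    = $action
        }
    }
}

# Constructed sample mirroring the example output shown earlier in the article.
# It is not the result from any real machine; it only lets the function run offline.
$sample = [pscustomobject]@{
    BTIHardwarePresent                  = $false
    BTIWindowsSupportPresent            = $true
    BTIWindowsSupportEnabled            = $false
    BTIDisabledBySystemPolicy           = $true
    BTIDisabledByNoHardwareSupport      = $true
    KVAShadowRequired                   = $true
    KVAShadowWindowsSupportPresent      = $false
    KVAShadowWindowsSupportEnabled      = $false
    KVAShadowPcidEnabled                = $false
    SSBDWindowsSupportPresent           = $true
    SSBDHardwareVulnerablePresent       = $true
    SSBDHardwarePresent                 = $true
    SSBDWindowsSupportEnabledSystemWide = $false
    L1TFHardwareVulnerable              = $true
    L1TFWindowsSupportPresent           = $true
    L1TFWindowsSupportEnabled           = $true
}

# Use the live object when the module is loaded; otherwise fall back to the constructed sample.
$settings = if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    $sample
}

# Report only the gaps, with the action the checklist prescribes for each.
Test-SpeculationControlCompliance -Settings $settings |
    Where-Object { -not $_.Compliant } |
    Format-Table Setting, Expected, Actual, Action -AutoSize
```

Run against the constructed sample, the report lists BTIHardwarePresent, BTIWindowsSupportEnabled, BTIDisabledBySystemPolicy, BTIDisabledByNoHardwareSupport, the two KVAShadow support properties and SSBDWindowsSupportEnabledSystemWide as non-compliant, which matches a reading of the sample output by hand. Because the function returns objects rather than text, the same output can be exported with Export-Csv for fleet-wide collection.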

The following table maps the output to the registry keys that are covered in Windows Server guidance to protect against speculative execution side-channel vulnerabilities.

Registry key                      Mapping

FeatureSettingsOverride – Bit 0   Branch target injection - BTIWindowsSupportEnabled

FeatureSettingsOverride – Bit 1   Rogue data cache load - KVAShadowWindowsSupportEnabled
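The script below is an added example, not code from the Microsoft article or the SpeculationControl module. It decodes the two FeatureSettingsOverride bits named in the mapping above into a per-mitigation state. Two things it relies on are not stated on this page and are assumptions taken from the KB 4072698 guidance the article references: that a set override bit means the mitigation is disabled, and that a companion FeatureSettingsOverrideMask value selects which bits the override governs. The registry key path is also documented there rather than here, so the reading function takes it as a mandatory parameter instead of defaulting it.

```powershell
# Added example (not from the Microsoft article or the SpeculationControl module):
# decode FeatureSettingsOverride bit 0 (BTI) and bit 1 (kernel VA shadow).
# Assumption from KB 4072698: override bit set = mitigation disabled, and the
# FeatureSettingsOverrideMask bit says whether the override bit is in effect at all.

function ConvertFrom-FeatureSettingsOverride {
    param(
        [Parameter(Mandatory = $true)] [uint32] $Override,      # FeatureSettingsOverride value
        [Parameter(Mandatory = $true)] [uint32] $OverrideMask   # FeatureSettingsOverrideMask value (assumed, see above)
    )

    # Bit positions from the article's mapping table.
    $map = @(
        @{ Bit = 0; Mitigation = 'Branch target injection'; Setting = 'BTIWindowsSupportEnabled' }
        @{ Bit = 1; Mitigation = 'Rogue data cache load';   Setting = 'KVAShadowWindowsSupportEnabled' }
    )

    foreach ($entry in $map) {
        $bitValue = [uint32]1 -shl $entry.Bit
        $managed  = ($OverrideMask -band $bitValue) -ne 0   # mask bit set: registry governs this mitigation
        $disabled = ($Override -band $bitValue) -ne 0       # override bit set: disabled by policy (assumption)

        $state = 'OS default (not set by policy)'
        if ($managed) {
            $state = if ($disabled) { 'disabled by system policy' } else { 'enabled by system policy' }
        }
        [pscustomobject]@{
            Bit        = $entry.Bit
            Mitigation = $entry.Mitigation
            Setting    = $entry.Setting
            State      = $state
        }
    }
}

function Get-FeatureSettingsOverrideState {
    param(
        # Registry key that holds FeatureSettingsOverride; see KB 4072698 for the path.
        # Deliberately not defaulted here because the path is not given on this page.
        [Parameter(Mandatory = $true)] [string] $KeyPath
    )
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    # A value that is absent from the key means "not set"; treat it as zero.
    # DWORDs come back as Int32, so mask to 32 bits before converting to uint32.
    $override = if ($null -ne $props.FeatureSettingsOverride)     { [uint32]($props.FeatureSettingsOverride -band 0xFFFFFFFF) }     else { [uint32]0 }
    $mask     = if ($null -ne $props.FeatureSettingsOverrideMask) { [uint32]($props.FeatureSettingsOverrideMask -band 0xFFFFFFFF) } else { [uint32]0 }
    ConvertFrom-FeatureSettingsOverride -Override $override -OverrideMask $mask
}

# Constructed values (not read from any machine) to show the three possible states:
# 3/3 -> both mitigations disabled by policy; 0/3 -> both enabled by policy; 0/0 -> OS defaults.
ConvertFrom-FeatureSettingsOverride -Override 3 -OverrideMask 3 | Format-Table -AutoSize
ConvertFrom-FeatureSettingsOverride -Override 0 -OverrideMask 3 | Format-Table -AutoSize
ConvertFrom-FeatureSettingsOverride -Override 0 -OverrideMask 0 | Format-Table -AutoSize
```

The decoded State column lines up with the BTIDisabledBySystemPolicy line of the script output: when bit 0 is reported as "disabled by system policy" here, the script's BTIDisabledBySystemPolicy should read True, which makes the two views a useful cross-check when a mitigation is unexpectedly off.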