An "Expert" (?) Opinion on Data Execution Prevention in SP2

No Execute (NX), aka Data Execution Prevention (DEP), is a new function in XP SP2. You'll find the Windows controls by right-clicking My Computer> Properties> Advanced> Performance section, Settings button> Data Execution Prevention tab. One of the possibilities there is that you can enter programs you DO NOT want interfered with by NX (DEP).

There's a bit of buzz on the forums about the possibility that this new security function can actually slow your computer down. There's a little buzz about the possibility that it might interfere with new game installations.

Here's my take on the whole thing, and it's a careful and sensible take:

NX (DEP) is a worthwhile extra layer of protection, even in the (diluted) software (emulation) version of it for processors that don't offer the hardware possibility, and the speed difference on today's machines is so nearly zero that most users can't tell the difference between ON and OFF in anything other than "Kill-'em-all" games. For those who play such games (I have no games at all on my business machines), exceptions can be entered in the control panel I just referred to.

With a P4 at anywhere over 2 GHz, speed is not really an issue in much of anything: we're usually talking milliseconds. I simply couldn't see any difference at all, when I edited the boot.ini file to the AlwaysOff wording and rebooted five times and tested it. I've put it back the way it was, on the grounds that it MIGHT make a difference in security, and it DOESN'T make a difference in speed of program opening, command execution, or boot/shutdown times for me.

I tried five boots and five sets of program openings and complex commands -- macros in Word, Compress All Folders in Eudora (I saved 'em first, and kept substituting the old ones for the packed ones), Delete the last Restore Point, Create a new Restore Point -- and just didn't perceive any difference in speed at all. My boots are all under five bar-passes, and my shutdowns are as fast as I'll ever need them to be.

So my "computing-consultant's view" is that it's a good idea to leave NX (DEP) in place, set the way SP2 set it in the <Root>\boot.ini file. You can read about it here, and you can easily edit the boot.ini file for yourself, and reboot and test various speeds for yourself.

I think that speed is not really an issue, on today's XP machines, but security is a major, major issue, and anything that helps me keep my machine lean, mean, clean, and business-ready is fine by me. I'm leaving DEP set ON (that's with this in boot.ini: /NoExecute=OptIn), for the POSSIBLE extra protection and the NEGLIGIBLE speed difference.

Leave it alone, I say.

 

Thanks for the insight, although I haven't experienced any slowdowns on my two computers that are running SP2.

 

I forgot to put the link in my post, after "You can read about it here ..."

http://support.microsoft.com/default.aspx?kbid=875352&product=windowsxpsp2

(You have to go way down the page to get to the instructions for disabling DEP completely.)

 

Great read, wiz.