Enable or Disable Kernel-mode Hardware-enforced Stack Protection in Windows 11

This tutorial will show you how to enable or disable Kernel-mode Hardware-enforced Stack Protection for all users in Windows 11.

Core isolation is a security feature of Microsoft Windows that protects important core processes of Windows from malicious software by isolating them in memory. It does this by running those core processes in a virtualized environment that the hypervisor keeps separate from the rest of the operating system.

Hardware-enforced Stack Protection offers robust protection against Return Oriented Programming (ROP) exploits because the CPU keeps a protected record (a shadow stack) of the return addresses a program is expected to return to, so a return address that an attacker overwrote on the normal stack no longer matches the record.

The Kernel Mode Hardware Enforced Stack Protection security feature is applicable to Windows 11, version 22H2 and above, and provides additional security enhancement for kernel code.

For code running in kernel mode, the CPU confirms requested return addresses with a second copy of the address stored in the shadow stack to prevent attackers from substituting an address that runs malicious code instead.

Kernel-mode Hardware-enforced Stack Protection requires:
  • CPU: an Intel 11th Gen (Tiger Lake) or later processor that supports Control-flow Enforcement Technology (CET), or an AMD Zen 3 Ryzen or later processor that supports AMD shadow stacks.
  • CPU virtualization turned on
  • Memory Integrity turned on.
Reference: KB5026372 (OS Build 22621.1702) adds more drivers to the database of drivers that are not compatible with Kernel-mode Hardware-enforced Stack Protection. A device uses this database when you enable the Kernel-mode Hardware-enforced Stack Protection security feature in the Windows Security UI and it loads the drivers.

You must be signed in as an administrator to enable or disable Kernel-mode Hardware-enforced Stack Protection.


Not all drivers are compatible with the Kernel Mode Hardware Enforced Stack Protection security feature. A loaded driver that is not compatible will keep the feature from running even though it is turned on; the driver database referenced above is what Windows uses to warn you about such drivers when you enable the feature.
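Before turning the feature on or off, it helps to know whether the prerequisites above are actually met and whether the feature is currently running, not just configured. The following PowerShell script is an added example (not part of the original tutorial) that reads the Win32_DeviceGuard WMI class and the registry switches used later in this tutorial. The numeric service codes it checks (2 = Memory Integrity/HVCI, 5 = Kernel-mode Hardware-enforced Stack Protection, 6 = the same feature in audit mode) are taken from Microsoft's documentation of Win32_DeviceGuard and are an assumption of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original tutorial: report the state of
# Kernel-mode Hardware-enforced Stack Protection (KMSS) and its prerequisites.
# Assumes the Win32_DeviceGuard class in root\Microsoft\Windows\DeviceGuard and
# the registry paths used by the tutorial's REG files. The service codes below
# follow Microsoft's documented meanings for SecurityServicesRunning/Configured.

function Get-KernelShadowStackStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Service codes: 2 = HVCI (Memory Integrity), 5 = KMSS, 6 = KMSS audit mode.
    $running    = @($dg.SecurityServicesRunning)
    $configured = @($dg.SecurityServicesConfigured)

    # Registry switches written by the tutorial's Enable/Disable REG files.
    $scenarios = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios'
    $hvciKey   = Join-Path $scenarios 'HypervisorEnforcedCodeIntegrity'
    $kssKey    = Join-Path $scenarios 'KernelShadowStacks'
    $hvciReg   = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $kssReg    = (Get-ItemProperty -Path $kssKey  -Name Enabled -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 2 means VBS is running.
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        MemoryIntegrityRunning = ($running    -contains 2)
        KmssConfigured         = ($configured -contains 5)
        KmssRunning            = ($running    -contains 5)
        KmssAuditMode          = ($running    -contains 6)
        HvciRegistryEnabled    = ($hvciReg -eq 1)
        KmssRegistryEnabled    = ($kssReg  -eq 1)
    }
}

$status = Get-KernelShadowStackStatus
$status | Format-List

# The interesting case: the registry says "on" but the service is not running.
# After a reboot that usually means a prerequisite is missing (VBS/Memory
# Integrity not running, unsupported CPU) or an incompatible driver blocked it.
if ($status.KmssRegistryEnabled -and -not $status.KmssRunning) {
    Write-Warning ('Kernel-mode Hardware-enforced Stack Protection is configured but not running; ' +
                   'check Memory Integrity, CPU support and incompatible drivers under ' +
                   'Windows Security > Device security > Core isolation details.')
}
```

If MemoryIntegrityRunning is false, the Windows Security toggle in Option One will be grayed out, which is the same condition the note in step 3 describes.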




Contents

  • Option One: Turn On or Off Kernel-mode Hardware-enforced Stack Protection in Windows Security
  • Option Two: Turn On or Off Kernel-mode Hardware-enforced Stack Protection using REG file




Option One

Turn On or Off Kernel-mode Hardware-enforced Stack Protection in Windows Security


1 Open Windows Security.

2 Click/tap on Device security on the left side, and click/tap on the Core isolation details link on the right side. (see screenshot below)

Kernel_Mode_Hardware_Enforced_Stack_Protection-1.png

3 Turn on (default) or off Kernel-mode Hardware-enforced Stack Protection for what you want. (see screenshots below)

The Kernel-mode Hardware-enforced Stack Protection setting will be grayed out and disabled if Memory Integrity is turned off.


4 If prompted by UAC, click/tap on Yes to approve.

5 Restart the computer to apply.

Kernel_Mode_Hardware_Enforced_Stack_Protection-2.png
Kernel_Mode_Hardware_Enforced_Stack_Protection-3.png





Option Two

Turn On or Off Kernel-mode Hardware-enforced Stack Protection using REG file


1 Do step 2 (on) or step 3 (off) below for what you want.

2 Turn On Kernel-mode Hardware-enforced Stack Protection

This is the default setting.

This will also turn on the required Memory Integrity feature.


A) Click/tap on the Download button below to download the REG file, and go to step 4 below.

Enable_Kernel_Mode_Hardware_Enforced_Stack_Protection.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks]
"Enabled"=dword:00000001
"WasEnabledBy"=dword:00000002

3 Turn Off Kernel-mode Hardware-enforced Stack Protection

A) Click/tap on the Download button below to download the REG file, and go to step 4 below.

Disable_Kernel_Mode_Hardware_Enforced_Stack_Protection.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks]
"Enabled"=dword:00000000
"WasEnabledBy"=-

4 Save the .reg file to your desktop.

5 Double click/tap on the downloaded .reg file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 Restart the computer to apply.

8 You can now delete the downloaded .reg file if you like.
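The two REG files above can also be applied from an elevated PowerShell prompt, which is convenient when the change has to be scripted or read back afterwards. The script below is an added example and is not part of the original tutorial or one of its downloads; it writes exactly the keys and values shown in the REG files (including WasEnabledBy=2, which is written because the Enable REG file writes it, and the deletion of WasEnabledBy on disable, which is what "WasEnabledBy"=- does in a REG file). A restart is still required for the change to take effect.

```powershell
# Added example, not from the original tutorial: apply the same registry
# changes as the Enable/Disable REG files above with PowerShell.
# Assumes the key paths and values shown in those REG files. Run elevated.

#Requires -RunAsAdministrator

function Set-KernelShadowStacks {
    param(
        [Parameter(Mandatory)]
        [bool]$Enable
    )

    $scenarios = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios'
    $hvciKey   = Join-Path $scenarios 'HypervisorEnforcedCodeIntegrity'
    $kssKey    = Join-Path $scenarios 'KernelShadowStacks'

    foreach ($key in @($hvciKey, $kssKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    if ($Enable) {
        # KMSS depends on Memory Integrity (HVCI), so the Enable REG file turns
        # that on as well; mirror it here.
        Set-ItemProperty -Path $hvciKey -Name Enabled      -Type DWord -Value 1
        Set-ItemProperty -Path $kssKey  -Name Enabled      -Type DWord -Value 1
        Set-ItemProperty -Path $kssKey  -Name WasEnabledBy -Type DWord -Value 2
    }
    else {
        # The Disable REG file touches only the KernelShadowStacks scenario and
        # leaves Memory Integrity as it is; "WasEnabledBy"=- deletes that value.
        Set-ItemProperty -Path $kssKey -Name Enabled -Type DWord -Value 0
        Remove-ItemProperty -Path $kssKey -Name WasEnabledBy -ErrorAction SilentlyContinue
    }

    # Read back what was written so the caller can confirm it before rebooting.
    Get-ItemProperty -Path $kssKey | Select-Object Enabled, WasEnabledBy
}

# Usage (then restart to apply):
#   Set-KernelShadowStacks -Enable $true
#   Set-KernelShadowStacks -Enable $false
#   Restart-Computer
```

After the restart, the Core isolation page in Windows Security (Option One) shows whether the feature is actually running; the registry value alone only records what was requested.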


That's it,
Shawn Brink
Hey Shawn, I just posted this in 12 Forums too:

I'm betting for Win12 the "supported" CPUs will need to be:
  • CPU: Intel Tiger Lake (11th Gen) and beyond supports Control-Flow Enforcement Technology (CET), or AMD Zen 3 Ryzen and beyond that supports AMD shadow stacks.

Because of the new Kernel-mode Hardware-enforced Stack Protection they added to Win11, but on older supported CPUs that doesn't show up (like my 9900K).

Of course, I still think an MPU (Memory Protection Unit) will be required too.
Stuff like this is why I did not do a 13900K build, because I'm waiting to see what CPU requirements will be needed to get maximal protection with the upcoming Win12 (I actually only do a new system build when security is improved ;-) )
