Hi all, I'd like to automatically exclude a program I'm packaging from DEP (data execution prevention). So far I've tried generating an sdb file with the ACT and applying it with secedit, and also trying "install" within the ACT itself. Although it says it's successful, the program doesn't show up in the exclusion list. Also, secedit /configure /db database.sdb gets an error even though I've followed all the online instructions I found from msft.

This is supremely F***king annoying, has anybody else done this? ACT and secedit have got to be the most user unfriendly admin tools ever! Am I missing something? So far, the ACT seems pretty much completely worthless.

Answers

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
1
We always add a registry key to the package to be found in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\<path to exe>
Answered 01/27/2009 by: pgiesbergen
Orange Belt

0
Man, if this works by itself I'm gonna rate you good and if that is the case I wonder why all these technet articles have you jump thru hoops with the ACT....I shall see and post results to the thread.
Answered 01/27/2009 by: aogilmor
Ninth Degree Black Belt

0
OK tried looking in the registry and here's something weird, when I use ACT to "install" the database there is an entry that appears in the registry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\TNTAgent.exe (the name of the exe I'm trying to exclude from DEP) yet when I look at sysdm.cpl under advanced/performance/DEP it's still not excluded. Also, with your example how do you implement it? I tried putting it in an MSI, checked the values and it didn't get written... Man, I've probably been here too long, thanks, hopefully get this tomorrow.

Thanks!
Answered 01/27/2009 by: aogilmor
Ninth Degree Black Belt

0
Just add your application to the DEP exclusion list in sysdm.cpl, then add the regkey created through this,
HKLM\..\TNTAgent.exe with value DisableNXShowUI

That is really all you need to do. Hope it works!
Answered 01/28/2009 by: pgiesbergen
Orange Belt

2
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="DisableNXShowUI"

Copy the above into a .reg file and that will work for you.

P
Answered 01/28/2009 by: Inabus
Second Degree Green Belt

0
ORIGINAL: Inabus
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="DisableNXShowUI"

Copy the above into a .reg file and that will work for you.

OK update - here was the problem, I was testing a 32-bit app on an x64 system so it had to go here,
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags, and also in the above key for x86 platforms. Thanks all for your suggestions. I knew I wasn't crazy!!!! :)
Answered 01/28/2009 by: aogilmor
Ninth Degree Black Belt
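
The registry-view split described in the post above is also what an audit of DEP opt-outs has to account for. The following is an added example, not code from the thread or from any poster: it assumes PowerShell 3 or later on .NET 4 or later, and it only reads the `Layers` key named in the thread, in both the native and the 32-bit view, to report which executables carry `DisableNXShowUI`.

```powershell
# Added audit example: list executables that carry the DisableNXShowUI layer in
# the native and the 32-bit (Wow6432Node) registry views. Read-only.
# Assumes PowerShell 3+ / .NET 4+ (RegistryKey.OpenBaseKey, [pscustomobject]).
$subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$hive   = [Microsoft.Win32.RegistryHive]::LocalMachine

$found = foreach ($viewName in 'Registry64', 'Registry32') {
    # Opening an explicit view avoids WOW64 redirection, so the result is the
    # same whether this runs in a 32-bit or a 64-bit PowerShell host.
    # On a 32-bit OS both views resolve to the same key.
    $view = [Microsoft.Win32.RegistryView]$viewName
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
    try {
        $key = $base.OpenSubKey($subKey)      # $null when the key is absent
        if ($null -eq $key) { continue }
        foreach ($exe in $key.GetValueNames()) {
            if (-not $exe) { continue }       # skip the unnamed default value
            # The value data is a space-separated list of compatibility layers.
            $layers = [string]$key.GetValue($exe)
            if (($layers -split '\s+') -contains 'DisableNXShowUI') {
                [pscustomobject]@{ View = $viewName; Exe = $exe; Layers = $layers }
            }
        }
        $key.Close()
    } finally {
        $base.Close()
    }
}

# One row per executable: which view(s) hold the entry, and whether the file
# it names is still on disk (a stale entry would apply to any later file there).
$found | Group-Object Exe | ForEach-Object {
    [pscustomobject]@{
        Exe        = $_.Name
        Views      = ($_.Group.View | Sort-Object -Unique) -join ','
        FileExists = Test-Path -LiteralPath $_.Name
    }
} | Sort-Object Exe | Format-Table -AutoSize
```

An entry that appears in only one view on an x64 machine is the situation the post describes; confirm the effective DEP state of the running process with Process Explorer, as later posts in the thread do.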

0
Hello - I have a strange problem with DEP and these registry values. My company has a home grown app, which is installed into two folders. One copy is under C:\Program Files\App\Prod\app.exe and the other is C:\Program Files\App\Devl\app.exe. The "app.exe" file name is identical in both the Prod and Devl folders. The app is basically the same except for the INI file it uses, which points it at a prod or development environment.

The problem is simply adding the registry values to exclude these two from DEP only works for the Devl app. The Prod app will not work, unless I go through the Control Panel applet and re-add it manually. I do not see any typo or other difference between what we are trying to script in the install versus what happens when we manually re-add it to the DEP exception list.

This is what I am adding at install:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Program Files\\App\\Prod\\App.exe"="DisableNXShowUI"
"C:\\Program Files\\App\\Devl\\App.exe"="DisableNXShowUI"

I am puzzled by the scenario where manually re-adding it makes this work. That must mean there is a setting somewhere that I need to add, but everywhere I read, including this posting, says it's just as simple as adding these values. I cannot see what that would be though. Also, why would the Devl app work when Prod does not using this simple method? The app crashes with an exception error if DEP is active. I also have confirmed the DEP status is enabled for the Prod app using Process Explorer at run time.

Does anyone know what I am missing here or have ideas?

Thanks
Answered 03/16/2009 by: bspies
Senior Yellow Belt

0
I am not sure why one would be added and another not. Are they identical EXE files? If so maybe Windows does some bit checking and sees identical files and doesn't add it. Definitely adding the reg key worked for me though.
Answered 03/16/2009 by: aogilmor
Ninth Degree Black Belt

0
Y'all gotta help me - I'm new to this forum but registered because nowhere else on the web does anyone address the issue I'm having:

I've got all our boot.ini files set with /noexecute=optout, and there's one app that doesn't work with DEP (ISIS Pro scanning software). So I added it as an exclusion via a regedit:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\DocuWare\\ISIS PRO.exe"="DisableNXShowUI"

and pushed the registry change via GPO. This ADDED the exe name to the exceptions list (Sys Properties, Performance Options, DEP tab) with a little check in the box and everything. Only problem is, the software does NOT behave as though it is excluded from DEP: I have even used Process Explorer (MS Sysinternals) to verify that despite being added to the exceptions list, ISIS Pro is running with DEP enabled.

You know how we fix it? Log into each machine as an admin, UNCHECK the box (apply), and RECHECK the box (apply again).

Any clue as to why the registry setting that worked for so many others is giving me the bird? I'm baffled that the system seems to think this exception has been made, yet behavior does not reflect registry/system settings.

Thanks for the responses.

~Baffled Sys Admin
Answered 03/14/2010 by: UpAndComing
Yellow Belt

0
My guess would be either that a required reboot hasn't yet taken place or that there is some other setting which occurs when you re-check the check-box. ProcMon will sort the latter for you.
Answered 03/15/2010 by: VBScab
Red Belt

0
The script is a startup/shutdown script, so the rebooting's taking place (though I've tried it as a login/logoff script with reboots in between as well). My script is just a batch with the following:

regedit /s "\\serverdc1\NETLOGON\ISIS_DEP.reg"

I used Process Explorer to identify all registry keys involved with checking the exceptions box. The only two are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\DocuWare\\ISIS PRO.exe"="DisableNXShowUI"

and

HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache

but I was not too sure about exporting the Application compatibility Cache from my PC and importing it to all PCs, as the Reg_Binary data was a very long string of hex that seemed specific to my PC.

This has something to do with the regedit via batch file via GPO - if I double-click the "ISIS_DEP.reg" file, the values get added to the registry AND the behavior reflects the change, but when I use regedit in a batch file in a GPO the registry changes but the behavior does not.

Help!
Answered 03/15/2010 by: UpAndComing
Yellow Belt

0
I have the same problem here.
Used the registry key mentioned earlier to add MSIE to the exclusion list. When using it I see it appear in the list of the control panel.
Rebooted, tried it, but it doesn't work.

After unchecking and checking it, it works. But I want it automated :(
Answered 03/18/2010 by: pkaak
Yellow Belt

0
After unchecking and checking it, it works. But I want it automated :(

It won't work if you copy the file and then set its registry.

You have to set the registry and then copy the file. Even then, it's still not something you can rely on!
Answered 04/19/2010 by: barmak
Yellow Belt

0

It won't work if you copy the file and then set its registry.

You have to set the registry and then copy the file. Even then, it's still not something you can rely on!


barmak, you mean one has to create the registry value first, like
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\
"C:\Program Files\myapp\myapp.exe"="DisableNXShowUI"
, and to copy app.exe to C:\Program Files\myapp\ only after that? Does the sequence really matter?
If yes, how to proceed when updating the app - if I just replace app.exe with a newer version, will DisableNXShowUI be still in effect for the new exe?

Another question is, should I care what's supported by the OS, or the OS will just ignore what doesn't apply? I mean, DisableNXShowUI makes no sense on XP SP1 - but if it's present, I guess the OS will ignore it.
Answered 04/25/2010 by: peternn
Yellow Belt

0
peternn,

Yes, that's what I meant.

For upgrades it should be okay if you follow that sequence. Admittedly it sounds like superstition, but it does work better.

I don't have XP SP1, I would guess the extra key gets ignored and won't cause problems.
Answered 04/27/2010 by: barmak
Yellow Belt
