Hi all, I'd like to Automatically exclude a program I'm packaging from DEP (data execution prevention). So far I've tried generating an sdb file with the ACT and applying it with secedit, and also trying "install" within the ACT itself. Although it says it's successful the program doesn't show up in the exclusion list. Also, secedit /configure /db database.sdb gets an error even though I've followed all the online instructions I found from msft.
this is supremely F***king annoying, has anybody else done this? ACT and secedit have got the be the most user unfriendly admin tools ever! Am I missing something? So far, the ACT seems pretty much completely worthless.
Automatically exclude program from DEP
0 Comments
[ - ] Hide Comments
Answers
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.
peternn,
Yes, that's what I meant.
For upgrades it should be okay if you follow that sequence. Admittedly it sounds like superstition, but it does work better.
I don't have XP SP1, I would guess the extra key gets ignored and won't cause problems.
It won't work if you copy the file and then set its registry.
You have to set the registry and then copy the file. Even then, it's still not something you can rely on!
I have the same problem here.
used the registry key mentioned earlier to add MSIE to the exclusion list. When using it I see it appear in the list of the control panel.
Rebooted, tried it, but it doesn't work.
After unchecking and checking it, it works. But I want it automated :(
the script is a startup/shutdown script, so the rebooting's taking place (though i've tried it as a login/logoff script with reboots in between as well). my script is just a batch with the following:
regedit /s "\\serverdc1\NETLOGON\ISIS_DEP.reg"
i used process explorer to identify all registry keys involved with checking the exceptions box. The only two are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\DocuWare\\ISIS PRO.exe"="DisableNXShowUI"
and
HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
but I was not too sure about exporting the Application compatibility Cache from my PC and importing it to all PCs, as the Reg_Binary data was a very long string of hex that seemed specific to my PC.
this has something to do with the regedit via batch file via GPO - if i double click the "ISIS_DEP.reg" file, the values get added to the registry AND the behavior reflects the change, but when I use regedit in a batch file in a GPO the registry changes but the behavior does not.
help!
My guess would be either that a required reboot hasn't yet taken place or that there is some other setting which occurs when you re-check the check-box. ProcMon will sort the latter for you.
yall gotta help me - i'm new to this forum but registered because no where else on the web does anyone address the issue i'm having:
I've got all our boot.ini files set with /noexecute=optout, and there's one app that doesn't work with DEP (ISIS Pro scanning software). So i added it as an exclusion via a regedit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\DocuWare\\ISIS PRO.exe"="DisableNXShowUI"
and pushed the registry change via GPO. This ADDED the exe name to the exceptions list (Sys Properties, Performance Options, DEP tab) with a little check in the box and everything. Only problem is, the software does NOT behave as though it is excluded from DEP: I have even used Process Explorer (MS Sysinternals) to verify that despite being added to the exceptions list, ISIS Pro is running with DEP enabled.
You know how we fix it? Log into each machine as an admin, UNCHECK the box (apply), and RECHECK the box (apply again).
any clue as to why the registry setting that worked for so many others is giving me the bird? I'm baffled that the system seems to think this exception has been made, yet behavior does not reflect registry/system settings.
Thanks for the responses.
~Baffled Sys Admin
I am not sure why one would be added and another not. Are they identical eXE files? If so maybe windows does some bit checking and sees identical files and doens't add it. Definitely adding the reg key worked for me though.
Hello - I have a strange problem with DEP and these registry values. My company has a home grown app, which is installed into two folders. One copy is under C:\Program Files\App\Prod\app.exe and the other is C:\Program Files\App\Devl\app.exe. The "app.exe" file name is identical in both the Prod and Devl folders. The app is basically the same except for the INI file it uses, which points it at a prod or development environment.
The problem is simply adding the registry values to exclude these two from DEP only works for the Devl app. the Prod app will not work, unless I go through the Control Pandel applet and re-add it manually. I do not see any typo or other difference between what we are trying to script in the install versus what happens when we manually re-add it to the DEP exception list.
This is what I am adding at install:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Program Files\\App\\Prod\\App.exe"="DisableNXShowUI"
"C:\\Program Files\\App\\Devl\\App.exe"="DisableNXShowUI"
I am puzzled by the scenerio where manually re-adding it makes this work. That must mean there is a setting somewhere that I need to add, but, everywhere I read including this posting says its just as simple as adding these values. I cannot see what that would be though. Also, why would the Devl app work when Prod does not using this simple method? The app crashes with an exception error if DEP is active. I also have confirmed the DEP status is enabled for the Prod app using Process Explorer at run time.
Does anyone know what i am missing here or have ideas?
Thanks
ORIGINAL: Inabus
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="DisableNXShowUI"
Copy the above into a .reg file and that will work for you.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="DisableNXShowUI"
Copy the above into a .reg file and that will work for you.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="DisableNXShowUI"
Copy the above into a .reg file and that will work for you.
P
Just add your application to the DEP exclusion list in sysdm.cpl, then add the regkey created through this,
HKLM\..\TNTAgent.exe with value DisableNXShowUI
That is really all you need to do. Hope it works!
OK tried looking in the registry and here's something weird, when I use ACT to "install" the database there is an entry that appears in the registry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\TNTAgent.exe (the name of the exe I'm trying to exclude from DEP) yet when I look at sysdm.cpl under advanced/performace/DEP it's still not excluded. Also, with your example how do you implement it? I tried putting it in an MSI, checked the values and it didn't get written...Man, I've probably been here too long, thanks, hopefully get this tomorrow.
Thanks!
Man, if this works by itself I'm gonna rate you good and if that is the case I wonder why all these technet articles have you jump thru hoops with the ACT....I shall see and post results to the thread.
We always add a registry key to the package to be found in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\<path to exe>
Answer this question
or Comment on this question for clarity
Comments
Please log in to comment