Enabling or Disabling Kernel-mode Hardware-enforced Stack Protection on Windows 11

|

|

The article provides a guide on activating or deactivating Kernel-mode Hardware-enforced Stack Protection in Windows 11. This security feature, under Core Isolation, shields fundamental Windows processes from malicious software. Its usage only applies to chipsets that support Intel’s Control-flow Enforcement Technology (CET) or AMD shadow stacks. Instructions are provided on how to enable or disable…

This article explains enabling or disabling Kernel-mode Hardware-enforce Stack Protection in Windows 11.

Windows has lots of security features one can enable to enhance the system’s protection against malware and viruses. One such feature is Core Isolation. Core Isolation is a security feature that protects critical Windows core processes from malicious software such as ransomware.

Another component of Core Isolation is Hardware-enforced Stack Protection. Hardware-enforced Stack Protection provides additional security enhancement for kernel code.

This feature will only work on chipsets supporting hardware, Intel’s Control-flow Enforcement Technology (CET), or AMD shadow stacks.

Here’s how to enable or disable it on Windows 11.

Enable or disable Kernel-mode Hardware-enforced Stack Protection

As described above, you can enable Core Isolation and Hardware-enforced Stack Protection to provide additional security enhancement for kernel code in Windows 11.

This will only work on chipsets supporting hardware, Intel’s Control-flow Enforcement Technology (CET), or AMD shadow stacks.

You must also turn on CPU virtualization and Memory Integrity to use these security features.

Here’s how to turn it on or off.

First, open the Windows Security app.

You can do that by clicking on the Start menu and searching for “Windows Security.” Then, under Best match, click on the Windows Security app.

Windows 11 Windows Security app search on start menu
windows security app search on the start menu

In the Windows Security app, on the “Security at a glance page,” click the Device security link or icon.

Windows 11 Windows Security Device security
Windows 11 Windows security app settings button

On the Windows Security -> Device security page, under Core Isolation, click the Core Isolation details link.

Windows 11 core isolation details link
Windows 11 manages providers’ links in Windows security

On the Windows Security -> Device security -> Core Isolation settings page, under Kernel-mode Hardware-enforced Stack Protection, toggle the button to turn the On or Off position to enable or disable Kernel-mode Hardware-enforced Stack Protection for your device.

Windows 11 kernel-mode hardware-enforced stack protection

When you turn on or off this security feature, you must restart your computer for the changes to take effect.

Turn on or off Kernel-mode Hardware-enforced Stack Protection via Windows Registry Editor

Another way users can turn on or off Kernel-mode Hardware-enforced stack protection in Windows 11 is to use the Windows Registry Editor.

First, open the Windows Registry, and navigate to the folder key below. The registry settings below will first enable Core Isolation.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity

If you don’t see the HypervisorEnforcedCodeIntegrity folder key, right-click on the Scenarios key, then create the subkey (HypervisorEnforcedCodeIntegrity) folders.

windows registry advanced key

Right-click the HypervisorEnforcedCodeIntegrity folder key’s right pane and select New -> DWORD (32-bit) Value. Next, type a new key named Enabled.

Double-click the new key item name (Enabled) and make sure the Base option is Decimal, and then update the Value data:

  • Type 1 to enable Core Isolation.
  • Type 0 to disable Core Isolation.

You first need to enable Core Isolation before using Kernel-mode Hardware-enforced protection. Turning on the value above will do that.

Next, browse the registry key below to turn on Kernel-mode Hardware-enforced protection.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks

If you don’t see the KernelShadowStacks folder key, right-click on the Scenarios key, then create the subkey (KernelShadowStacks) folders.

windows registry advanced key

Right-click the KernelShadowStacks folder key’s right pane and select New -> DWORD (32-bit) Value. Next, type a new key named Enabled.

Double-click the new key item name (Enabled) and make sure the Base option is Decimal, and then update the Value data:

  • Type 1 to enable Kernel-mode Hardware-enforced protection.
  • Type 0 to disable Kernel-mode Hardware-enforced protection.

Also, create a New -> DWORD (32-bit) Value in the same folder and name it WasEnabledBy.

Double-click the new key item name (WasEnabledBy) and make sure the Base option is Decimal, and then update the Value data:

  • Type 2 to let memory integrity UI behave normally (Not grayed out).

Turning on Core Isolation and Kernel-mode Hardware-enforced protection above will enhance your device protection.

Save your changes and restart your computer.

That should do it!

Conclusion:

This post showed you how to enable or disable Kernel-mode hardware-enforced stack protection in Windows 11. If you find any errors above or have something to add, please use the comments form below.

Like this:



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.