How to Enable Kernel Mode Hardware-Enforced Stack Protection in Windows 11?

Kernel-Mode Hardware-Enforced Stack Protection

So, you are a Windows 11 user who wants to enable Kernel-Mode Hardware-Enforced Stack Protection but does not know how? If you landed on this article while searching for the steps, you can stop browsing: this article is for you.

In this article, we will cover what Kernel-Mode Hardware-Enforced Stack Protection is, how to enable and disable it, what hardware it needs, what to do when the toggle refuses to turn on, and what the drawbacks are. Let's start.

What is the Kernel-Mode Hardware-Enforced Stack Protection Feature?

Kernel-mode Hardware-enforced Stack Protection is a Core isolation setting that appeared in the Windows Security app on Windows 11 22H2, delivered through a Microsoft Defender (Windows Security platform) update. It arrived alongside, not instead of, the separate Local Security Authority (LSA) protection toggle. It protects kernel-mode code against return-address hijacking, the step that turns a "Stack Buffer Overflow" or Return Oriented Programming (ROP) attack into code execution, by using hardware "Shadow Stacks." (In these attacks, the attacker overflows a buffer on the stack so that the saved return address is overwritten; when the function returns, execution jumps to an address of the attacker's choosing instead of back to the caller.)

A Shadow Stack is a second stack maintained by the CPU that holds only return addresses. Ordinary memory writes cannot modify it: only the processor's call and return instructions (plus a few privileged shadow-stack instructions) touch it, so code that can overwrite the normal stack still cannot overwrite the shadow copy. When a function is called, the CPU pushes the return address onto both the normal stack and the Shadow Stack.

When the function returns, the CPU pops both copies and compares them. If the return address on the normal stack differs from the one on the Shadow Stack, the return address was tampered with, which is the signature of a stack buffer overflow or a ROP chain, and the CPU raises a control-protection fault instead of jumping to the tampered address. For user-mode shadow stacks Windows simply terminates the offending process; in kernel mode there is no process to sacrifice, so a violation is fatal and Windows stops with a bug check (blue screen) rather than let the attacker's code run.

How to Enable Kernel-Mode Hardware-Enforced Stack Protection Feature on Windows 11?

Enabling the Kernel-Mode Hardware-enforced Stack Protection feature on Windows 11 is easy and takes only a few minutes. Follow the steps below:

  • Click Search, placed on the taskbar.
  • Type Windows Security and press Enter.
  • The Windows Security window will appear.
  • In the left pane, click Device security.
  • Click Core Isolation Details.
  • Under the Kernel-Mode Hardware-enforced Stack Protection section, toggle the switch to “On.”

Note: Before activating the Kernel-Mode Hardware-Enforced Stack Protection feature, Windows scans the device drivers that are currently loaded and checks whether any of them is known to be incompatible with shadow stacks.

If an incompatible driver is found, you are prompted to "Update those Drivers" before trying again. If none is found, Windows prompts you to "Restart the Device"; the feature only takes effect after the restart.

To disable the feature, return to the same Kernel-Mode Hardware-enforced Stack Protection section, toggle the switch to "Off," and restart when prompted.

What Are the Requirements For Device to Use the Hardware-enforced Stack Protection on Windows 11?

Hardware-enforced Stack Protection needs a CPU with a Shadow Stack, which is the shadow-stack half of Intel's Control-flow Enforcement Technology (CET); AMD implements the same capability from Zen 3 onward. In practice that means an Intel 11th-generation Core (Tiger Lake) or newer, or an AMD Zen 3 (Ryzen 5000 series) or newer. In addition, Windows builds kernel shadow stacks on top of virtualization-based security (VBS), the same foundation Memory integrity uses, so hardware virtualization must be enabled in the UEFI/BIOS firmware for the feature to run.

Kernel-Mode Hardware Enforced Stack Protection Feature is Turned Off & Can’t be Turned On

If you cannot enable the Kernel-Mode Hardware-enforced Stack Protection feature (it shows as turned off and cannot be turned on), first verify that your CPU supports CET shadow stacks.

If it does, and you still cannot enable the feature, use the methods mentioned below one at a time and verify the result:

  • Use the Registry
  • Turn on CPU Virtualization in BIOS
  • Uninstall the Troublesome Application(s)
  • Enable DEP
  • Inspect Conflicting Drivers and Update
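Before working through these methods, it helps to know which stage the feature is stuck at: not configured at all, configured in the registry but not running (a CPU or virtualization prerequisite is missing, or a reboot is pending), or already running. The PowerShell script below is an added example, not code from the original article or from Microsoft. It reads the Win32_DeviceGuard WMI class (the same data msinfo32 shows under "Virtualization-based security Services Running") together with the registry key the Windows Security toggle writes. The service codes 2, 5 and 6 are those documented for Win32_DeviceGuard; the Get-ComputerInfo firmware check is only populated when no hypervisor is running yet, so an empty value alongside a running VBS is normal.

```powershell
# Added example: report the state of Kernel-mode Hardware-enforced Stack Protection
# and its prerequisites. Read-only; no elevation required.

function Get-KernelShadowStackStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsText = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'not enabled' }
        1       { 'enabled but not running' }
        2       { 'running' }
        default { "unknown ($_)" }
    }

    # Key written by the Windows Security "Kernel-mode Hardware-enforced Stack Protection" toggle
    $regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
    $regEnabled = (Get-ItemProperty -Path $regPath -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

    # Firmware virtualization flag; $null once a hypervisor is already running
    $fw = (Get-ComputerInfo -Property HyperVRequirementVirtualizationFirmwareEnabled).HyperVRequirementVirtualizationFirmwareEnabled

    # Service codes documented for Win32_DeviceGuard:
    # 2 = Memory integrity (HVCI), 5 = Kernel-mode HSP, 6 = Kernel-mode HSP in audit mode
    [pscustomobject]@{
        VirtualizationBasedSecurity   = $vbsText
        FirmwareVirtualizationEnabled = $fw
        MemoryIntegrityRunning        = ($dg.SecurityServicesRunning -contains 2)
        ShadowStacksRegistryEnabled   = ($regEnabled -eq 1)
        ShadowStacksConfigured        = ($dg.SecurityServicesConfigured -contains 5)
        ShadowStacksRunning           = ($dg.SecurityServicesRunning -contains 5)
        ShadowStacksAuditMode         = ($dg.SecurityServicesRunning -contains 6)
    }
}

$status = Get-KernelShadowStackStatus
$status | Format-List

if ($status.ShadowStacksConfigured -and -not $status.ShadowStacksRunning) {
    Write-Warning 'Configured but not running: the CPU lacks CET, VBS is not running, or a restart is pending.'
}
elseif (-not $status.ShadowStacksConfigured -and $status.VirtualizationBasedSecurity -ne 'running') {
    Write-Warning 'VBS is not running; enable hardware virtualization in firmware before retrying the toggle.'
}
```

Run it once before changing anything and once after each method below; the ShadowStacksRunning field is the only one that proves the protection is actually active.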

Use the Registry

The Windows Security toggle is backed by a registry key under DeviceGuard\Scenarios; setting it directly is equivalent to flipping the toggle. (The FeatureSettingsOverride value under Session Manager\Memory Management, which some guides point to, controls speculative-execution mitigations such as Spectre and Meltdown and has no effect on shadow stacks; leave it alone.) Follow the steps below to enable the Kernel-Mode Hardware-enforced Stack Protection feature using the Registry:

Prerequisite: Create a backup of your Windows Registry.

  • Click Search, placed on the taskbar.
  • Type regedit, right-click Registry Editor and choose Run as administrator.
  • The Registry Editor window will appear.
  • Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard > Scenarios.
  • Look for a KernelShadowStacks key under Scenarios. If absent, right-click Scenarios, select New > Key, and name it KernelShadowStacks.
  • Select KernelShadowStacks. In the right pane, look for the Enabled DWORD value. If absent, right-click an empty area, select New > DWORD (32-bit) Value, and name it Enabled.
  • Double-click Enabled to modify it.
  • Enter 1 as the Value data (0 disables the feature again).
  • Press OK.
  • Close the Registry Editor window.
  • Restart the system.

After the restart, the Windows Security toggle should show "On," provided the CPU and virtualization prerequisites are met. If they are not, the key only marks the feature as configured; it will not actually run, and the Windows Security page will still report it as off.
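The same registry change from an elevated PowerShell prompt, as an added example (not code from the original article), with the key exported to a .reg file first so the change can be reverted. The backup location under $env:TEMP is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example: enable or disable Kernel-mode Hardware-enforced Stack Protection
# through the key the Windows Security toggle writes, backing the key up first.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'

function Backup-KernelShadowStackKey {
    param([string]$Destination = (Join-Path $env:TEMP 'KernelShadowStacks-backup.reg'))  # arbitrary default
    if (-not (Test-Path $KeyPath)) {
        Write-Host 'Key does not exist yet; nothing to back up.'
        return
    }
    # reg.exe expects HKLM\... rather than the HKLM:\ PowerShell drive form
    $native = $KeyPath -replace '^HKLM:\\', 'HKLM\'
    reg.exe export $native $Destination /y | Out-Null
    Write-Host "Existing key exported to $Destination (restore with: reg.exe import `"$Destination`")"
}

function Set-KernelShadowStacks {
    param([Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $value = if ($State -eq 'On') { 1 } else { 0 }
    # -Force overwrites an existing value; the type is a REG_DWORD, like the UI writes
    New-ItemProperty -Path $KeyPath -Name 'Enabled' -PropertyType DWord -Value $value -Force | Out-Null
    (Get-ItemProperty -Path $KeyPath -Name 'Enabled').Enabled
}

Backup-KernelShadowStackKey
$now = Set-KernelShadowStacks -State On
Write-Host "Enabled is now $now. Restart to apply, then check Windows Security > Device security > Core isolation details."
```

Setting Enabled to 1 makes the feature "configured"; whether it actually runs after the restart still depends on the CPU supporting CET and on virtualization-based security being up.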

Turn on CPU Virtualization in BIOS

For Kernel-mode Hardware-enforced Stack Protection to work, the CPU must support CET and Windows' virtualization-based security must be able to start, which requires hardware virtualization (Intel Virtualization Technology, VT-x, or AMD-V/SVM) to be enabled in the UEFI/BIOS firmware. Without it, the toggle cannot be turned "On."

Follow the steps to turn on the CPU virtualization in BIOS:

  • Boot the device into the UEFI/BIOS firmware setup (press the key shown at power-on, typically Del, F2 or Esc, or go to Settings > System > Recovery > Advanced startup > Restart now, then Troubleshoot > Advanced options > UEFI Firmware Settings).
  • Switch to the Advanced/Configuration/System Configuration tab; the name varies by vendor.
  • Locate the virtualization option: Intel Virtualization Technology (VT-x) on Intel systems, or SVM Mode on AMD systems.
  • Select the Enabled option using the Enter key.
  • Press the F10 key (or the save-and-exit key shown on screen).
  • Select YES to confirm the changes.

Once the CPU virtualization is enabled, you can turn on the Kernel-mode Hardware-enforced Stack Protection feature.

Uninstall the Troublesome Application(s)

Some games ship kernel-mode anti-cheat drivers, such as Bloodhunt and titles that use BattlEye, that are not compatible with the Kernel-mode Hardware-enforced Stack Protection feature and prevent it from being enabled. It is the driver, not the game itself, that conflicts, and anti-cheat components often appear as separate entries in the app list and can remain installed after the game is removed. So uninstall the game and its anti-cheat component, then try enabling the feature again.

Follow the steps mentioned below to uninstall incompatible applications:

  • Click Search, placed on the taskbar.
  • Type Add or remove programs and press Enter.
  • The Apps > Apps & features window will appear.
  • Under the App list section, in the Search apps field, type the name of the incompatible application and press Enter.
  • Click three vertical dots on the right of the name of the incompatible application option.
  • From the list, select Uninstall.
  • Restart the system.

Enable DEP

Data Execution Prevention (DEP) is a built-in Windows feature that marks data pages such as the stack and heap as non-executable, so injected shellcode cannot run directly. There is no documented dependency between DEP and Kernel-mode Hardware-enforced Stack Protection, but a system where DEP has been forced off through the boot configuration is in a non-default state; if you see a warning that the feature is off, restoring DEP removes one variable before you look further.

Follow the steps mentioned below to enable Data Execution Prevention (DEP):

  • Click Search, placed on the taskbar.
  • Type Command Prompt, right-click it and choose Run as administrator (bcdedit requires elevation).
  • The Command Prompt window will appear.
  • Type bcdedit.exe /set {current} nx AlwaysOn and press Enter. (The Windows default is OptIn; AlwaysOn applies DEP to every process and cannot be opted out of by individual programs.)
  • Restart the device.
  • Try enabling the Kernel-mode Hardware-enforced Stack Protection feature.

Inspect Conflicting Drivers and Update

As stated earlier, you might not be able to enable the Kernel-mode Hardware-enforced Stack Protection feature because of incompatible drivers. Update those drivers, or remove the software that installs them if no compatible version exists, and try enabling the feature again.

Follow the steps mentioned below to inspect and update conflicting drivers:

  • Click Search, placed on the taskbar.
  • Type Windows Security and press Enter.
  • The Windows Security window will appear.
  • In the left pane, click Device security.
  • Click Core Isolation Details.
  • Click the Review incompatible drivers blue link.
  • The incompatible drivers list will appear.
  • Download and install the latest version of each listed driver from the device or software manufacturer's official site, not from third-party driver sites.
  • Restart the device and try enabling the feature again.
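The Windows Security list names the drivers it objects to, but it does not tell you which installed product they belong to. The PowerShell script below, an added example rather than code from the original article, inventories the kernel drivers that are currently loaded and keeps those whose file version information does not name Microsoft as the company. Third-party drivers (anti-cheat, DRM and OEM utilities, the kinds mentioned in this section and in the anti-cheat section above) show up here with their vendor name, which is what you need to find the right uninstaller or update. Note that Windows' own inbox drivers are catalog-signed and report NotSigned from Get-AuthenticodeSignature, and that production third-party drivers are countersigned by Microsoft's hardware-compatibility publisher, so the Company column, not the signer, is the heuristic used to separate them.

```powershell
# Added example: list loaded kernel drivers whose version info does not name Microsoft,
# as candidates for the "incompatible drivers" Core isolation complains about.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\Windows\system32\drivers\x.sys, \SystemRoot\System32\drivers\x.sys,
    #   system32\DRIVERS\x.sys (relative to the Windows directory), or a plain absolute path
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ThirdPartyKernelDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries we cannot inspect

            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $sig     = Get-AuthenticodeSignature -LiteralPath $path
            $signer  = $null
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
            }

            [pscustomobject]@{
                Name      = $_.Name
                Company   = $company
                Signer    = $signer
                SigStatus = $sig.Status
                Path      = $path
            }
        } |
        # Heuristic: keep drivers with no company info or a non-Microsoft company
        Where-Object { -not $_.Company -or $_.Company -notmatch 'Microsoft' }
}

Get-ThirdPartyKernelDrivers | Sort-Object Company, Name | Format-Table -AutoSize
```

Cross-check the names Windows Security lists against the Name and Path columns; the Company value then tells you which vendor's update page or uninstaller to use.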

Conclusion

Enabling Kernel-mode Hardware-enforced Stack Protection on Windows can conflict with drivers that are not prepared for shadow stacks, which in practice means crashes in the software that depends on them. Anti-cheat and DRM drivers used by games such as Bloodhunt, PUBG and Valorant are the most commonly affected and may crash or refuse to start while the feature is on.

Even so, you should not disable the feature just because of this. It shields the kernel from return-address hijacking, the mechanism behind stack buffer overflow and ROP attacks, and the fix for an incompatible driver is an updated driver, not a weaker system. Enable the feature if your device meets the hardware and virtualization requirements.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.