What is "Kernel Mode Hardware Enforced Stack Protection" in Windows 11?

This page introduces the "Kernel Mode Hardware Enforced Stack Protection" feature, the conditions for using it, and the disadvantages of turning it on.


What is "Kernel Mode Hardware Enforced Stack Protection"?

"Kernel-Mode Hardware-Enforced Stack Protection" is part of the Windows 11 security feature called "Core Isolation," and is a very powerful defense system that prevents malicious software from taking over your PC.

Within Core Isolation it works together with "Memory Integrity" to protect the heart of the OS.

Purpose: Protect the memory stack from hijacking

The purpose of this feature is to protect a very important memory area called the "memory stack" that is used when a program is running.

[Terminology] What is a memory stack? This is a special memory area that temporarily stores important information for controlling the flow of processing, such as the return address of a function, when a program is executed.

How it works: Double-checking with the "shadow stack"

When this feature is enabled, the PC's CPU prepares another stack called the "shadow stack" in addition to the normal stack, and constantly compares and collates the contents of these two stacks while the program is running.

If an attacker exploits a vulnerability in a program and attempts to execute malicious code by illegally rewriting the contents of the normal stack (such as the return address), a discrepancy will arise with the shadow stack, and the CPU will detect the abnormality and prevent the attack.

This is similar to the double-checking used to prevent fraud in bank transactions, where two people, a clerk and a supervisor, independently verify the same document.
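As an added illustration (not part of the original article), here is a small C model of the check described above: a call pushes the return address onto both the normal stack and the shadow stack, an unchecked copy overruns a local buffer into the saved return address, and the return is refused when the two copies disagree. The frame layout, the return address value and the inputs are all constructed for this demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of one call frame on the normal stack: the local
 * buffer sits just below the saved return address, as in a real frame,
 * so writing past the buffer overwrites the address. */
typedef struct {
    char      buf[16];
    uintptr_t return_addr;
} frame_t;

#define SHADOW_DEPTH 32
static uintptr_t shadow[SHADOW_DEPTH];   /* the CPU-managed shadow stack (modelled) */
static int       shadow_top = 0;
static const uintptr_t RETURN_SITE = 0x401000;  /* constructed legitimate return address */

/* CALL: the return address is pushed onto both stacks. */
static void do_call(frame_t *f, uintptr_t ret) {
    f->return_addr = ret;
    shadow[shadow_top++] = ret;
}

/* The classic bug from the article: input is copied into the frame with no
 * bounds check on the buffer, so it may run past buf into return_addr. The
 * copy is clamped to the struct, so the model itself stays well-defined C. */
static void vulnerable_copy(frame_t *f, const unsigned char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, in, len);
}

/* RET: compare the normal stack's return address with the shadow copy.
 * A mismatch is what the CPU raises as a control-flow violation. */
static bool do_ret(const frame_t *f) {
    uintptr_t expected = shadow[--shadow_top];
    return expected == f->return_addr;   /* false: fault instead of a jump */
}

/* One call / copy / return cycle; true if the return was allowed. */
bool simulate(const unsigned char *in, size_t len) {
    frame_t f; memset(&f, 0, sizeof f); shadow_top = 0;
    do_call(&f, RETURN_SITE);
    vulnerable_copy(&f, in, len);
    return do_ret(&f);
}

bool benign_case(void)   { return simulate((const unsigned char *)"hello", 5); }
bool overflow_case(void) {           /* 'A' * sizeof(frame_t) overwrites return_addr */
    unsigned char in[sizeof(frame_t)]; memset(in, 'A', sizeof in);
    return simulate(in, sizeof in);
}
```

In the benign case both stacks still hold RETURN_SITE and the return proceeds; in the overflow case the normal stack's copy has been replaced and the shadow stack exposes the discrepancy.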

Attacks that can be prevented: Buffer overflow attacks, etc.

This mechanism is particularly effective against classic and powerful cyber attacks known as "buffer overflow attacks."

[Terminology] What is a buffer overflow attack? This is an attack method in which more data is sent to a data storage area (buffer) prepared by a program than it can hold, overrunning the buffer so that adjacent memory is overwritten and attacker-supplied code can be written there and executed.


Conditions for using the "Kernel Mode Hardware-Enforced Stack Protection" feature

"Kernel Mode Hardware Enforced Stack Protection" may require BIOS configuration and may not be available on unsupported CPUs.

Prerequisites

  • Windows 11 May 2022 Update or later
  • Windows Security app version 1000.25330.0.9000 or later
  • Hardware that supports Intel Control-Flow Enforcement Technology (CET) or AMD Shadow Stacks
    • That is, 11th Generation Intel Core mobile processors or AMD Zen 3 cores, or later
  • Virtualization-based security (VBS) and hypervisor-enforced code integrity (HVCI) are enabled

To use the "Kernel Mode Hardware-Enforced Stack Protection" feature, you need a relatively new CPU, and you cannot turn it "On" in the settings in the following cases:

  • You have an outdated anti-cheat program (for games) installed
  • Old keyboard and mouse drivers installed
  • Certain apps or incompatible drivers are installed

In that case, click "Check for incompatible drivers and services" to find out which ones are blocking the feature.

Kernel-mode hardware-enforced stack protection

Incompatible drivers and services are displayed, and removing them will allow you to use the "Kernel Mode Hardware-Enforced Stack Protection" feature.

Incompatible drivers and services

In addition, "Memory Integrity" must be set to "On".

Windows Security > Device Security > Core Isolation Details

If memory integrity is not enabled, the "Kernel-mode Hardware-Enforced Stack Protection" feature cannot be used.

Disadvantages of turning on "Kernel Mode Hardware Enforced Stack Protection"

The disadvantage of turning on "Kernel Mode Hardware Enforced Stack Protection" is that certain applications may not function properly.

You will no longer be able to install or load certain drivers, so devices that have worked fine until now, printers for example, may stop working.

In my environment, I have confirmed that I am unable to launch Epic Games' Fortnite.

Even if you are able to turn on Kernel Mode Hardware Enforced Stack Protection after installing Fortnite, you will not be able to launch Fortnite.

Program Compatibility Assistant

The Epic Games anti-cheat program will also be unable to load.

As such, you should be aware that this has the disadvantage of causing certain apps and devices to stop working.

"Kernel Mode Hardware-Enforced Stack Protection" is a feature recommended for businesses, so there is no need to turn it on for personal PCs.
