Windows Security: The Complete Guide to App and Browser Control

This time in our Windows Security tutorial series, we'll be looking at "App and Browser Control."

This section acts as a gatekeeper for the files, apps, and websites you download from the internet. If "Virus and threat protection" is a knight who defeats enemies that have already invaded, this feature is the "gatekeeper who keeps suspicious people out of the castle."

In particular, we will provide a detailed explanation of the powerful new feature "Smart App Control" added in Windows 11 22H2 and later.


1. Smart App Control

This is a very powerful security feature introduced in Windows 11 (version 22H2 and later).

App and Browser Control – Smart App Control

It uses Microsoft's cloud AI to forcibly block untrusted and unsigned apps from running.

Setting status (3 modes)

This feature has three states:

Smart App Control
  • On: This is the strongest protection state. Untrusted apps cannot run at all. It gives the strongest security, but it may prevent homebrew tools and minor free software from running.
  • Evaluation (Evaluation mode): This is the period during which Windows learns how you use your PC. In this mode the feature runs in the background without interfering with you. It is switched on automatically only if the AI determines that turning it on is safe (that it will not affect compatibility). Conversely, if you frequently use unsigned apps, it is switched off automatically.
  • Off: The feature is disabled, as in previous versions of Windows.

[Important] Smart App Control (SAC) on/off restrictions

Previous specification (before the update): Basically, once you turn this feature off, it cannot be turned back on without a clean install (initialization) of Windows. The reason is that turning it back on after a suspicious app may already have infiltrated the system would not provide sufficient security.

Latest change (after applying KB5074105): In environments where the update KB5074105 (Preview), released on January 29, 2026, or a later update is installed, this restriction is relaxed, and SAC can be turned on and off without reinitializing.

*Note: the change is enabled gradually. Microsoft is rolling this change out in stages, so even after installing the update you may not be able to change the setting right away. In that case, wait a while until the feature is enabled.

2. Reputation-Based Protection

The long-standing "SmartScreen" feature is managed here. Basically, we recommend leaving everything "on" as it is.

App and Browser Control – Reputation-Based Protection

Main setting items

  • Check apps and files: When you try to run a file downloaded from the web, you may see a blue screen saying "Windows protected your PC." This is the feature responsible for that.
  • SmartScreen in Microsoft Edge: When you try to open a malicious site (such as a phishing site) in the Edge browser, a red warning screen will appear and the site will be blocked.
  • Protection against phishing: When you enter a password, it will determine whether the site or app is unsafe and warn you.
  • Potentially unwanted app blocking (PUA): Although it is not a virus, it prevents the installation of unwanted applications (adware) that display advertisements or change your browser's search engine without your permission.
  • Block apps: Prevents the installation itself.
  • Block downloads: Prevents downloads in Edge.
  • SmartScreen for Microsoft Store apps: Checks the safety of web content accessed by Store apps.

Phishing Protection (Detailed)

The information protected is mainly the Microsoft account password you use to sign in to Windows.

Phishing Protection

The meaning of each check item is as follows:

① Warn me about malicious apps and sites
  • Recommendation: On
  • Function: Warns you when you try to enter your password on a phishing site (such as a fake login screen) or in a dangerous app. This is the basic protection.
② Warn me about password reuse
  • Default: Off
  • Recommendation: Optional (turn it on if you want to be more security conscious)
  • Function: If you enter the same password you use to sign in to Windows on a website (such as Amazon or a social networking site), you are warned that reusing passwords is dangerous.
  • Benefit: Prevents damage caused by password reuse (list-based attacks, also known as credential stuffing).
③ Warn me about unsafe password storage
  • Default: Off
  • Recommendation: On
  • Function: If you enter your password as is (in plain text) into editor software such as "Notepad" or "Word", you receive a warning.
  • Benefit: Helps prevent dangerous habits such as writing passwords in a notepad file and leaving it on your desktop.
[Verification] Conditions for the warning, and points to note

Simply turning this on may not make it work. The warning screen "Storing your passwords in this app is not secure" is displayed only when all three of the following conditions are met.

Windows Security – It's not safe to store your password in this app

1. You must sign in with a password. This is the biggest pitfall. The feature does not work if you sign in to Windows with a PIN or Windows Hello (fingerprint/face recognition), because Windows then does not hold the "current password" in memory and has nothing to compare against.

2. It is judged the moment you type it, not when you press "Save". When you type the password string on the keyboard into Notepad or similar, the warning appears the moment you type the last character (for example, if your password is 1234, the moment you press 4).

3. Passwords entered after the sign-in process has finished do not count. When switching to an "Enhanced session" in a virtual machine connection such as Hyper-V, you may be asked for a password. If the first sign-in when starting the PC was with a PIN, entering a password there does not enable the warning feature. To test the feature, sign out and sign back in with your password.

The judgment applies only to "continuous input" (corrections and line breaks break it)

This feature does not look at the characters shown in Notepad; it monitors how you type on the keyboard. So, depending on the input sequence, the warning may or may not be issued.

  • Extra characters in between are not allowed: For example, if the password is "1234" and you mistakenly type "12534", then later delete the "5" so that the text reads "1234", no warning is issued. (You must type the correct string in one stroke.)
  • An immediate correction is OK: If you type "125", immediately press Backspace to delete the "5", and then type "34", the warning is displayed (because the flow of input is not interrupted).
  • Line breaks (Enter) are not allowed: If you type "12", press Enter, then backspace to return to just after the "2" and type "34", no warning is issued. Only a single line of text is judged at the moment of input.
④ Automatically collect website or app content when additional analysis is needed to identify security threats
  • Recommendation: On
  • Function: If an unknown threat is found, information about the website or app is sent to Microsoft for analysis, which helps protect you and Windows users worldwide.

3. Exploit protection

This is the Advanced Memory Protection feature (the successor to the former EMET), which has been integrated as a standard OS feature since Windows 10. By strictly managing how the "memory" used by applications is handled, it prevents viruses from exploiting vulnerabilities (security holes) and executing malicious code.

App and Browser Control – Exploit protection

[Most important] Promises before changing settings

The settings in this section are very sensitive. If you change them carelessly, old apps may fail to start or Windows may become unstable.

If for any reason you do need to change the settings, be sure to back up your current (working) configuration first.

*See "[Important] Risks of changing settings and how to restore them" below.

Detailed explanation of each item (system settings)

Basically, it is best to leave everything set to "Use defaults (On)." We will explain what each function protects and how.

Exploit protection – System settings

1. Control Flow Guard (CFG)

  • Role: Monitors the "flow" of code that a program executes.
  • Mechanism: If an application attempts to jump to a memory location it should never have called (for example, because an attacker redirected it), this is detected and the app is forcibly stopped.

2. Data Execution Prevention (DEP)

  • Role: Prevents code from executing in memory that is meant for storing data.
  • Mechanism: Memory is divided into areas for program code and areas for data. Attackers often try to sneak malicious code into a data area and execute it. DEP prevents this by prohibiting execution in data areas.

3. Force image randomization (mandatory ASLR)

  • Role: Forces program placement in memory to be scattered.
  • Mechanism: Even for older apps that do not support ASLR (Address Space Layout Randomization), the memory location is forcibly randomized, preventing attackers from pinning down the "location of the attack target."
  • Note: The default is "Off." Forcing it on can have a significant impact on compatibility, and older software may stop working.

4. Randomize virtual memory allocations (bottom-up ASLR)

  • Role: Randomizes where virtual memory is allocated.
  • Mechanism: A program normally receives memory starting from the lowest address (the bottom); shifting the starting position randomly makes attacks harder to predict.

5. High-entropy ASLR

  • Role: Increases the number of possible randomization patterns.
  • Mechanism: For 64-bit processes (apps), the number of random bits (entropy) used for memory layout randomization is increased, making addresses much harder to guess.

6. Validate exception chains (SEHOP)

  • Role: Prevents hijacking of error handling.
  • Mechanism: Prevents a technique (SEH overwrite) that abuses the "exception handler" mechanism, which runs when a program encounters an error, to execute attack code.

7. Validate heap integrity

  • Role: Detects heap memory corruption.
  • Mechanism: Checks whether the memory area a program uses dynamically (the heap) has been illegally rewritten by an attacker. If corruption is found, the process is terminated before the damage can spread.

Program settings (individual settings)

"System settings" apply to the entire PC; the rules here apply only to specific apps (exe files).

Exploit protection – Program settings

Customization: You can disable CFG for specific apps using the "Add and customize" option, but this should never be used by anyone other than developers or for troubleshooting purposes.

Apps in the list: Important Windows system files such as spoolsv.exe are pre-registered, and an optimal set of protection rules (different from the system settings) is applied to each.

Items only available in program settings (edit screen)

These features are too restrictive to be turned on Windows-wide (system settings), and are only used for tighter lockdown of specific apps or for developer testing.

The settings here are for developers

The items on the "Program settings" edit screen are very powerful restrictions. If you turn them on for ordinary software (Office, browsers, games, etc.) without understanding them, they can be the reason the app will not start or crashes. Basically, the default settings in "System settings" (7 items) provide sufficient protection.

Exploit protection – Program settings – Edit screen
1. Functions that strongly restrict operation

These prevent attacks by restricting the behavior of the app itself. If enabled for a typical app, they are likely to stop the app from working properly.

  • Arbitrary Code Guard (ACG)
    • Function: Prohibits the generation or modification of program code at run time.
    • Note: Modern web browsers generate code on the fly (JIT compilation) for speed, so turning this on will stop the browser from working.
  • Disallow child processes
    • Function: Prevents the app from launching other programs (such as cmd.exe or PowerShell).
    • Benefit: Even if the app is hijacked, other attack tools cannot be launched from it.
  • Disable Win32k system calls
    • Function: Completely blocks the app from accessing graphics-related functions in the Windows kernel.
2. Functions that prevent intrusion from outside

These restrict the loading of external files and fonts.

  • Block low integrity/remote images
    • Function: Prevents loading files from untrusted locations or from other computers on the network.
  • Block untrusted fonts
    • Function: Prevents loading fonts (such as web fonts) that are not installed in the Windows font folder. This is effective against attacks that exploit vulnerabilities in font parsing.
  • Code Integrity Guard
    • Function: Prevents loading any program (DLL) that is not trusted and digitally signed by Microsoft.
  • Disable extension points
    • Function: Prevents the use of legacy extension mechanisms such as "hooks" that allow external programs to get inside the app.
3. Advanced memory protection (e.g., ROP protection)

Specialized functions that detect and prevent advanced memory exploitation attacks (such as ROP gadgets).

  • Export Address Filter (EAF) / Import Address Filter (IAF)
    • Function: Detects and blocks attempts by attackers to find the location of functions in memory (memory scanning).
  • Simulate execution (SimExec) / Validate API calls (CallerCheck)
    • Function: When a program calls an important API, strictly checks whether it was called through the legitimate procedure.
  • Verify stack integrity (StackPivot)
    • Function: Verifies whether the "stack" in memory (where function call information is kept) has been switched to another location by an attacker.
  • Hardware-enforced stack protection
    • Function: Uses the features of a capable CPU (such as Intel CET) to stop the program from going off course at the hardware level.
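As an added example (not from the original article), this PowerShell applies two of the "Program settings" mitigations described above to a hypothetical app, confirms the result, and rolls it back; it assumes an elevated session, the ProcessMitigations module, and a placeholder executable name, and the Get-ProcessMitigation property groups (ChildProcess, Fonts, DynamicCode) are as documented for that module.

```powershell
# Added example, not from the original article: apply two "Program settings"
# mitigations to one hypothetical app, verify, and roll back. Run elevated.
# UI name -> Set-ProcessMitigation switch used here:
#   Disallow child processes -> DisallowChildProcessCreation
#   Block untrusted fonts    -> DisableNonSystemFonts
#   Arbitrary Code Guard     -> BlockDynamicCode (NOT applied: breaks JIT browsers)
$App = 'LobReport.exe'   # assumed executable name; replace with your own test app

function Enable-TestMitigations {
    param([string]$Exe)
    # Only these two are enabled; everything else stays at "Use default".
    Set-ProcessMitigation -Name $Exe -Enable DisallowChildProcessCreation, DisableNonSystemFonts
}

function Show-AppMitigations {
    param([string]$Exe)
    $m = Get-ProcessMitigation -Name $Exe
    [pscustomobject]@{
        Executable         = $Exe
        NoChildProcesses   = [string]$m.ChildProcess.DisallowChildProcessCreation
        BlockUntrustedFont = [string]$m.Fonts.DisableNonSystemFonts
        ACG                = [string]$m.DynamicCode.BlockDynamicCode
    }
}

function Remove-TestMitigations {
    param([string]$Exe)
    # Drops every per-app override so the app falls back to the system-wide
    # settings, i.e. the state before customization.
    Set-ProcessMitigation -Name $Exe -Remove
}

Enable-TestMitigations -Exe $App
Show-AppMitigations   -Exe $App | Format-List
# Exercise the app now. If it misbehaves (for example it needs to launch a
# helper process or load its own fonts), roll the override back:
Remove-TestMitigations -Exe $App
```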
Is this the same as "Kernel-mode Hardware-Enforced Stack Protection" in Core Isolation?

The technology is the same, but the switches are different. The settings under Core Isolation are for protecting the Windows system itself (kernel). On the other hand, the settings under Exploit Protection are for protecting each application. Turning one on does not automatically turn the other on. They operate independently.

Hardware-enforced stack protection

The "Exploit protection" explained here is a feature for protecting each application. "Kernel-Mode Hardware-Enforced Stack Protection," which protects the Windows system itself (kernel), was explained in detail in a previous article.

[Caution] The correct answer is basically "don't touch"

It's safest to leave this at the default setting.

If you change the settings carelessly, old apps and games may suddenly stop working, or the system may become unstable.

Unless you have special circumstances that require you to turn off this feature to run a specific corporate system or an older app, there is no need to change the settings.

[Important] Risks of changing settings and how to restore them

This feature (Exploit protection) can cause problems such as apps failing to work if it is changed carelessly. It is strongly recommended to leave it at the default settings.

If you need to change the settings, please prepare for restoration using the following method.

1. How to restore "System Settings"

Since the system settings have only a few items, the safest approach is to restore them manually. Even if you create a backup file (XML), the "default values" of the system settings may not be reflected correctly, so refer to the list of initial values below and restore them by hand.

▼ System setting initial value (default)

  • Control Flow Guard (CFG): Use the default value (on)
  • Data Execution Prevention (DEP): Use the default value (on)
  • Force image randomization (mandatory ASLR): Use the default value (off) ※This is the only item that is off
  • Randomize virtual memory allocations (bottom-up ASLR): Use the default value (on)
  • High-entropy ASLR: Use the default value (on)
  • Verify the exception chain (SEHOP): Use the default value (on)
  • Verify heap integrity: Use the default value (on)
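As an added example (not from the original article), this read-only PowerShell check compares the seven system-wide settings explained in the "System settings" section with the default values listed above; it assumes an elevated session with the ProcessMitigations module, and that Get-ProcessMitigation -System exposes the CFG, DEP, ASLR, SEHOP and Heap property groups as documented for that module.

```powershell
# Added example, not from the original article: read-only audit of the seven
# system-wide Exploit protection settings against the article's defaults.
# Needs the ProcessMitigations module (Windows 10 1709 / Windows 11), elevated.

# Defaults as listed above. NOTSET means "Use default": Windows then applies
# the built-in value, so NOTSET is treated as matching the expected default.
$Expected = [ordered]@{
    'CFG.Enable'               = 'ON'   # Control Flow Guard
    'DEP.Enable'               = 'ON'   # Data Execution Prevention
    'ASLR.ForceRelocateImages' = 'OFF'  # Mandatory ASLR: the only default-off item
    'ASLR.BottomUp'            = 'ON'   # Bottom-up ASLR
    'ASLR.HighEntropy'         = 'ON'   # High-entropy ASLR
    'SEHOP.Enable'             = 'ON'   # Exception chain validation
    'Heap.TerminateOnError'    = 'ON'   # Heap integrity
}

function Test-ExploitProtectionDefaults {
    $system = Get-ProcessMitigation -System
    foreach ($key in $Expected.Keys) {
        $group, $prop = $key -split '\.'
        $actual    = [string]$system.$group.$prop
        $isDefault = ($actual -eq 'NOTSET') -or ($actual -eq $Expected[$key])
        [pscustomobject]@{
            Setting  = $key
            Expected = $Expected[$key]
            Actual   = $actual
            Status   = if ($isDefault) { 'OK' } else { 'CHANGED' }
        }
    }
}

# Anything reported as CHANGED differs from the defaults listed in the article
# and is a candidate for manual restoration through the Windows Security UI.
Test-ExploitProtectionDefaults | Format-Table -AutoSize
```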

2. How to restore the "Program settings"

The "Program settings" tab contains application settings that Windows has optimized in advance. It is not possible to restore these by hand. If you want to customize them, a backup in an XML file is required.

Backup procedure:

  1. Click "Export settings" and save the XML file.

Restore procedure (using PowerShell): There is no "Import" button on this screen. To restore, run the following command with administrator privileges:

  1. Right-click the Start button > Terminal (Administrator).

  2. Type the following command and press Enter:

Set-ProcessMitigation -PolicyFilePath "C:\<folder where you saved the XML>\<file name>.xml"

  3. After running the command, restart your PC for the settings to take effect.
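As an added example (not from the original article), this PowerShell performs the same backup and restore from the command line instead of the UI, and also lists which executables carry program-specific rules; it assumes an elevated session, a placeholder backup folder, and that the exported XML has the <MitigationPolicy><AppConfig Executable="..."> layout the cmdlet produces.

```powershell
# Added example, not from the original article: back up the current Exploit
# protection configuration (system + program settings) to XML, list which
# executables carry per-app rules, and restore from that file. Run elevated.
$BackupDir = 'C:\ExploitProtectionBackup'   # assumed location; choose your own

function Backup-ExploitProtection {
    param([string]$Dir = $BackupDir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $file = Join-Path $Dir ('ExploitProtection-{0}.xml' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    # Same result as the "Export settings" button in the Windows Security UI.
    Get-ProcessMitigation -RegistryConfigFilePath $file | Out-Null
    return $file
}

function Get-CustomizedExecutables {
    param([Parameter(Mandatory)][string]$XmlPath)
    [xml]$policy = Get-Content -Path $XmlPath -Raw
    # Assumed layout: each <AppConfig Executable="..."> is one entry on the
    # "Program settings" tab (spoolsv.exe and other pre-registered binaries).
    $policy.MitigationPolicy.AppConfig |
        ForEach-Object { $_.Executable } |
        Sort-Object -Unique
}

function Restore-ExploitProtection {
    param([Parameter(Mandatory)][string]$XmlPath)
    # There is no Import button in the UI; this cmdlet is the only way back.
    Set-ProcessMitigation -PolicyFilePath $XmlPath
    Write-Host "Restored from $XmlPath. Restart the PC for the settings to take effect."
}

$backup = Backup-ExploitProtection
Write-Host "Backup written to $backup"
Write-Host "Executables with program-specific rules:"
Get-CustomizedExecutables -XmlPath $backup | ForEach-Object { "  $_" }

# Later, after a misconfiguration, put the saved state back:
# Restore-ExploitProtection -XmlPath $backup
```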

Summary

"App and Browser Control" may seem like it has a lot of options, but the main points that average users should pay attention to are simple.

  1. Reputation-based protection: Check all the checkboxes.
  2. Smart App Control: If you can use it, leave it as "On" or "Evaluation". (Free software lovers can leave it as "Off".)
  3. Exploit protection: Basically, do not touch it.

This alone provides ample protection against web threats.


Person who wrote this article

Driven by questions arising from my daily PC use and the desire to "do more," I have been pursuing self-study in Windows since around 2008. I am sharing the "aha!" techniques and solutions I discovered through trial and error with the sole purpose of helping you in your PC life.
