
Boot ini, added command?

Discussion in 'Windows XP' started by martinr121, 2005/05/03.

Thread Status:
Not open for further replies.
  1. 2005/05/03
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Hi All: Poking around my computer trying to find a way to get Windows splash screen to load at start up, (A long time vexing problem) in msconfig, found the following on the Boot ini line after fast detect:

    "/NoExecute=OptOut "

    I don't remember seeing that there previously, although, with my memory, it could have been there since day one.

    Anyhow, does it belong there and/or anybody know why it is there and what it does? Attaching a thumbnail.

    Any and all replies are appreciated as always.

    Take care,

    Martin
     
  2. 2005/05/03
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    A detailed explanation of DEP:
    http://support.microsoft.com/kb/875352
    SUMMARY
    Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

    The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.

    Comments
    DEP (and the /noexecute parameter) are supported on Microsoft Windows XP with Service Pack 2 (SP2), Microsoft Windows 2003 with Service Pack 1 (SP1), and later versions of Windows.

    On Windows XP with SP2 and later versions of the Windows client operating system, the default value is /noexecute=optin. On Windows Server 2003 with SP1 and later versions of the Windows Server operating system, the default value is /noexecute=optout.

    When DEP is enabled (/noexecute=alwayson | optout | optin) on a computer with a processor that supports hardware-enforced DEP, 32-bit versions of Windows automatically enable physical address extension (PAE) (See /pae). When DEP is disabled, Windows automatically disables PAE. To enable PAE without DEP, the boot options must explicitly enable PAE and disable DEP (/noexecute alwaysoff /pae).

    To set the /noexecute=optin or /noexecute=optout policies, or to disable DEP on a particular executable file, use System in Control Panel. Click the Advanced tab, in the Performance section, click Settings, and then click the Data Execution Prevention tab. The options that you set on the tab are effective when you restart the computer.
    ----------------------------------------------------------------------
    Some past windowsbbs references:
    http://www.google.com/search?num=30...2005-17,GGLD:en&q=site:www.windowsbbs.com+dep
    ----------------------------------------------------------------------
    Google search has lots of references for switch use and changing such when using certain devices (seems to be mostly graphic board related and a known problem with specific ones/brand) or running certain programs. I'm sure Microsoft searches of "sp2" or "DEP" would also be filled with in-depth explanations or workarounds for this added security feature. I didn't spend too much time on this, as you can see. I figured you can take it from here, if you're truly interested.
    ---------------------------------------------------------------------
     


  4. 2005/05/03
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Hi Ann: Thanks for the response, I had read about the DEP previously and was aware it was on this machine, but didn't know about the boot.ini entry, or forgot about it.

    My processor does not support Hardware DEP. I guess what I have there is the default setting, and after reading all the fine print you quoted as well as going to the MSFT site and reading all about it there, it is still confusing to me with the "Opt In ", "Opt Out" settings.

    I have the setting to run on all programs and processes, so, what have I opted out of? :confused:

    Thanks again

    Martin
     
  5. 2005/05/04
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    The OptOut switch turns off DEP. The OptIn switch turns it on. It would appear you aren't using it. ;)
     
  6. 2005/05/04
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Hey Zander: Well, I guess something is amiss here. I have DEP turned on for everything except exceptions I enter. If the boot.ini should read opt in, and mine reads opt out, what gives? Attaching screen shot.

    Take Care,

    Martin
     
  7. 2005/05/04
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hey Martin,

    I checked mine - OptIn.

    Also ticked is the first option, DEP for essential Windows programs and services. This is the default setting of SP2.

    If you un-tick the 2nd option - DEP for all and tick the first, essential, what happens?

    Regards - Charles
     
  8. 2005/05/04
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    From what I understand about the OptOut switch, it turns DEP off completely regardless of your settings in windows. OptIn uses those settings, OptOut, it's off.
     
  9. 2005/05/04
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Hey Charles: here it is, but I don't get it. If I enable it for all programs and services,=OptOut, but enable only MSFT,=OptIn. That makes no sense to me.
    But then again, it is Windows, so why should it make sense.

    Also, I notice there is no option to turn it off completely.

    Still don't know what I am opting out of.

    Take care,

    Martin
     
  10. 2005/05/04
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23
    It's sort of reverse logic.

    /NoExecute=OptIn turns DEP protection on for essential programs and services.

    /NoExecute=OptOut turns DEP ON for ALL programs.

    The default value, since SP2, is /NoExecute=OptIn

    The logic being that you're opting in or out of letting Windows control the action. With the OptOut setting, you're in control and can exclude certain programs and services as you so choose.

    I wouldn't change that unless I had some specific problem or had knowledge that my hardware (processor) was fully supportive of DEP in all instances. XP will tell you if your hardware supports DEP via a message in the Control Panel > System > Advanced Tab > Performance > Settings > Data Execution Prevention Tab > (down on the bottom is the message)

    Martin, your posted data of the Boot.ini file flies in the face of your GUI setting that your image post reveals and must have been manually edited??? I suggest you change it to the default setting, /NoExecute=OptIn. Either do it manually or try checking the other option in the GUI and then changing it back, applying it each time just to jack the system around for exercise. Any change will be reflected in the boot.ini file. Disregard this if you have changed the setting during this thread term.
     
    Last edited: 2005/05/04
  11. 2005/05/04
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    That's what I thought would happen :)

    Regards - Charles
     
  12. 2005/05/04
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    As I understand it and in a nutshell, you are not disabling DEP by either of these switches but are either setting it for
    =optin*limited essential Windows operating system programs and services.
    =optout*All programs and services except those (with compatibility issues) that you have manually overridden by making a list or adding to a list via that setting accessed as you have shown by your attachment.

    As noted and in agreement with surferdude (and because I'm lazy, lately) I prefer to leave this as is and let it fall into the category of "if it ain't broke don't fix it". In other words if the defaults aren't causing a problem, leave them alone but if you are having DEP compatibility problems
    See this for pictures and step by steps:
    http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx

    Scatter brained disclaimer:
    The following is info overloading or provides more info than you asked for (I have a habit of doing this). I hope it makes sense. This was glued together from several running notepads and various links, done in small time spurts. This may have resulted in a loss of my train of thoughts and will be reflected in the text. :rolleyes: I'm sure I'm going to look at this tomorrow, when I can no longer edit it, be embarrassed and hate every word. I will be left wondering "what ever possessed me?" Oh well... "in for a penny, in for a pound" and here it comes:

    Regarding your query for disabling:
    I believe that DEP also has two other option switches. (To be used only if you are having DEP issues and have exhausted all other recommended remedies. See bolded text further down for the recommended remedies.)
    /noexecute=AlwaysOn
    /noexecute=AlwaysOff This totally disables DEP but if you have a PAE capable system additional steps must be taken to ensure Physical Address Extension (PAE) is used. Having an older system with limited ram in the mg range (p3 with 258mg ram) and not the 4gig range this refers to, I have not spent any time trying to understand this or even confirm whether it applies to all regardless of os/ram specs. I had a good PAE link but I lost it. You may wish to "Google it" if interested.

    Data execution prevention (DEP) marks all memory locations in a process as non-executable unless the location explicitly contains executable code. The primary benefit of data execution prevention is that it prevents code execution from data pages such as the default heap, various stacks and memory pools. If a program tries to run code from a protected location, DEP closes the program and notifies you.
    !NOTE!: This action occurs even if the code is not malicious.

    As with all things, there's good to go with the bad. Windows updates or changes definitely fall under the above description:
    Some application behaviors are expected to be incompatible with data execution prevention (DEP). Examples of incompatible applications that might have compatibility issues with data execution prevention:
    *applications which perform dynamic code generation (such as Just-In-Time code generation)
    *and ones that do not explicitly mark generated code with Execute permission.

    Some drivers may also be affected by DEP. Issues related to Physical Address Extension (PAE), code generation or other techniques to generate executable code in real time, direct modification of system page table entries (PTEs), direct memory access (DMA) transfers and map register allocation are of particular concern.

    The preferred method for resolving DEP problems is to obtain updates for affected applications and drivers. Alternatively, the System Control Panel may be used to exclude individual applications from DEP checks (Control Panel->System->Advanced->Performance Options->Data Execution Prevention). As a last resort, DEP can be disabled system-wide using the
    /NOEXECUTE flag in BOOT.INI.

    I also noticed a link and made a note of the application known as "DisableNX compatibility fix ". I have not followed the link or checked it out but am including it for those that have compatibility DEP issues. This may be worth a look-see. Dunno?

    Per-program DEP configuration
    For the purposes of program compatibility, you can selectively disable DEP for individual 32-bit programs when DEP is set to the OptOut policy level. To do this, use the Data Execution Prevention tab in System Properties to selectively disable DEP for a program.

    For IT professionals, a new program compatibility fix that is named "DisableNX" is included with Windows XP SP2. The "DisableNX compatibility fix" disables Data Execution Prevention for the program that the fix is applied to.

    The DisableNX compatibility fix can be applied to a program by using the Application Compatibility Toolkit. For more information about Windows application compatibility, see Windows Application Compatibility on the following Microsoft Web site:
    http://www.microsoft.com/windows/appcompatibility/default.mspx

    Additionally, Google your error. A groups google can be quite helpful when trying to figure out if there is a known fix or a less known work around for a problem.
     
    Last edited: 2005/05/04
  13. 2005/05/04
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Some misunderstandings here... read my Windows XP How To article: Data Execution Prevention

    • /noexecute=option. There are four options to this switch:
      • OptIn - Default setting. Only Windows system binaries are monitored by DEP - This is the default. DEP is enabled.
      • OptOut - Enables DEP for all processes. Users can create a list of applications which are not monitored by DEP using the DEP configuration options listed in the System Control Panel applet.
      • AlwaysOn - Enables DEP for all processes. DEP is always applied, and exceptions lists are ignored and not available for users to apply.
      • AlwaysOff - This disables DEP
    • /execute - This disables DEP.
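
The switch values listed above can be checked mechanically. The following is an added example, not part of the original thread or of any Microsoft tool: a small Python audit that reads a boot.ini, classifies each boot entry's DEP policy, and flags entries where DEP is disabled. The sample boot.ini, its labels and the function names are constructed for illustration.

```python
import re

# /noexecute values and their meaning, as listed in the thread.
NOEXECUTE = {
    "optin": "DEP on for Windows system binaries only",
    "optout": "DEP on for all processes except the user's exception list",
    "alwayson": "DEP on for all processes, exception list ignored",
    "alwaysoff": "DEP disabled",
}

# Constructed sample boot.ini; entries and labels are made up for this example.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Pro" /fastdetect /NoExecute=OptOut
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="XP test" /fastdetect /noexecute=alwaysoff /pae
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="XP legacy" /fastdetect /execute
multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="XP old" /fastdetect
"""

def parse_os_entries(text):
    """Yield (label, switches) for each entry under [operating systems]."""
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "operating systems":
            m = re.match(r'[^=]+=\s*"([^"]*)"(.*)$', line)
            if m:
                yield m.group(1), m.group(2).split()

def dep_policy(switches):
    """Return a /noexecute value, 'execute', 'absent', 'invalid' or 'conflict'."""
    found = set()
    for sw in switches:
        name, _, value = sw.lower().partition("=")
        if name == "/noexecute":
            found.add(value if value in NOEXECUTE else "invalid")
        elif name == "/execute":
            found.add("execute")
    if not found:
        return "absent"  # OS default applies (OptIn on XP SP2 per the thread)
    return found.pop() if len(found) == 1 else "conflict"

def audit(text):
    """Return {label: (policy, dep_is_disabled)} for every boot entry."""
    return {label: (p, p in ("alwaysoff", "execute"))
            for label, sw in parse_os_entries(text)
            for p in [dep_policy(sw)]}

if __name__ == "__main__":
    for label, (policy, off) in audit(SAMPLE_BOOT_INI).items():
        print(f"{label:10} {policy:10} {'DEP OFF' if off else NOEXECUTE.get(policy, policy)}")
```

Entries reported as `conflict` or `invalid` are worth a manual look, since the thread does not say how Windows resolves contradictory or unknown switch values.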
     
  14. 2005/05/04
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Hi All, and thanks for all the interest. Simple question=complicated answers.

    My DEP setting as "Opt In" was set in system by me through a misunderstanding of what the darn thing was trying to explain to me. After all the input, I now have a smattering of understanding, but won't try to explain it again as all have made it very clear.

    I will go back to systems which is currently set to "OptIn" and reset for all programs and services and accept that "OptOut" means I have DEP operating on all except excepted programs. Whew!

    Take care,

    Martin
     
    Last edited: 2005/05/04
  15. 2005/05/04
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23
    It's perfectly clear that if you choose to opt out you must elect to deselect and anything you accept will be excepted if you so select that selection . Selecting to except is not hard to deselect either since that would mean selecting to opt in and then you'd not need to except anything although you would have to accept what Windows selected and you'd not be able to deselect or except anything.

    Now, that should clarify it for you Martin. :D

    The bottom line is - leave it set at /NoExecute=OptIn since Windows does that by default when SP2 is loaded. Change it if you know you need to but be prepared for brain damage at the very least. :D

    Keep in mind that this system was produced by people that designated the Start Button as the path to shut down the computer.
     
  16. 2005/05/04
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Well, I guess I have egg on my face. :eek: My mistake. For some reason I had it in my head as I stated it but Arie's post woke me up. I knew there was a switch that turns it off. That's the way I have mine but never thought to look at my boot.ini. I had it in my head that it was the OptOut switch. Sorry for the confusion I caused. Now, I have to go hide in a corner somewhere. :) Not the first time and probably won't be the last. :rolleyes:
     
  17. 2005/05/04
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Hey Zander: No harm done. Besides, I always found that sitting in the corner was good for the soul, especially if I get to pick the corner and take a bottle of St Paulie Girl with me. :D

    Dude, did you really have to explain it again? Can we just leave it alone now? :rolleyes: I know now that opting in means I have opted out (or something like that) and vice versa. :eek: Hmm.... After reading your last post, maybe I'll have that bottle of beer anyhow. :p

    Take care,

    Martin
     