How to Enable and Disable Kernel-mode Hardware-enforced Stack Protection

Enable & Disable Kernel-mode blog banner image

As technology evolves, with hackers perpetually sharpening their tools to breach our digital walls, understanding your computer’s built-in defenses is crucial. Kernel-mode hardware-enforced stack protection is one such mechanism. This article will look into the intricacies of this feature, as well as how to enable and disable kernel-mode hardware-enforced stack protection.

There are many ways to harden your endpoints.

Download this endpoint defense guide on everything you need to know about endpoint security.

What is kernel-mode hardware-enforced stack protection?

At the heart of your operating system lies the kernel, which you can consider to be the “brainstem” of your computer. The kernel oversees communication between your computer’s software and hardware. Now imagine adding a layer of thick armor around that brainstem—that’s where kernel-mode hardware-enforced stack protection comes in.

Kernel-mode hardware-enforced stack protection ensures that your software processes play by the rules and don’t accidentally (or maliciously) trample each other’s workspace in memory. 

Here’s what you need to know about this feature:

  • Main function is to secure software and protect against cyberattacks

Kernel-mode hardware-enforced stack protection is a security feature that prevents specific types of cyberattacks. It ensures that the control flow of software programs stays true to what it should be.

  • Guards against ROP, JOP, & other complex attacks

It guards against exploits like return-oriented programming (ROP) and jump-oriented programming (JOP), complex attack methodologies employed by adversaries to hijack a program’s execution flow.

  • Uses hardware assistants for support

Kernel-mode hardware-enforced stack protection makes use of hardware assistants, directly leveraging support from compatible CPUs to monitor and validate safe operation sequences for your software processes.

  • Requires compatible OS and CPU hardware to function

For maximum effectiveness, kernel-mode hardware-enforced stack protection requires not just supportive CPU hardware but also a compatible operating system.

Why is kernel-mode hardware-enforced stack protection important?

Now that you know what is kernel-mode hardware-enforced stack protection, you might be wondering, should I turn it on? The simple answer is likely yes, for several compelling reasons:

  1. Enhanced security against exploits: Kernel mode operates at the core level of your operating system, with full control over your system’s operations. By enabling this protection, you add a security layer that guards against common exploit techniques attackers use to inject malicious code through software vulnerabilities.
  2. Preventing unauthorized code execution: When malicious actors aim to hijack your software’s control flow, kernel-mode hardware-enforced stack protection effectively blocks their attempts to run unauthorized code. It works at the fundamental CPU level, deeper than anti-malware tools alone can penetrate.
  3. Maintaining system integrity: Protecting your computer’s operations is paramount. Enabling kernel-mode hardware-enforced stack protection ensures that every interaction with the kernel will maintain your system’s integrity.

How to Enable Kernel-mode Hardware-enforced Stack Protection

The first step to enable kernel-mode hardware-enforced stack protection in Windows is to make sure your system meets these requirements:

  • A 64-bit processor with Control-flow Enforcement Technology (Intel CET).
  • Windows 10 version 20H1, or Windows 11 version 22H2.

Once you’ve confirmed your system’s compatibility, make sure you have administrator privileges. Then, follow these steps to enable kernel-mode hardware-enforced stack protection:

  1. Search for “Turn Windows features on or off” in the Start Menu and click on it.
  2. Scroll down to find “Kernel Mode Hardware Enforced Stack Protection” and ensure its checkbox is selected.
  3. Click “OK.”
  4. After making the changes, restart your system to apply them.

Kernel-mode hardware-enforced stack protection will now operate silently in the background, providing an extra layer of security without hindering performance. If you can’t enable kernel-mode hardware-enforced stack protection Windows (perhaps due to outdated drivers or unsupported hardware configurations), jump to the later section on various troubleshooting methods.

Need help with troubleshooting?

Read this guide on “How to Repair Apps and Programs in Windows 10/11“.

How to disable kernel-mode hardware-enforced stack protection

You might need to temporarily or permanently disable kernel-mode hardware-enforced stack protection, especially if you’re encountering compatibility issues with certain applications or drivers. Be aware that by doing so, your computer will no longer perform integrity checks on the call stack, reducing the security of your system. That said, it can be justified in certain debugging scenarios or when using incompatible software.

Below are the steps needed to switch off kernel-mode hardware-enforced stack protection:

1) Open the Start Menu and type “Command Prompt.”

2) Right-click on it and select Run as administrator.

3) In the Command Prompt window, input the following command:

   bcdedit /set nx AlwaysOff

4) Press Enter and wait for the confirmation message stating that the operation was successful.

5) Restart your computer for the changes to take full effect.

After you perform this operation, Kernel Data Protection (KDP) technology will no longer safeguard critical parts of your system memory from being tampered with by malicious code.

To revert back to enabling kernel-mode hardware-enforced stack protection—which is strongly recommended once any testing or troubleshooting is complete—follow these same steps, but replace the AlwaysOff flag with AlwaysOn.

What to do if you can’t turn on kernel-mode hardware-enforced stack protection

If the steps above to enable kernel-mode hardware-enforced stack protection aren’t working for you, see the ideas below for some troubleshooting tips and tricks.

Use the Windows Registry

At times, flipping on kernel-mode hardware-enforced stack protection may require diving into the Windows Registry—the central hierarchy for Windows configurations. If direct activation options fail:

  1. Press the Windows key + R, type regedit, and hit Enter.
  2. Navigate to: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerKernel
  3. Here, look for a DWORD called DisableStackProtection.
  4. If it exists and is set to “1”, change its value to “0.”

Caution is key when tinkering with the Registry; you may want to create a backup before making any changes.

Turn on CPU virtualization in BIOS

Sometimes enabling kernel-mode hardware-enforced stack protection demands certain CPU virtualization capabilities to be active:

  • Restart your computer and enter BIOS setup (usually with the F2 or DEL key).
  • Find and navigate to the “CPU Configuration” setting or similar.
  • Search for settings named “VT-x,” “AMD-V,” or “SVM mode,” and ensure they are turned on.

Uninstall problem apps and extensions

Incompatible software might hinder kernel-mode hardware-enforced stack protection features from turning on. Check your installed applications list via the Control Panel or Settings, and identify any recent software installations that may coincide with the issue. Then uninstall these applications one by one, and attempt to enable kernel-mode hardware-enforced stack protection after each uninstallation.

Enable DEP

Data Execution Prevention (DEP), although a different security feature, plays a nice complement to kernel-mode hardware-enforced stack protection by preventing code execution from non-executable memory regions. To enable DEP:

  • Right-click “This PC,” select “Properties,” and then go to “Advanced system settings.”
  • Under “Performance,” click “Settings” and navigate to the “Data Execution Prevention” tab.
  • Choose “Turn on DEP for essential Windows programs and services only” or “Turn on DEP for all programs…”, depending on your needs.

After enabling DEP, try turning on kernel-mode hardware-enforced stack protection again.

Inspect and update drivers

Outdated or corrupt drivers may cause enabling kernel-mode hardware-enforced stack protection to fail. Here’s how you deal with them:

  • Open Device Manager (go to This PC >  Manage -> Device Manager).
  • Look through the devices, especially under the categories “Processor” and “System Devices.”
  • Right-click a device you suspect of causing issues, and select “Update driver.” You may also want to visit the device manufacturer’s website directly and download the driver.

Safeguarding your devices

Enabling kernel-mode hardware-enforced stack protection is a critical step for safeguarding your computer’s data and applications—but it’s just one action you can take to improve IT security.  If you need to oversee security on multiple devices across your organization, consider using a powerful, flexible, and robust endpoint management tool like NinjaOne. 

The NinjaOne endpoint management software helps IT departments control and monitor the devices being used within an organization. NinjaOne can do everything from software deployment and patch management to monitoring and alerting, helping you stay on top of all your devices.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and backup all their devices centrally, remotely, and at scale.

You might also like

Ready to simplify the hardest parts of IT?
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).