Windows 8 and Later Fail to Properly Apply ASLR, Here's How to Fix

Babel-17

Edit: I'm not sure what's up with the fix. I applied it through the .reg file and all was well for a day until I went to use Steam and play some games. Chaos ensued, Steam is acting like it was the first install and installing DirectX and all the rest. Call of Juarez: Gunslinger wouldn't launch, and DOOM launched but in FUBAR mode. Though I was able to discern what buttons to click on to set it right. I undid the registry change, rebooted, and now COJ: Gunslinger launched. A previous reinstall and reboot did nothing. The plot thickens as when I went into Windows Defender Settings Menu and I set both settings to enabled, and the problem returned after the reboot. Bottom up has a default of on. I went with that, rebooted, and now COJ: Gunslinger is working again. Bizarre, and I throw my hands up in surrender. I say avoid all of this, but keep it in mind.


I saw this posted at Slashdot, read the higher ranked comments, looked at the article, and thought I'd check. Son of a gun, I didn't have it set the way they advise. I didn't even know those settings were there.

https://it.slashdot.org/story/17/11/17/207239/windows-8-and-later-fail-to-properly-apply-aslr

https://www.bleepingcomputer.com/ne...fail-to-properly-apply-aslr-heres-how-to-fix/

Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless.

Address Space Layout Randomization (ASLR) is a computer security technique that randomizes the memory address where application code is executed.

ASLR made its debut in OpenBSD, in 2003, and since that time it's been added to all major operating systems, including Linux, Android, macOS, and Windows.

Microsoft added ASLR in Windows with the release of Vista, in 2006. In order to enable the feature, users had to install Microsoft EMET and use its GUI to enable ASLR in system-wide and/or application-specific states.

With the release of the Windows 10, ASLR was added to the Windows Defender Exploit Guard, and users can now enable it via the Windows Defender Security Center (under App & browser control and then Exploit protection settings).

[Screenshot: WindowsASLRSettings.png]

You have to click on that highlighted blue icon, and then click on Exploit protection settings in order to see the above options. Much ado about nothing, or what?

Edit: The fix might also involve editing the registry, so let’s put a pin in this. I can’t say to just go for it when it comes to regedit.
 
Interesting that the feature is there as a toggleable option, but it is disabled by default and quite cleverly hidden away too. Any specific downsides, like incompatibilities or such?

Seems counterproductive, in this day and age of app/OS exploits and all.

Turned it on, we'll see what happens (if anything :p) after I restart this thing, whenever I get around to... Thanks for making this post!
 
What's really weird is that apparently turning it on isn't enough. You need to edit the registry to make it system wide and bottom-up.

https://www.kb.cert.org/vuls/id/817544

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:

Enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR

To enable both bottom-up ASLR and mandatory ASLR on a system-wide basis on a Windows 8 or newer system, the following registry value should be imported:


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
    "MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

Note that importing this registry value will overwrite any existing system-wide mitigations specified by this registry value. The bottom-up ASLR setting specifically is the second 01 in the binary string, while the mandatory ASLR setting is the first 01. Also note that in the past, enabling system-wide mandatory ASLR could cause problems if older AMD/ATI video card drivers are in use. This issue was addressed in the Catalyst 12.6 drivers released in June, 2012.
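
Because importing the .reg file above overwrites whatever is already in MitigationOptions, here is an added example (not part of the post or of the CERT/CC note) that merges the two ASLR settings into an existing exported value instead of replacing it. The byte positions come from the note; treating each setting as the low two bits of its byte is an assumption, and the sample export is constructed.

```python
import re

# Offsets taken from the CERT/CC note quoted above: byte 1 (the first 01) is
# mandatory ASLR, byte 2 (the second 01) is bottom-up ASLR.
MANDATORY_ASLR_BYTE = 1
BOTTOM_UP_ASLR_BYTE = 2
FIELD_MASK = 0x03  # assumption: each setting is the low two bits of its byte
ALWAYS_ON = 0x01
VALUE_LEN = 16     # length of the value in the .reg file above


def parse_reg_hex(text):
    """Parse a regedit REG_BINARY export ('hex:..', continuations allowed)."""
    body = text.split("=", 1)[-1].strip()
    if not body.lower().startswith("hex:"):
        raise ValueError("not a REG_BINARY export: %r" % text)
    body = re.sub(r"[\\\s]", "", body[4:])
    if not body:
        return b""
    if not re.fullmatch(r"[0-9a-fA-F]{2}(,[0-9a-fA-F]{2})*", body):
        raise ValueError("malformed hex list: %r" % body)
    return bytes(int(b, 16) for b in body.split(","))


def merge_aslr(existing):
    """Turn both ASLR settings on; every other mitigation bit is preserved."""
    buf = bytearray(existing.ljust(VALUE_LEN, b"\x00"))
    for idx in (MANDATORY_ASLR_BYTE, BOTTOM_UP_ASLR_BYTE):
        buf[idx] = (buf[idx] & ~FIELD_MASK & 0xFF) | ALWAYS_ON
    return bytes(buf)


def to_reg_line(value):
    """Format bytes the way the .reg file above writes MitigationOptions."""
    return '"MitigationOptions"=hex:' + ",".join("%02x" % b for b in value)


if __name__ == "__main__":
    # Constructed sample export with unrelated mitigation bits already set.
    current = '"MitigationOptions"=hex:11,02,10,00,00,00,00,00'
    print(to_reg_line(merge_aslr(parse_reg_hex(current))))
```

Starting from an empty value, the merge reproduces the exact line in the .reg file above; starting from an existing value, only the two ASLR fields change.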
 
I just edited the OP. I put it up top.
 
Well, in my Win10 version (should be autumn creator's patch), I have separate combo boxes for both mandatory rando and bottom-up. Either these do not work at all and just pretend to do what they say they do (?), or editing the registry is actually not necessary? :D

They're well hidden though. I'd love to hear MS's rationalization for making the more secure options so hard to find AND defaulting off. Hopefully, just hopefully, the genuine, never-to-be-uttered-publicly explanation does not involve making the NSA's work easier when penetrating people's PCs with malware... :p
 
I must be doing something wrong as I don't have that section at all in my Win10 Pro system. I don't know if it's Falls Creator or not.
 
I don't have that section at all in my Win10 Pro system.
Open New Control Panel (the shitty, confusing, bad one), and go to Updates and Security section (guessing button labels; running Swedish Windows here....). Next click Windows Defender in the left frame, then "Open Windows Defender Security Center" button in right frame. Click App and Web Browser button; 2nd rightmost one. (No idea why this option is sorted in under this heading...) Scroll to the bottom of this new page; click the blue text link which says "Settings for vulnerability protection" or somesuch.

Here you should find these options.

Really loving Microsoft for how easily found and accessible these toggles are... ;)
 
I'm trying... :LOL:

This is so easy... :runaway:

[Screenshot: upload_2017-11-19_12-30-0.png]

[Screenshot: upload_2017-11-19_12-30-11.png]

[Screenshot: upload_2017-11-19_12-33-6.png]
 
I'm not sure if it's because I have NOD32 AV installed or not. *shrug*
 
@BRiT

You can't scroll further down past "Smartscreen for windows store apps" on the "Apps & browser control" page? That's where you should find the link to memory randomization settings. If you have nothing there then something seems borked...

Windows Defender shouldn't be involved with these settings, as they're involved with core functionality of the Windows OS itself, but trust MS to fuck with people because why not (and for using 3rd party antivirus just because it isn't MS's offering.)
 
Could someone explain what this is and why I'd want it before I jump through all these hoops, in little words please that a very stupid person could understand. ;)
 
@Grall there's nothing more on those screens. I even maximized it full-screen to 1920x1200. It's definitely borked on my side. I might need to do a fresh install at some point.
 
I have Nod32 AV installed. I wouldn't think having an AV installed means ASLR wouldn't be usable, unless that disables Defender advanced settings. I want both.
 
Apparently installing 3rd party AV disables ransomware protection which was added in the latest Win10 major patch, so maybe pretty much everything under the Win Defender banner gets disabled if you have 3rd party AV...
 
I figured it out. It showed up after I updated to Windows Fall Update, build 1709 or later. I don't know why build 1703 wouldn't have had it.
 
My server is still on 1703 and that has the options from the screenshots earlier in this thread. I'm only using Defender.
 
Well shit. There goes my previous theory. Maybe my setup was just hosed and an upgrade to Windows Fall Creators Update fixed it. I still have NOD32 installed and I now have the options available. :???:
 