This is the Trace Id: 5be17ed04e76f567ec19418a17aabc15
Skip to main content Report Security Vulnerability Report Abuse Report Infringement Submission FAQs Reporting Vulnerability Security Update Guide Exploitability index Developer API documentation Frequently Asked Questions Technical Security Notifications Glossary Microsoft Bug Bounty Programs Microsoft Active Protections Program BlueHat Security Conference Researcher Recognition Program Windows Security Servicing Criteria Researcher Resource Center Mission Cyber Defense Operations Center Coordinated Vulnerability Disclosure Social Microsoft Security Response Center Security Research & Defense BlueHat Conference Blog Security Researcher Acknowledgments Online Services Researcher Acknowledgments AI Safety Acknowledgements Security Researcher Leaderboard

SEHOP per-process opt-in support in Windows 7

Security Research & Defense
/ By swiat /

In a previous blog post we discussed the technical details of Structured Exception Handler Overwrite Protection (SEHOP) which is an exploit mitigation feature that was first introduced in Windows Vista SP1 and Windows Server 2008 RTM. SEHOP prevents attackers from being able to use the Structured Exception Handler (SEH) overwrite exploitation technique when attempting to exploit certain types of software vulnerabilities. SEHOP is enabled by default system-wide on Windows Server 2008 and disabled by default on Windows Vista. These are also the defaults settings in Windows Server 2008 R2 (enabled) and Windows 7 (disabled).

Although some applications have had compatibility problems with SEHOP, the vast majority of applications work without issue. In order to make it possible for compatible applications to take advantage of SEHOP, we have added support in Windows 7 that allows SEHOP to be enabled or disabled on a per-process basis. This setting will override the system default policy when it is used. SEHOP can be enabled for a process by setting the new DisableExceptionChainValidation Image File Execution Option (IFEO) to 0 (or disabled by setting it to 1). For example, SEHOP can be enabled for Internet Explorer on Windows 7 by applying the following registry script*:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

“DisableExceptionChainValidation”=dword:00000000

Users running Windows Vista SP1+ or Windows 7 who would like to enable SEHOP for all applications (which we strongly recommend) can do so by installing the following FixIt:

clip_image002

Enable SEHOP for all applications

If enabling SEHOP for all applications leads to a problem with a specific application, the new IFEO in Windows 7 and Windows Server 2008 R2 can be used to disable SEHOP for just the affected process as described above. Alternatively, you can disable SEHOP for all applications by following the steps described in KB956607. If you cannot enable SEHOP for all applications we strongly recommend enabling SEHOP for all internet facing applications, such as your preferred browser and mail client.

Matt Miller, MSEC Science

* If you are running a 64-bit version of Windows, you will need to set the IFEO under the Wow6432Node portion of the registry which corresponds to the registry hive used by 32-bit applications (e.g. HKLM\Software\Wow6432Node\…)

*Postings are provided “AS IS” with no warranties, and confers no rights.*

Surface Pro Surface Laptop Surface Laptop Studio 2 Copilot for organizations Copilot for personal use AI in Windows Explore Microsoft products Windows 11 apps Account profile Download Center Microsoft Store support Returns Order tracking Certified Refurbished Microsoft Store Promise Flexible Payments Microsoft in education Devices for education Microsoft Teams for Education Microsoft 365 Education How to buy for your school Educator training and development Deals for students and parents AI for education
Microsoft AI Microsoft Security Dynamics 365 Microsoft 365 Microsoft Power Platform Microsoft Teams Microsoft 365 Copilot Small Business Azure Microsoft Developer Microsoft Learn Support for AI marketplace apps Microsoft Tech Community Microsoft Marketplace Marketplace Rewards Visual Studio Careers About Microsoft Company news Privacy at Microsoft Investors Diversity and inclusion Accessibility Sustainability
English (United States)
Your Privacy Choices Opt-Out Icon Your Privacy Choices
Consumer Health Privacy Sitemap Contact Microsoft Privacy Manage cookies Terms of use Trademarks Safety & eco Recycling About our ads