XP SP2’s Data Execution Prevention and Performance Hits

Did you notice a severe performance decrease after having installed Windows XP SP2? You’re not alone. Unfortunately, I lack the time for an in-depth performance comparison of XP with and without SP2. So I just ran the demo benchmark of 3DMark2001, once with SP2’s new Data Execution Prevention (DEP) enabled, once disabled (I rebooted my box before running each test).

3DMark2001 results on my box (higher values are better; the absolute values don’t matter here unless you’re interested in the absolute 3DMark2001 performance of a Toshiba Portégé M200 with 768 MB of RAM):

XP SP2 with DEP disabled (AlwaysOff): 4601
XP SP2 with DEP enabled (OptIn, i.e. the default setting for SP2): 3299

Oh my! I did expect a performance decrease, but not such a big one! And it’s even a 3D benchmark (“normal” application benchmarks might even show worse results for DEP)! So, according to these measurements (don’t quote these measured results please; they’re statistically not significant as I haven’t measured a series of test-runs, only one run per test), enabling DEP (enabled by default after installing XP SP2) results in almost 30% lower 3DMark2001 performance! It’s your choice whether the improved security of your box is worth this huge performance hit. For a server it might be (it’s still alarming though), but for my M200 TabletPC, it definitely isn’t. If you’d like to disable it too, here’s how to do it:

1. disable write-protection of c:\boot.ini (see the properties dialog)
2. in c:\boot.ini, replace “/NoExecute=OptIn” by “/NoExecute=AlwaysOff” using a text editor (e.g. notepad)

Further details about how to enable/disable DEP on a per-application basis are explained on this page at microsoft.com.

PS. Note that a similar execution protection for Linux, Ingo Molnar’s exec-shield, affords a performance decrease of a few percent only. I really wonder how MS managed to burn that many clock cycles..
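
An added example (not part of the original post) for checking which DEP policy each boot entry in boot.ini actually selects, including the case where the switch is missing and Windows behaves as if OptIn were set. The sample boot.ini contents and the function names are constructed for illustration.

```python
import re

# Policy levels of the /noexecute boot switch. AlwaysOn is not mentioned
# in the post; it is the fourth documented level.
POLICIES = {p.lower(): p for p in ("OptIn", "OptOut", "AlwaysOn", "AlwaysOff")}
SWITCH = re.compile(r"/noexecute=(\w+)", re.IGNORECASE)
# Boot entry format: <ARC path>="<description>" <switches>
ENTRY = re.compile(r'^[^=]+="([^"]*)"(.*)$')

# Constructed sample, not taken from a real machine.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP (default)" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP (benchmark)" /fastdetect /NoExecute=AlwaysOff
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP (no switch)" /fastdetect
"""

def dep_policies(boot_ini_text):
    """Return (description, policy, explicit) for each boot entry."""
    results, in_os_section = [], False
    for line in map(str.strip, boot_ini_text.splitlines()):
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        entry = ENTRY.match(line) if in_os_section else None
        if not entry:
            continue
        description, switches = entry.groups()
        switch = SWITCH.search(switches)
        if switch is None:
            # No switch: Windows behaves as if /noexecute=OptIn were set.
            results.append((description, "OptIn", False))
        else:
            policy = POLICIES.get(switch.group(1).lower(), "Unknown")
            results.append((description, policy, True))
    return results

def disabled_entries(boot_ini_text):
    """Descriptions of boot entries that turn DEP off completely."""
    return [d for d, policy, _ in dep_policies(boot_ini_text)
            if policy == "AlwaysOff"]

if __name__ == "__main__":
    for description, policy, explicit in dep_policies(SAMPLE_BOOT_INI):
        print(f"{description}: {policy} ({'explicit' if explicit else 'default'})")
```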


24 Replies to “XP SP2’s Data Execution Prevention and Performance Hits”

  1. Matt, it’s the default setting indeed. Citing http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx

    During installation of Windows XP SP2, the OptIn policy level is enabled by default unless a different policy level is specified in an unattended installation. If the /noexecute=policy_level setting is not present in the boot entry for a version of Windows which supports DEP, the behavior is the same as if the /noexecute=OptIn option was included.

  2. Are you using software-only DEP or hardware + software DEP when you lost 30% performance?

    What 3D graphics card are you using?

  3. Brian,

    I don’t know whether an Intel Pentium M CPU (Centrino) is ready for HW DEP. I suppose it isn’t. Regarding my 3D graphics card: It’s a Nvidia Geforce FX Go 5200 / 32 MB.

  4. Well I ran 3dMark03 on my desktop. Specs are as follows
    AMD Athlon 3200+
    Abit NF7-S
    1GB PC3200 RAM
    eVGA 6800 GT 420Mhz/1000Mhz

    XP SP2 with DEP disabled (/noexecute=AlwaysOff) = 11160
    XP SP2 with DEP default (noexecute=OptIn) = 11149

    Something else was amiss in your testing because here there is no performance degradation to the extent you describe.

  5. Dani, my processor is an AMD Athlon XP 3200+. It does not have hardware support for DEP/NX bit. Same as your Pentium M chip. As such it should be executing the same protection code as your Pentium M. One thing that does differentiate our machines is the fact that your processor has automatic speed throttling, which may be the culprit here. 30% drop is rather severe for Microsoft to impose, considering that DEP is turned on by default in Windows Server 2003, which is an enterprise level OS. Those customers would scream bloody murder at that kind of performance degradation.

    By the way, in a nutshell, software DEP is a check that ntdll does when it dispatches an exception to a handler, to see if the handler’s memory page is marked as executable. If it is not marked correctly, it will crash. This is to mitigate stack smashing and inserting your own exception handler, which is remarkably easy to do. One has to be especially creative to lose 30% perf on a check that executes only when an exception is being handled, unless the host code is extremely poorly written.

  6. Thanks for the details, Max!

    That’s astonishing and I honestly can’t explain the differences. I agree that an almost 30% impact is a huge performance loss indeed (about ten times what I expected).

    Speed throttling can’t be the reason as power management was disabled and the TabletPC plugged in for running the benchmarks – with equal conditions for both test runs. Remember however, that my measurements aren’t statistically significant as I only made one test run each (there aren’t any confidence intervals etc.).

  7. Just been searching my c drive for this file boot.ini and it doesn’t seem to exist. Although I managed to edit a file via DOS, for boot.ini I didn’t see any mention of “/NoExecute=OptIn”

    nor can I find anything which relates to this in control panel… any info on where I can locate this DEP? I have noticed significant decrease in file and program execution and other problems since installing SP2 and I’d like to find the cause, be it DEP or not.

  8. Martin,

    c:\boot.ini is both hidden and write-protected by default. To see it in your explorer, you first need to choose “extras -> folder options”, then select the second tab (named “display” or “view” or similar), then select the radio button “hidden files and folders -> (x) display all files and folders”.

    If you open c:\ in explorer, you should now see boot.ini. Select it. In the properties dialog of boot.ini, deselect “write-protected”. Then edit boot.ini using your favorite text editor (notepad.exe for example). There you’ll see “/NoExecute=OptIn”.

  9. Well, I’ve tried following your instructions, but the only thing I can do to show all folders is

    Open My computer, click on tool>options>folder options>view select show all hidden files and folders and ok it, when I do this no boot.ini file shows on c:\

    If I open edit.exe the only shown file it can find called boot.ini is in windows/system32 folder. And it does not show anything remotely to do with DEP..

    Is there no command or option which allows me access? Something like the screenshot in the third post?

    If I run search it doesn’t find any files, not even the boot.ini… regardless of my using *.ini or boot.ini or anything…

  10. Martin,

    do you see any other hidden files (those icons are a bit lighter than the others) in c:\ after following the procedure? If so, but you still don’t see any boot.ini, then your SP2 installation might be broken. The same applies if you don’t see any hidden files in c:\ unless you didn’t apply the changed folder view settings to c:\.

    Regarding a tool: Perhaps, the Windows Application Compatibility Toolkit (http://www.microsoft.com/windows/appcompatibility/default.mspx) lets you customize the DEP settings (I haven’t tried it myself though). Unfortunately, I don’t know the name of the tool shown on http://img68.exs.cx/img68/4286/dep.jpg

  11. Right click my computer
    Startup and Recovery> Settings
    “To edit the startup options file manually, click Edit” > hit Edit button

    edit line and save :)

    I couldn’t get comp to find it either btw until I did this.

  12. Aha, thanks Craig, got it now, btw my command line said “/NoExecute=OptOut” which I’ve now changed to “/NoExecute=AlwaysOff” to try it out.

    Can you explain why it was OptOut instead of OptIn as in your example?

    Going to reboot to see if there’s any performance increase. If I don’t post back… it’s better ;)

  13. SP2 seems to make The Sims 2 unplayable in terms of performance, even with my X800 card and 3 GHz CPU. I tried this trick and it solved the problem. Thanks!

  14. You’re welcome!

    BTW I just found out that there’s even an “official” way to change DEP settings (though it does NOT allow you to COMPLETELY switch off DEP. Therefore, you still need to edit c:\boot.ini.)

    Right click my computer
    System performance[1]> Settings
    Click on the “Data execution prevention”[2] tab

    [1] or similar. I have the German edition of Windows XP SP2, where this button is called “Systemleistung”
    [2] likewise, it’s called “Datenausführungsverhinderung” on my box

  15. Hi,

    Can we include executables and cover them with DEP in the OptIn mode? OptOut provides us a list to exclude executables, right?

  16. Saravan: Basically, yes.

    OptIn (default configuration): On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited system binaries and applications that “opt-in,”
    With this option, only Windows system binaries are covered by DEP by default.

    OptOut: DEP is enabled by default for all processes. Users can manually create a list of specific applications which do not have DEP applied using ‘System’ in Control Panel. IT Pros and Independent Software Vendors (ISVs) can use the Application Compatibility Toolkit to opt-out one or more applications from DEP protection. System Compatibility Fixes (“shims”) for DEP do take effect.

    (source: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx )

  17. Hi,

    The OPTIN doesn’t seem to provide an option to add applications/executables. How else can we OPTIN applications? I wish to OPTIN applications. Where can I do that?


  18. Does anyone know if there is a way to set “best performance” in the unattended install file? So far I haven’t seen anyone mention it.

  19. Is there a performance hit when going from the default option of DEP (critical services and programs) to DEP for ALL programs?
