The Kernel Mode Hardware-enforced Stack Protection feature is a new security feature that was introduced in Windows 11 22H2 to protect systems from memory attacks such as stack buffer overflows.
Microsoft added this feature to Windows 11 22H2 in a Microsoft Defender update in April 2023.
When enabled, Hardware-enforced Kernel-mode Stack Protection enhances the security of Windows by using hardware-based stack protection to make it harder for attackers to exploit vulnerabilities.
What is Kernel Mode Hardware-enforced Stack Protection?
Windows Kernel Mode Hardware-enforced Stack Protection is a security measure that protects against stack overflow attacks. An attacker can trigger code execution by overflowing the temporary memory on the stack.
In these attacks, an attacker tries to change the return address and control data of a program to execute malicious code.
Return-Oriented Programming (ROP) is a technique that involves overwriting return addresses or control data in order to reroute a program’s flow of execution.
To function, Windows Kernel Mode Hardware-enforced Stack Protection requires hardware-based temporary stacks named Shadow Stacks.
Shadow Stacks are temporary memory stacks that mirror the standard Windows stack. Applications cannot modify the Shadow Stack.
Shadow Stacks work as follows:
- When a function is called, its return address is stored on both the normal stack and the Shadow Stack.
- When the function returns, Hardware-enforced Stack Protection checks whether the address stored in the Shadow Stack matches the return address on the primary stack.
- If the return address matches, the function returns exactly as expected and the program continues to run normally.
- If the return addresses are not identical, it could be an indication of an attack such as a ROP or Stack Buffer Overflow. Windows will stop the process in order to prevent malicious code from being executed.
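The call/return check in the list above can be modelled in software. The following is an added example, not code from the original article or from Windows: the struct, function names, addresses and input values are all constructed, and the real check is done by the CPU rather than by C code.

```c
#include <stdint.h>
#include <stdio.h>

#define DEPTH  8              /* maximum call depth in this model */
#define LOCALS 3              /* words of local buffer per frame */
#define FRAME  (LOCALS + 1)   /* locals plus one return-address slot */
enum ret_status { RET_OK, RET_MISMATCH, RET_UNDERFLOW };

struct cpu {
    uint64_t stack[DEPTH * FRAME]; /* normal stack: program code can write it */
    uint64_t shadow[DEPTH];        /* shadow stack: only call/ret below touch it */
    size_t sp, ssp;                /* words / entries currently in use */
};

/* CALL: store the return address on both stacks, hand back the frame's locals. */
uint64_t *model_call(struct cpu *c, uint64_t ret_addr) {
    if (c->ssp == DEPTH) return NULL;
    uint64_t *frame = &c->stack[c->sp];
    frame[LOCALS] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
    c->sp += FRAME;
    return frame;
}

/* RET: pop both copies and compare them before transferring control. */
enum ret_status model_ret(struct cpu *c, uint64_t *target) {
    if (c->ssp == 0) return RET_UNDERFLOW;
    c->sp -= FRAME;
    uint64_t on_stack = c->stack[c->sp + LOCALS];
    uint64_t on_shadow = c->shadow[--c->ssp];
    if (on_stack != on_shadow) return RET_MISMATCH; /* Windows stops here */
    *target = on_stack;
    return RET_OK;
}

/* Copy `words` words of constructed input into a LOCALS-word buffer, then return. */
enum ret_status run_scenario(size_t words) {
    struct cpu c = {0};
    const uint64_t input[FRAME] = {0x41, 0x41, 0x41, 0xBAD}; /* constructed sample */
    uint64_t target = 0;
    uint64_t *locals = model_call(&c, 0x1000);               /* constructed address */
    /* The copy is not checked against LOCALS, so a 4th word lands on the return slot. */
    for (size_t i = 0; i < words && i < FRAME; i++) locals[i] = input[i];
    return model_ret(&c, &target);
}

int main(void) {
    printf("in bounds: %d, overflow: %d\n",
           (int)run_scenario(LOCALS), (int)run_scenario(FRAME));
    return 0;
}
```

The in-bounds copy returns normally, while the copy that is one word too long changes only the normal stack's return slot, so the comparison in model_ret fails and the return is refused.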
Shadow Stacks and Hardware-enforced Stack Protection can be used to mitigate attacks. This will protect the system against vulnerabilities including zero-days.
Shadow Stacks require Intel Control-flow Enforcement Technology (CET), so they are only available with newer CPUs.
To use Kernel-mode Hardware-enforced Stack Protection, the device must be equipped with an Intel Tiger Lake or AMD Zen3 processor and have CPU virtualization enabled within the BIOS.
Enabling Kernel-mode Hardware-enforced Stack Protection
Although the Windows Kernel mode Hardware-enforced stack protection feature is complex to understand, it’s fairly simple to enable.
Open Windows Security and select Device Security >> Core isolation.
If you have the necessary hardware and CPU virtualization enabled, you’ll see a setting named ‘Hardware-enforced Kernel Mode Stack Protection’.
When you turn the setting on, Windows checks whether any loaded device drivers may conflict with this security feature. If it finds any, it asks you to review the list of drivers and update them to the latest versions before you enable the feature.
You can try to enable it again after updating the drivers. If no conflicting drivers are found, Windows will prompt you to restart your computer.
Could cause unexpected behavior
When this feature is enabled, you may notice that certain programs will no longer run because their drivers conflict with the Kernel-mode Hardware-enforced Stack Protection feature. It is common for Windows to be unaware that a driver conflicts with the feature and to allow the feature to be enabled anyway.
Windows may crash if the drivers are incompatible, but it’s more likely that Windows will not launch the program and will prompt you to disable the security feature.
Users who enabled this feature reported that most conflicts were with anti-cheat and copyright protection drivers in games such as PUBG (Riot Vanguard), Bloodhunt (Genshin Impact), Destiny 2, Genshin Impact (Game Guard), Phantasy Star Online 2 (Game Guard) and DayZ.
As more Windows users start to use this security feature, it is likely that we will see updated versions of these copyright protection and anti-cheat programs that support stack protection.