How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11

Microsoft Defender logo on a colorful background

Kernel-mode hardware stack protection is a security feature introduced in Windows 11 22H2 that protects systems from various memory attacks such as stack buffer overflows.

Microsoft added this feature to Windows 11 22H2 as part of the Microsoft Defender April 2023 update.

When kernel-mode hardware stack protection is enabled, it will increase the security of Windows by using hardware to enforce stack protection, making it harder for attackers to exploit vulnerabilities.

What is hardware stack protection in kernel mode?

Windows Kernel-Mode Hardware Stack Protection is a security feature that primarily protects against stack buffer overflow attacks, where an attacker attempts to initiate arbitrary code execution by overflowing a buffer (temporary memory storage) on the stack (a data structure used to store program function calls and local variables).

During these attacks, the attacker attempts to overwrite the return address or control data in order to redirect program execution to run malicious code of the attacker’s choice.

The method of rewriting the return address or control data to redirect the flow of program execution is known as a return-oriented programming (ROP) attack.

The hardware stack protection feature in Windows kernel mode requires a special hardware temporary stack called Shadow Stacks.

The shadow stack is a temporary memory stack that reflects the standard stack used by the operating system, and the stack cannot be modified by applications running on Windows.

These shadow stacks are used as follows:

  1. When a program function is called, the return address is stored on both the normal stack and the shadow stack.
  2. When the function returns, the stack’s hardware guard checks to see if the return address from the main stack matches the address stored on the shadow stack.
  3. If the return addresses match, the function returns as expected and program execution continues as normal.
  4. However, if the return addresses do not match, this may indicate an attack such as a stack buffer overflow or a ROP attack. When this happens, Windows will terminate the process to prevent malicious code from executing.

Using shadow stacks, the hardware stack protection feature can mitigate attacks, thereby protecting the system from vulnerabilities, including zero days.

However, since shadow stacks require Intel Control-Flow Enforcement Technology (CET), this feature is only available on newer processors.

Therefore, to use hardware stack protection in Windows kernel mode, the device must have an Intel Tiger Lake or AMD Zen3 processor or later with processor virtualization enabled in the BIOS.

How to enable hardware stack protection in kernel mode

While the hardware stack protection feature in Windows kernel mode can be tricky to understand, enabling the feature is quite simple.

If you are running Windows 11 22H2 with the latest updates, open Windows Security and navigate to Device Security > Core isolation.

If you have the required hardware and have CPU virtualization enabled, you will see an option called “Hardware stack protection in kernel mode,’ as shown below.

Hardware stack protection in kernel mode
Source: BleepingComputer

To enable this feature, simply toggle it to the On position and Windows will check loaded device drivers to determine if they conflict with the security feature.

If any conflicting drivers are found, you will be prompted to review the list of drivers to upgrade to newer versions before you can enable this feature.

Once you update your drivers to the latest versions, you can try to enable the feature again and see if there are any further conflicts.

If no conflicting drivers are found, Windows may prompt you to restart your computer to enable this feature.

May cause unexpected behavior

Unfortunately, when this feature is enabled, you may find that certain programs no longer work because their drivers conflict with the kernel mode hardware stack protection feature.

This usually happens when Windows is unaware of a driver conflicting with a feature and still allows it to be enabled.

Although these conflicts can cause Windows to crash, more often than not, the program will no longer run and Windows will report that the driver is incompatible and offer to turn off the security feature.

Incompatible driver message
Incompatible driver message
Source: Reddit

Users who have enabled this feature have reported that many conflicts are related to copyright protection and anti-cheat drivers used in games including PUBG, Valorant (Riot Vanguard), Bloodhunt, Destiny 2, Genshin Impact, Phantasy Star Online 2 (Game Guard) . and Dyze.

However, as more users start using this Windows security feature, we are likely to see updated versions of these anti-fraud and copyright protection programs to support stack protection.

Leave a Comment