Question

Is there an assembly manifest (or perhaps a PE Image flag) to opt-out of (or opt-in to) NoExecute protection?


By default, Windows only protects its own binaries with NoExecute protection:


But i might want to opt my executable into NX protection.

i also might need to indicate to the user that my application is incompatible with NX protection. Rather than forcing the user to manually find, and add me, to a list, i can do it for them:


Note: i liken this to my ability to opt-in to running my application as a standard user:

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
  <security>
      <requestedPrivileges>
          <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
  </security>
</trustInfo>

Or the ability to opt-out of "running as standard user" protection:

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
  <security>
      <requestedPrivileges>
          <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
  </security>
</trustInfo>

Note: i don't think there is a way to opt-in, or out, of NX protection. So if the answer is No, that is fine. But i'm still asking because i might be wrong.


Solution

You can opt-in with IMAGE_DLLCHARACTERISTICS_NX_COMPAT (and/or SetProcessDEPPolicy)

If the system setting is not AlwaysOn (cannot be set in the GUI, IIRC), then you can opt out with SetProcessDEPPolicy

The parent process can force DEP with PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE on Vista+

Older ATL code and some 3rd party DRM/copy protection stuff have special handling and will not be trapped by DEP when the system is in opt-out mode (Not sure about AlwaysOn)

To use "SetProcessDEPPolicy" on XP.SP2/2003.SP1 call the undocumented NtSetInformationProcess function.
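
Added example, not part of the original answer: a small Python check that reads the DllCharacteristics field of a PE header and reports whether IMAGE_DLLCHARACTERISTICS_NX_COMPAT is set, which is useful for auditing which binaries have opted in. The function names and the make_sample helper are illustrative, and the sample images are constructed header-only byte strings.

```python
import struct
import sys

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100   # value from winnt.h
OPTIONAL_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
DLLCHAR_OFFSET = 70   # same offset in the PE32 and PE32+ optional header


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20          # PE signature + 20-byte COFF file header
    if len(image) < opt + DLLCHAR_OFFSET + 2:
        raise ValueError("truncated headers")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 4 + 16)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in OPTIONAL_MAGICS or opt_size < DLLCHAR_OFFSET + 2:
        raise ValueError("unsupported optional header")
    (flags,) = struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)
    return flags


def is_nx_compat(image: bytes) -> bool:
    """True when the image header opts in to DEP."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def make_sample(flags: int, magic: int = 0x20B) -> bytes:
    """Constructed header-only image for demonstration (not a loadable file)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0, 0, 0, 0, 0, 72, 0)       # only opt. size set
    optional = struct.pack("<H", magic) + bytes(68) + struct.pack("<H", flags)
    return dos + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        try:
            print(path, "NX_COMPAT" if is_nx_compat(head) else "no NX_COMPAT")
        except ValueError as err:
            print(path, "skipped:", err)
```

Run it with one or more file paths as arguments to check real binaries; the header flag only records the image's opt-in, so the effective behaviour still depends on the system DEP policy described above.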

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow