Thursday, December 11, 2008

Turning off Data Execution Prevention (DEP) for IE7 on Vista x64

Time flies so fast that you dont even realize you have not written a new blog entry in a very long time...  

In January of 2007, I posted a comment to a security blog relating to the difficulty in turning off DEP in the 32-bit version of Internet Explorer 7 on a Vista x64 OS.  As to why you would want to do this, I will offer no opinion and would not recommend it in general for long term use.  However, lets say that your 32 bit IE (on Vista x64) opens and immediately crashes for some reason.  This means you need to tweak settings (like removing an add-in) for the 32-bit IE, yet the control panel only offers the 64-bit IE settings. Normally, you can get to the 32-bit settings from inside a 32-bit browser instance but due to the immediate crash this is not possible.

A very astute individual came across my comment and since comments were closed on the initial post, sent me a how-to guide for accessing the 32-bit IE settings in Vista x64.  I offered to re-post the details here with attribution.  Kudos to Razvan Socol, a SQL Server MVP, for providing this solution after encountering the same problem (after "blindingly following the advice in the Security Advisory 961051"), which makes this post fairly timely in case someone else falls into this trap:
To access the options for the 32-bit Internet Explorer, I started an elevated command prompt and executed C:\WINDOWS\SYSWOW64\EXPLORER.EXE /SEPARATE to execute Windows Explorer in 32-bit mode. In this window, I navigated to the Internet Explorer icon on the desktop and by right-clicking it, I accessed the Internet Options for the Internet Explorer 32-bit, where I could finally uncheck that box.
I'd like to post a comment on Michael's blog to share this info with the world, but the comments are closed for that post. Anyway, I thought at least I should let you know on how to solve that problem, although I'm sure you have solved it in another way by now... [ed: I actually did not find an easy way to do it previously outside of several registry tweaks]