How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11

Kernel-mode Hardware-enforced Stack Protection is a security feature introduced in Windows 11 22H2 that protects the system from various memory attacks, such as stack buffer overflow.

Microsoft added this feature to Windows 11 22H2 as part of the Microsoft Defender update in April 2023.

When enabled, Kernel-mode Hardware-enforced Stack Protection enhances Windows security by using hardware to enforce stack protection, making it harder for attackers to exploit vulnerabilities.

What is Kernel-mode Hardware-enforced Stack Protection?

Kernel-mode Hardware-enforced Stack Protection is a security feature that primarily protects against stack buffer overflow attacks, in which attackers attempt to trigger arbitrary code execution by overflowing a buffer (temporary memory storage) on the stack (the data structure used to store program function calls and local variables).

During these attacks, attackers try to overwrite the return address or control data to redirect program execution to run malicious code of the attacker's choice.

Overwriting return addresses to redirect program execution, typically by chaining together pieces of code already present in memory, is the basis of Return-Oriented Programming (ROP) attacks.

The Windows Kernel-mode Hardware-enforced Stack Protection feature requires a special hardware-based temporary stack called Shadow Stacks to function.

Shadow Stacks are separate memory stacks that mirror the return addresses held on the regular stack, and the hardware prevents ordinary code running on Windows from modifying them.

These Shadow Stacks are utilized as follows:

  1. When a program function is called, the return address is stored in both the regular stack and the Shadow Stack.
  2. When that function returns, the hardware-supported stack protection feature checks if the return address from the main stack matches the one stored in the Shadow Stack.
  3. If the return address matches, the function proceeds as expected, and program execution continues normally.
  4. However, if the return address does not match, this may indicate an attack, such as a stack buffer overflow or ROP attack. If this occurs, Windows will halt the process to prevent the execution of malicious code.

By using Shadow Stacks, the hardware-enforced Stack Protection feature can stop these attacks at the point of the corrupted return, which protects the system even against exploits for unknown (zero-day) vulnerabilities.
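To make the four steps above concrete, here is an added C model of the check (example code, not from the article or from Microsoft). It simulates a CALL that pushes the return address onto both stacks and a RET that pops and compares the two copies; the stack layout, the addresses and the "overflow" are constructed for illustration and nothing here touches real hardware shadow stacks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_DEPTH 16

/* Return addresses as stored on the ordinary stack: reachable by normal
 * memory writes, so a stack buffer overflow can overwrite them. */
typedef struct {
    uintptr_t ret[STACK_DEPTH];
    size_t sp;
} MainStack;

/* Shadow stack: the hardware keeps a second copy of every return address
 * here, and ordinary stores cannot reach it. */
typedef struct {
    uintptr_t ret[STACK_DEPTH];
    size_t sp;
} ShadowStack;

typedef enum { RET_OK = 0, RET_MISMATCH = 1, RET_UNDERFLOW = 2 } RetStatus;

/* Step 1: a CALL pushes the return address onto both stacks. */
bool sim_call(MainStack *m, ShadowStack *s, uintptr_t ret_addr)
{
    if (m->sp >= STACK_DEPTH || s->sp >= STACK_DEPTH)
        return false;
    m->ret[m->sp++] = ret_addr;
    s->ret[s->sp++] = ret_addr;
    return true;
}

/* Steps 2-4: a RET pops both copies and compares them. On a match the
 * return proceeds to *target; on a mismatch real hardware raises a
 * control-protection fault and Windows halts execution. */
RetStatus sim_return(MainStack *m, ShadowStack *s, uintptr_t *target)
{
    if (m->sp == 0 || s->sp == 0)
        return RET_UNDERFLOW;
    uintptr_t main_copy = m->ret[--m->sp];
    uintptr_t shadow_copy = s->ret[--s->sp];
    if (main_copy != shadow_copy)
        return RET_MISMATCH;
    *target = main_copy;
    return RET_OK;
}

/* Model of a stack buffer overflow: a write past the end of a local buffer
 * clobbers the saved return address of the current frame on the main stack.
 * The shadow copy is untouched because it is not writable this way. */
void sim_overflow(MainStack *m, uintptr_t overwritten_value)
{
    if (m->sp > 0)
        m->ret[m->sp - 1] = overwritten_value;
}

/* Run two nested calls and return the status of the innermost RET.
 * The addresses are constructed placeholders, not real code locations. */
RetStatus run_scenario(bool overflow_happens)
{
    MainStack m = {{0}, 0};
    ShadowStack s = {{0}, 0};
    uintptr_t target = 0;

    sim_call(&m, &s, 0x401000u);        /* outer function's return address */
    sim_call(&m, &s, 0x402080u);        /* inner function's return address */
    if (overflow_happens)
        sim_overflow(&m, 0x41414141u);  /* constructed overflow filler value */

    return sim_return(&m, &s, &target);
}

/* A RET with nothing on either stack is also a fault, not a silent success. */
RetStatus run_empty_return(void)
{
    MainStack m = {{0}, 0};
    ShadowStack s = {{0}, 0};
    uintptr_t target = 0;
    return sim_return(&m, &s, &target);
}

int main(void)
{
    printf("clean return:     %s\n", run_scenario(false) == RET_OK ? "allowed" : "blocked");
    printf("corrupted return: %s\n", run_scenario(true) == RET_MISMATCH ? "blocked" : "allowed");
    return 0;
}
```

The point the model makes is that the check costs one comparison per return and needs no knowledge of the vulnerability: whatever overwrote the saved address on the main stack, the shadow copy still holds the original, so the corrupted return is detected before the redirected code ever runs.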

However, since Shadow Stacks require Intel Control-flow Enforcement Technology (CET), or the equivalent shadow-stack support in AMD processors, this feature is only available on newer CPUs.

Therefore, to use Kernel-mode Hardware-enforced Stack Protection in Windows, the device must have an Intel Tiger Lake or newer CPU, or an AMD Zen 3 or newer CPU, with CPU virtualization enabled in the BIOS.

How to Enable Kernel-mode Hardware-enforced Stack Protection

Although the Kernel-mode Hardware-enforced Stack Protection feature in Windows may be complex to understand, enabling this feature is quite straightforward.

If you are running Windows 11 22H2 with the latest updates, open Windows Security and navigate to Device Security > Core Isolation.

If you have the required hardware and CPU virtualization enabled, you will see a setting called 'Kernel-mode Hardware-enforced Stack Protection', as shown below.

Kernel-mode Hardware-enforced Stack Protection

To enable this feature, simply switch it to 'On', and Windows will check the loaded device drivers to see if any drivers conflict with the security feature.

If any conflicting drivers are detected, you will be prompted to review the list of drivers to be updated to a newer version before you can enable the feature.

After updating the drivers to the latest version, you can try enabling the feature again and see if there are any further conflicts.

If no conflicting drivers are found, Windows may prompt you to restart your computer to enable the feature.

Kernel-mode Hardware-enforced Stack Protection Can Cause Unexpected Behavior

Unfortunately, when this feature is enabled, you may find that certain programs no longer function because their drivers conflict with the Kernel-mode Hardware-enforced Stack Protection feature.

This typically occurs when the driver compatibility check does not flag a driver as conflicting, so Windows allows the feature to be enabled even though the driver is incompatible.

Although these conflicts can cause Windows to crash, more often the affected program simply fails to launch, and Windows reports that its driver is incompatible and prompts you to disable the security feature.

Users who have enabled this feature report that many conflicts are related to copyright protection and anti-cheat drivers used by games, including PUBG, Valorant (Riot Vanguard), Bloodhunt, Destiny 2, Genshin Impact, Phantasy Star Online 2 (GameGuard), and DayZ.

However, as more users begin to use this Windows security feature, we are likely to see enhanced versions of these anti-cheat and copyright protection programs to support stack protection.

Andre Yulianto