This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: W10 Mandatory ASLR default

I'd say add a check and post a warning would the best solution.

A setup script shouldn't modify a users security setup, and even if the script were to reset the settings they wouldn't be active until after a reboot.

On 2/15/2018 10:41 PM, Brian Inglis wrote:
On 2018-02-14 00:36, Andreas Schiffler wrote:
On 2/13/2018 11:17 PM, Thomas Wolff wrote:
Am 14.02.2018 um 04:25 schrieb Brian Inglis:
On 2018-02-12 21:58, Andreas Schiffler wrote:
Found the workaround (read: not really a solution as it leaves the system
vulnerable, but it unblocks cygwin)
- Go to Windows Defender Security Center - Exploit protection settings
- Disable System Settings - Force randomization for images (Mandatory ASLR) and
Randomize memory allocations (Bottom-up ASLR) from "On by default" to "Off by

Now setup.exe works and can rebase everything; after that Cygwin Terminal
starts as a working shell without problems.
@cygwin dev's - It seems one of the windows updates (system is on 1709 build
16299.214) might have changed my ASLR settings to "system wide mandatory" (i.e.
for info) so that the cygwin DLLs don't work correctly anymore (i.e. see old
thread about this topic here
It would be good to devize a test for the setup.exe that
checks the registry (likely
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel])
for this state and alerts the user.
I'm on W10 Home 1709/16299.192 (slightly older).
Under Windows Defender Security Center/App & browser control/Exploit
protection/Exploit protection settings/System settings/Force randomization for
images (Mandatory ASLR) - "Force relocation of images not compiled with
/DYNAMICBASE" is "Off by default", whereas Randomize memory allocations
(Bottom-up ASLR) - "Randomize locations for virtual memory allocations." and all
other settings are "On by default".
Under Windows Defender Security Center/App & browser control/Exploit
protection/Exploit protection settings/Program settings various .exes have 0-2
system overrides of settings.
It would be nice if one of the project volunteers with Windows threat mitigation
knowledge could look at these, to see if there is a better approach.
I guess Andreas' suggestion is confirmed by
Here is the registry state:
Mandatory ASLR off
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
Mandatory ASLR on
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
Could setup be updated to reset Mandatory ASLR if the reg keys exist, or an
/etc/postinstall/[0z] script do a check and reset?

Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]