We list mitigations added in all Windows versions (from Windows XP up to the latest Windows 10).

Version (and date) | Mitigation | References |
---|---|---|
>= Windows XP SP2 and >= Windows Server 2003 SP1 | DEP in userland and kernel land | 1 2 167 |
>= Windows XP SP2 and >= Windows Server 2003 SP1 | Non-executable SharedUserData | 3 |
>= Windows Vista | Integrity Levels (IL) | 4 |
>= Windows Vista | ASLR | 5 5-2 167 |
>= Windows Vista | User-Mode Driver Framework (now in WDF), which allows writing user-space-only drivers | 208 209 210 211 |
>= Windows XP SP2 with physical memory 508MB+ or >= Windows Vista | Delayed free list | 158 153 154 155 156 |
Any 64-bit Windows | PagedPool is ReadWrite only (NX enabled) | 185 186 |
>= Windows Vista | SMB default configuration does not allow anonymous login to named pipes | 6 |
Visual Studio 2003 >= XXX | SafeSEH | 7 190 |
Visual Studio 2003 >= XXX | GS stack cookie protection | 194 195 |
>= Windows Server 2008 (enabled by default) and >= Windows Vista SP1 (disabled by default). Disabled by default on workstation < Windows 10 v1709 and enabled by default on server versions. | Structured Exception Handling Overwrite Protector (SEHOP) | 191 7 8 192 193 |
>= Internet Explorer 7 and >= Windows Vista | Protected Mode (PM) - Low IL | 9 |
Windows Vista? 7? | Kernel ASLR (KASLR) | 10 11 160 |
>= Internet Explorer 10 and >= Windows 8 | Enhanced Protected Mode (EPM) - AppContainer | 12 13 14 |
>= Internet Explorer 10 and >= Windows 8 | ForceASLR | 15 |
>= Windows 8, 64-bit processes | High Entropy ASLR (HEASLR) | 16 17 |
>= Internet Explorer 10 and >= Windows 8 | VTGuard | 18 19 |
Windows 7 | Safe Unlinking in the kernel pool allocator | 20 |
Windows 8 or 8.1? | No-Execute (NX) Page Table Entries (PTE) | 159 |
Windows 8 | Safe Unlinking in the linked lists used in the kernel | 21 22 |
>= Windows 8 | SMB default configuration does not allow anonymous login to IPC$ (IPC$ may be accessible but most commands cannot be used) | 23 |
Windows 8 | Supervisor Mode Execution Prevention (SMEP) | 24 149 150 151 167 |
Windows 8 32-bit/64-bit and backported to Vista+ 64-bit | NULL page mitigation | 25 26 27 28 29 170 |
Windows 8/8.1 (Server 2012) - patch XXX?? | HAL non executable (NX) | 30 |
Windows 8 | No-Execute (NX) Nonpaged Pool | 31 32 33 |
<= Internet Explorer 10 | Memory Protector (MP) | 34 |
Edge and Internet Explorer 11 | MemGC | 35 |
>= Windows 8.1 | ObTypeIndexTable Index 0 hardening | 36 |
>= Windows 8.1 32-bit/64-bit (update KB3000850) or >= Office 16.0.7341.2032 or compiled with >= VS2015 | Control Flow Guard (CFG) a.k.a. Forward-edge CFI (Integrity) | 37 38 39 40 41 42 43 44 45 46 47 48 49 50 146 166 167 168 198 199 206 |
? | Isolated Heap (only HTML/SVG/etc. elements accessible from JS, not helper/smaller objects) | 51 |
>= Edge and Windows 10 v??? | Win32k syscall filter | 52 53 54 55 56 57 58 59 60 |
Windows Vista | Kernel-Mode Code Signing (KMCS) a.k.a. Digital Driver Signing | 147 164 |
Windows Vista | Kernel Patch Protection (KPP) a.k.a. PatchGuard | 148 |
Windows 10 1703 or 1607 >= 14332 (August 2016) | Page Table Entry (PTE) location randomized (full KASLR) | 61 62 63 64 65 180 180-2 |
>= Windows 10 1809 (Pro/Enterprise) and >= Edge 77 | Application Guard for Edge | 66 67 207 |
Windows 10/Edge >= XX/XX/2016??? | Virtual Machines (VM) for Edge | 68 |
Windows 10 >= XX/XX/2016??? | Services process isolation (out of SVCHOST.EXE) | 69 |
Windows 10 >= XX/XX/2016??? | Shadow stack | 70 71 |
Windows 10/Edge >= XX/XX/2016??? | Prohibit dynamic code (VirtualAlloc RWX) | 72 73 |
Windows 10/Office 2016 (Version 16.11 Build 7571.2075) | Forbid child to create process | 74 |
Windows 10/Edge | Out-of-process JIT | 75 76 |
Windows 10 v1607 (Build 14393) | NULL SecurityDescriptor kernel mitigation | 77 78 |
Windows 10 (Build 15002) | Exports are invalid CFG icall | 79 |
Windows 10 (Build 15021 / Removed in Build 15031) | Return Flow Guard (RFG) | 80 81 82 83 84 |
Windows 10 (Build 15025) | Strict CFG | 85 86 |
Windows 10 (Build 1703 Creators Update) | kCFG | 87 152 |
Windows 10 (Build ?) | Font parsing restricted to AppContainer | 88 89 |
Windows 10 (Build 16179) | Break LFH deterministic layouts | 90 91 188 188-2 |
Windows 10 64-bit (1703 Creators Update) (April 2017) | HAL randomized / No HAL Heap static mapping | 92 93 |
Internet Explorer 11 | Disable VBScript | 94 95 96 |
Windows 10 (1703 Creators Update) | Arbitrary Code Guard (ACG). Enabled with PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON. Enabled by default in Edge only under certain conditions | 97 98 99 180 180-2 213 |
Windows 10 (16215) | Arbitrary Code Guard and Code Integrity Guard for most svchost.exe | 100 |
Windows 10 (16215) | Isolated kernel stacks | 101 |
Windows 10 (?) | BufferedIO output buffer is always zeroed | 102 103 |
Windows 10 RS3 (?) | EMET mitigations added to Win10 (Windows Defender Exploit Guard, etc.) | 104 105 106 107 |
Windows 10 RS4 | Split kernel/page directory tables | 108 109 110 |
Windows 10 ??? | Fonts in userland and appcontainerized | 111 |
Windows 10 RS4 (17063) | SGX2 Support (EAUG, EMODPR, etc.) | 112 |
Windows 10 ??? | Kernel Virtual Address (KVA) Shadow (== KPTI) | 113 114 172 172-2 |
Windows 10 ??? | Mitigations for speculative execution side channel vulnerabilities | 115 |
Visual Studio 2017 version 15.5.5 or 15.6 Preview 4? | /Qspectre compiler option | 116 117 |
Windows 10 build 17692 (fast ring) (June 2018) | WPAD JavaScript sandboxing in AppContainer | 118 |
Windows 10 Redstone 5 (June 2018) | Virtualization Based Security (VBS) enables Hypervisor Code Integrity (HVCI) and Driver Signature Enforcement (DSE) => block Capcom rootkit/other drivers | 119 180 180-2 |
Windows 10 Build 17723 (Fast Ring) and 18204 (Skip Ahead) | Heap-backed pool allocator (with randomization) | 120 |
Windows 10 Build 19H1 | Limited Supervisor Mode Access Prevention (SMAP) in paths handling DISPATCH_LEVEL + interrupts | 121 122 |
Windows 10, version 1703 | Sandboxed Windows Defender (opt-in) | 123 124 |
>= Windows 10 v1709 | Structured Exception Handling Overwrite Protector (SEHOP) enabled by default | 193 |
Windows 10 WIPFast build or compiled with /kernel | InitAll compiler feature. No uninitialized Plain-old-data (POD) structs on the stack | 125 126 163 |
Windows 10 Fall Creators Update (2017) | VBScript execution disabled in Internet Explorer in the Internet Zone and the Restricted Sites Zone by default | 127 128 |
Windows 10 Pro or Enterprise Insider build 18305 | Windows Sandbox (run any application in isolation) | 129 130 |
Windows 10 build ??? (after 16299) | Windows Object Type encoding | 131 132 |
Windows 10 build ??? | eXtended Control Flow Guard (XFG): Validates call-targets by hash on target type | 133 134 180 180-2 181 181-2 183 183-2 204 214 222 223 |
Windows 10 build 17672 | Kernel pool moving towards Low Fragmentation Heap algorithm | 135 136 |
Windows 10 1809 build ??? | Threat-Intelligence Kernel APC Injection Sensor | 137 138 139 |
Windows Insider Flight 18980 | Kernel-mode and Hyper-V automatic initialization of scalars (pointers, int, etc.) | 140 |
Windows 10 ??? (Oct 2019) | Virtualization Based Security (VBS) enabled by default | 141 142 180 180-2 |
Windows 10 1607 | tagWND.strName primitive mitigation | 144 |
Windows 10 1709 | win32k object type isolation | 215 216 217 |
Windows 10 1803 | win32k tagWND additional r/w primitive removal | 215 |
Windows 10 1809 | win32k desktop heap user/kernel separation | 215 |
Windows 10 1809 | kLFH (disabled by default) | 143 |
Windows 10 1903 | kLFH (enabled by default) | 218 |
Windows 10 1903 | Userland Control-flow Enforcement Technology (CET) | 200 201 202 203 |
Windows 10 March 2020 | Hardlink mitigation (requires FILE_WRITE_ATTRIBUTES) | 157 |
Windows 10 May 2020 and supported hardware | eXtended Flow Guard (XFG) (improved CFG) forward-edge CFI, can use Intel CET shadow stacks (only on supported hardware) | 145 161 161-2 161-3 165-2 214 |
Windows 10 ??? | No Uninitialized Stack | 162 162-2 |
Windows 10 ??? | Extreme Flow Guard (xFG) | 165 165-2 180 180-2 214 |
Windows 10 21H1 | Kernel Data Protection (KDP) | 165 165-2 174 174-2 175 175-2 177 177-2 |
Windows 10 ??? | Vulnerable driver blocking | 169 |
Windows 10 ??? | Zeroed kernel pool allocation | 171 173 173-2 179 182 182-2 187 187-2 |
Windows 10 21H1 | Authenticated Pointers (PAC) on ARM64 | 176 |
Windows 10 21H1 | Dynamic relocations to allow user shared data to be relocated | 176 |
Windows 10 21H1 | Kernel Mode TLS (Thread Local Storage) with PsTls* APIs | 176 |
Windows 10 21H1 | Kernel Control-flow Enforcement Technology (CET) | 176 180 180-2 |
Visual Studio 2019 ??? | ASan support for MSVC | 196 197 |
Windows 10 ??? | Supervisor Mode Access Prevention (SMAP) | 178 178-2 |
Windows 10 ??? | Randomized mapping of VTL0's KUSER_SHARED_DATA in ring0 VTL1 | 184 189 |
Windows 10 ??? | Graphics driver developers required to write user-space-only drivers | 208 |
Windows 11 (Build 22000) | Option to not follow symlinks for mount points (not default yet) | 202 |
Windows 11 (Build ???) | XTENDED_CONTROL_FLOW_GUARD, POINTER_AUTH_USER_IP, REDIRECTION_TRUST | 212 |
Windows 10 / Windows Server 2016 and 2019 | Keyboard and mouse disabled in session 0 | 219 220 |
Windows 10 1803 / Windows 11 / Windows Server 2019 and 2022 | Interactive Services Detection Service (UI0Detect) binaries removed | 221 |