Event 1048 - DEP/NX Crash Recovery
- Logged Message
- What Is It?
- When Is This Event Logged?
- Example
- Remediation
- Related topics
Logged Message
The Data Execution Prevention/No Execute (DEP/NX) option in Windows Internet Explorer 8 prevents code from running in non-executable memory. When a violation occurs, the browser stops responding instead of running malicious code. This event is logged when Internet Explorer 8 has recovered from a crash caused by DEP/NX. Typically, DEP/NX failures occur due to attempts to exploit the browser or its add-ons. However, a browser add-on might not be compatible with DEP/NX, in which case failures occur even without malicious content. If an incompatible add-on is found, contact the add-on developer for an updated version.
What Is It?
Windows Internet Explorer 7 in Windows Vista introduced an off-by-default Internet Control Panel option to "Enable memory protection to help mitigate online attacks." This option is also referred to as Data Execution Prevention (DEP) or No-Execute (NX). This option is enabled by default for Internet Explorer 8 on Windows Server 2008 and Windows Vista with Service Pack 1 (SP1) and later.
DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable. DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), makes it harder for attackers to exploit certain types of memory-related vulnerabilities like buffer overruns. Best of all, the protection applies to both Windows Internet Explorer and the add-ons it loads. No additional user interaction is required to provide this protection, and no new prompts are introduced.
If a process running a particular webpage crashes, Internet Explorer automatically captures information about the crash and then recovers the process (the crash recovery portion of this is part of the new Loosely-Coupled Internet Explorer architecture). For example, you might have a page running a Microsoft ActiveX control that performs an illegal memory access (whether accidental or malicious).
When a crash occurs, Internet Explorer automatically logs:
- An exception code
- Exception address
- Exception flags
For more information about the possible exception codes and exception flags, see the EXCEPTION_RECORD Structure topic in the Windows Software Development Kit (SDK).
When Is This Event Logged?
This event is logged when a process running a page crashes.
Example
There are a number of conditions under which this event is logged. One example is a page that contains an ActiveX control that performs a divide-by-zero operation. In this case, the process will be recovered but DEP/NX will also log details about the crash. It's not possible to provide a complete example in this document. But here are the basic steps you would need to complete to create a sample that logs this event in the compatibility tool.
Using Microsoft Visual Studio 2008, create a Microsoft Visual C++ ActiveX control that exposes a callable function called DepTest and creates an exception. One way to do this is to cause a memory access violation:
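    void CMainDialog::DepTest()
    {
        // Cause a memory access violation by writing through a null pointer.
        // The pointer is set to NULL so that the write faults reliably.
        int *foo = NULL;
        *foo = 100;
    }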
Create a webpage with the following contents. For this example call it 1048.html:
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>DEP/NX Test</title>
        <script type="text/jscript">
            function CreateCrash()
            {
                objCC.DepTest();
            }
        </script>
    </head>
    <body>
        <object id="objCC" classid="<YOUR CLSID>" width="32" height="32"></object>
        <input id="Button1" onclick="CreateCrash()" value="DEP/NX Crash Recovery" type="button" />
    </body>
    </html>
Edit the name and class identifier (CLSID) of your ActiveX control in the <object> tag to match those of the ActiveX control that you wrote.
Press the "DEP/NX Crash Recovery" button.
Note: This invokes the Microsoft JScript CreateCrash function, which calls into your ActiveX control method DepTest. This method throws an exception that causes the browser tab to crash. The event is logged when the crash occurs.
Remediation
No workaround is needed for this feature. The information captured in the log can be used to isolate the cause of the crash.
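One way to use the three logged fields (exception code, exception address, exception flags) to isolate the cause of a crash, added here as an example that is not part of the original page or of Microsoft's tooling. The struct and function names, the module map and every sample address are constructed assumptions; only the exception code and flag values are the ones defined in the Windows SDK headers.

```c
#include <stddef.h>
#include <stdint.h>

/* Values as defined in the Windows SDK (winnt.h), repeated here so the
   example builds without the SDK. */
#define EXCEPTION_ACCESS_VIOLATION   0xC0000005u
#define EXCEPTION_INT_DIVIDE_BY_ZERO 0xC0000094u
#define EXCEPTION_NONCONTINUABLE     0x1u

/* Hypothetical types: the three logged fields, and one loaded-module range. */
struct crash  { uint32_t code; uint64_t address; uint32_t flags; };
struct module { const char *name; uint64_t base; uint64_t size; };

enum verdict { DEP_SUSPECT, FAULT_IN_MODULE, ARITHMETIC_IN_MODULE, UNCLASSIFIED };
struct finding { enum verdict verdict; const char *module; int noncontinuable; };

/* Constructed sample module map (names, bases and sizes are made up). */
const struct module MODULES[] = {
    { "iexplore.exe",      0x00400000u, 0x0009C000u },
    { "example_addon.dll", 0x10000000u, 0x00020000u },
};
#define MODULE_COUNT (sizeof MODULES / sizeof MODULES[0])

/* Name of the image that contains addr, or NULL when no image does. */
const char *owning_module(const struct module *m, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= m[i].base && addr - m[i].base < m[i].size)
            return m[i].name;
    return NULL;
}

/* Heuristic triage. An access violation whose faulting instruction lies
   outside every loaded image means execution had reached non-image memory
   (heap, stack or generated code), which is what DEP/NX blocks. A fault
   inside an image points at that module, for example a buggy add-on. */
struct finding triage(const struct crash *c, const struct module *m, size_t n)
{
    struct finding f = { UNCLASSIFIED, owning_module(m, n, c->address),
                         (c->flags & EXCEPTION_NONCONTINUABLE) != 0 };
    if (c->code == EXCEPTION_ACCESS_VIOLATION)
        f.verdict = f.module ? FAULT_IN_MODULE : DEP_SUSPECT;
    else if (c->code == EXCEPTION_INT_DIVIDE_BY_ZERO && f.module)
        f.verdict = ARITHMETIC_IN_MODULE;
    return f;
}
```

When a full crash dump is available, an access violation with ExceptionInformation[0] equal to 8 in the EXCEPTION_RECORD confirms a DEP/NX violation rather than an ordinary read or write fault.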