Geoff Chappell - Software Analyst
Since the introduction of Control Flow Guard for version 6.3, Windows has accumulated rather many bit fields for whether this or that security mitigation applies to a process. They were sprinkled through the Flags, Flags2 and Flags3 members of the EPROCESS. The 1709 release of Windows 10 collects them into a new set, in union with a ULONG member named MitigationFlags, and adds more—indeed, enough to overflow into a MitigationFlags2.
Mask | Definition | Versions | Remarks
---|---|---|---
0x00000001 | ULONG ControlFlowGuardEnabled : 1; | 1709 and higher | previously in Flags
0x00000002 | ULONG ControlFlowGuardExportSuppressionEnabled : 1; | 1709 and higher | previously in Flags3
0x00000004 | ULONG ControlFlowGuardStrict : 1; | 1709 and higher | previously in Flags3
0x00000008 | ULONG DisallowStrippedImages : 1; | 1709 and higher | previously in Flags2
0x00000010 | ULONG ForceRelocateImages : 1; | 1709 and higher | previously in Flags2
0x00000020 | ULONG HighEntropyASLREnabled : 1; | 1709 and higher | previously in Flags2
0x00000040 | ULONG StackRandomizationDisabled : 1; | 1709 and higher | previously in Flags2
0x00000080 | ULONG ExtensionPointDisable : 1; | 1709 and higher | previously in Flags2
0x00000100 | ULONG DisableDynamicCode : 1; | 1709 and higher | previously in Flags2
0x00000200 | ULONG DisableDynamicCodeAllowOptOut : 1; | 1709 and higher | previously in Flags3
0x00000400 | ULONG DisableDynamicCodeAllowRemoteDowngrade : 1; | 1709 and higher | previously in Flags3
0x00000800 | ULONG AuditDisableDynamicCode : 1; | 1709 and higher |
0x00001000 | ULONG DisallowWin32kSystemCalls : 1; | 1709 and higher | previously in Flags2
0x00002000 | ULONG AuditDisallowWin32kSystemCalls : 1; | 1709 and higher |
0x00004000 | ULONG EnableFilteredWin32kAPIs : 1; | 1709 and higher | previously in Flags3
0x00008000 | ULONG AuditFilteredWin32kAPIs : 1; | 1709 and higher | previously in Flags3
0x00010000 | ULONG DisableNonSystemFonts : 1; | 1709 and higher | previously in Flags3
0x00020000 | ULONG AuditNonSystemFontLoading : 1; | 1709 and higher | previously in Flags3
0x00040000 | ULONG PreferSystem32Images : 1; | 1709 and higher | previously in Flags3
0x00080000 | ULONG ProhibitRemoteImageMap : 1; | 1709 and higher | previously in Flags3
0x00100000 | ULONG AuditProhibitRemoteImageMap : 1; | 1709 and higher |
0x00200000 | ULONG ProhibitLowILImageMap : 1; | 1709 and higher | previously in Flags3
0x00400000 | ULONG AuditProhibitLowILImageMap : 1; | 1709 and higher |
0x00800000 | ULONG SignatureMitigationOptIn : 1; | 1709 and higher | previously in Flags3
0x01000000 | ULONG AuditBlockNonMicrosoftBinaries : 1; | 1709 and higher |
0x02000000 | ULONG AuditBlockNonMicrosoftBinariesAllowStore : 1; | 1709 and higher |
0x04000000 | ULONG LoaderIntegrityContinuityEnabled : 1; | 1709 and higher | previously in Flags3
0x08000000 | ULONG AuditLoaderIntegrityContinuity : 1; | 1709 and higher | previously in Flags3
0x10000000 | ULONG EnableModuleTamperingProtection : 1; | 1709 and higher |
0x20000000 | ULONG EnableModuleTamperingProtectionNoInherit : 1; | 1709 and higher |
0x40000000 | ULONG Reserved : 1; | 1803 only |
0x40000000 | ULONG RestrictIndirectBranchPrediction : 1; | 1809 and higher |
0x80000000 | ULONG IsolateSecurityDomain : 1; | 1809 and higher |
The 1709 release leaves the highest two bits undefined. No reason is yet known why the next release (1803) defined only one of them, as Reserved, before both are put to use in the 1809 release.
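As an added example (not code from this page, nor from any Windows header), the following C decodes a raw 32-bit MitigationFlags value, as one might read it from a process dump, against the table above, naming bits 30 and 31 only in the releases that define them. The release-number parameter and any sample values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Names from the table above, indexed by bit position (bit 0 = mask 0x00000001). */
static const char *const MITIGATION_FLAG_NAMES[32] = {
    "ControlFlowGuardEnabled", "ControlFlowGuardExportSuppressionEnabled",
    "ControlFlowGuardStrict", "DisallowStrippedImages",
    "ForceRelocateImages", "HighEntropyASLREnabled",
    "StackRandomizationDisabled", "ExtensionPointDisable",
    "DisableDynamicCode", "DisableDynamicCodeAllowOptOut",
    "DisableDynamicCodeAllowRemoteDowngrade", "AuditDisableDynamicCode",
    "DisallowWin32kSystemCalls", "AuditDisallowWin32kSystemCalls",
    "EnableFilteredWin32kAPIs", "AuditFilteredWin32kAPIs",
    "DisableNonSystemFonts", "AuditNonSystemFontLoading",
    "PreferSystem32Images", "ProhibitRemoteImageMap",
    "AuditProhibitRemoteImageMap", "ProhibitLowILImageMap",
    "AuditProhibitLowILImageMap", "SignatureMitigationOptIn",
    "AuditBlockNonMicrosoftBinaries", "AuditBlockNonMicrosoftBinariesAllowStore",
    "LoaderIntegrityContinuityEnabled", "AuditLoaderIntegrityContinuity",
    "EnableModuleTamperingProtection", "EnableModuleTamperingProtectionNoInherit",
    "RestrictIndirectBranchPrediction", "IsolateSecurityDomain",
};

/* Name of a bit as a given Windows 10 release (1709, 1803, 1809, ...) defines it:
 * bits 30 and 31 are undefined in 1709, bit 30 is Reserved in 1803 only, and both
 * are defined from 1809. Returns NULL when the release defines nothing there. */
const char *mitigation_flag_name(int bit, int release)
{
    if (bit < 0 || bit > 31) return NULL;
    if (bit >= 30 && release < 1809)
        return (bit == 30 && release == 1803) ? "Reserved" : NULL;
    return MITIGATION_FLAG_NAMES[bit];
}

/* List the set bits of a raw MitigationFlags value (e.g. read from a memory dump)
 * as the release names them. Returns the mask of set bits the release does not
 * define: a non-zero result suggests a wrong release guess or a suspect value. */
unsigned print_mitigation_flags(unsigned flags, int release, FILE *out)
{
    unsigned undefined = 0;
    for (int bit = 0; bit < 32; bit++) {
        if (!(flags & (1u << bit))) continue;
        const char *name = mitigation_flag_name(bit, release);
        if (name == NULL) undefined |= 1u << bit;
        fprintf(out, "  0x%08x  %s\n", 1u << bit, name ? name : "(undefined in this release)");
    }
    return undefined;
}
```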