MitigationFlags2 in the EPROCESS

Since the introduction of Control Flow Guard for version 6.3, Windows has accumulated rather many bit fields that record whether this or that security mitigation applies. The 1709 release of Windows 10 collected many of these from the Flags, Flags2 and Flags3 members of the EPROCESS into a new set in union with a ULONG member named MitigationFlags. New bits for new mitigations are mostly in a second new set, in union with a ULONG named MitigationFlags2.

| Mask | Definition | Versions |
|---|---|---|
| 0x00000001 | ULONG EnableExportAddressFilter : 1; | 1709 and higher |
| 0x00000002 | ULONG AuditExportAddressFilter : 1; | 1709 and higher |
| 0x00000004 | ULONG EnableExportAddressFilterPlus : 1; | 1709 and higher |
| 0x00000008 | ULONG AuditExportAddressFilterPlus : 1; | 1709 and higher |
| 0x00000010 | ULONG EnableRopStackPivot : 1; | 1709 and higher |
| 0x00000020 | ULONG AuditRopStackPivot : 1; | 1709 and higher |
| 0x00000040 | ULONG EnableRopCallerCheck : 1; | 1709 and higher |
| 0x00000080 | ULONG AuditRopCallerCheck : 1; | 1709 and higher |
| 0x00000100 | ULONG EnableRopSimExec : 1; | 1709 and higher |
| 0x00000200 | ULONG AuditRopSimExec : 1; | 1709 and higher |
| 0x00000400 | ULONG EnableImportAddressFilter : 1; | 1709 and higher |
| 0x00000800 | ULONG AuditImportAddressFilter : 1; | 1709 and higher |
| 0x00001000 | ULONG DisablePageCombine : 1; | 1809 and higher |
| 0x00002000 | ULONG SpeculativeStoreBypassDisable : 1; | 1809 and higher |
| 0x00004000 | ULONG CetShadowStacks : 1; | 1809 only |
| 0x00004000 | ULONG CetUserShadowStacks : 1; | 1903 and higher |
| 0x00008000 | ULONG AuditCetUserShadowStacks : 1; | 2004 and higher |
| 0x00010000 | ULONG AuditCetUserShadowStacksLogged : 1; | 2004 and higher |
| 0x00020000 | ULONG UserCetSetContextIpValidation : 1; | 2004 and higher |
| 0x00040000 | ULONG AuditUserCetSetContextIpValidation : 1; | 2004 and higher |
| 0x00080000 | ULONG AuditUserCetSetContextIpValidationLogged : 1; | 2004 and higher |
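
The table above as a version-aware decoder for a MitigationFlags2 value, such as one read from an EPROCESS in a debugger or a memory image. This is an added example, not code from the original page or from Microsoft: the function names, the use of the four-digit release number as an integer and the sample value are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

static const struct { uint32_t mask; const char *name; unsigned first, last; } MF2[] = {
    {0x00000001, "EnableExportAddressFilter", 1709, 0},
    {0x00000002, "AuditExportAddressFilter", 1709, 0},
    {0x00000004, "EnableExportAddressFilterPlus", 1709, 0},
    {0x00000008, "AuditExportAddressFilterPlus", 1709, 0},
    {0x00000010, "EnableRopStackPivot", 1709, 0},
    {0x00000020, "AuditRopStackPivot", 1709, 0},
    {0x00000040, "EnableRopCallerCheck", 1709, 0},
    {0x00000080, "AuditRopCallerCheck", 1709, 0},
    {0x00000100, "EnableRopSimExec", 1709, 0},
    {0x00000200, "AuditRopSimExec", 1709, 0},
    {0x00000400, "EnableImportAddressFilter", 1709, 0},
    {0x00000800, "AuditImportAddressFilter", 1709, 0},
    {0x00001000, "DisablePageCombine", 1809, 0},
    {0x00002000, "SpeculativeStoreBypassDisable", 1809, 0},
    {0x00004000, "CetShadowStacks", 1809, 1809},      /* "1809 only" */
    {0x00004000, "CetUserShadowStacks", 1903, 0},     /* same bit, renamed */
    {0x00008000, "AuditCetUserShadowStacks", 2004, 0},
    {0x00010000, "AuditCetUserShadowStacksLogged", 2004, 0},
    {0x00020000, "UserCetSetContextIpValidation", 2004, 0},
    {0x00040000, "AuditUserCetSetContextIpValidation", 2004, 0},
    {0x00080000, "AuditUserCetSetContextIpValidationLogged", 2004, 0},
};

/* Name of one bit in a release (1709, 1809, ...), or NULL if that release
   does not define it. In the table, last == 0 stands for "and higher". */
const char *mf2_name(uint32_t mask, unsigned rel) {
    for (size_t i = 0; i < sizeof MF2 / sizeof MF2[0]; i++)
        if (MF2[i].mask == mask && rel >= MF2[i].first && (!MF2[i].last || rel <= MF2[i].last))
            return MF2[i].name;
    return NULL;
}

uint32_t mf2_undefined(uint32_t flags, unsigned rel) { /* set bits the release does not define */
    uint32_t unknown = 0;
    for (uint32_t m = 1; m; m <<= 1)
        if ((flags & m) && !mf2_name(m, rel)) unknown |= m;
    return unknown;
}

int main(void) {
    uint32_t f = 0x0000C011u;   /* constructed sample value, decoded as release 1809 */
    for (uint32_t m = 1; m; m <<= 1)
        if ((f & m) && mf2_name(m, 1809)) printf("0x%08X %s\n", (unsigned)m, mf2_name(m, 1809));
    printf("undefined in 1809: 0x%08X\n", (unsigned)mf2_undefined(f, 1809));
    return 0;
}
```

A nonzero result from mf2_undefined usually means the value was interpreted for the wrong release or read from the wrong offset, which is worth checking before trusting any of the decoded names.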