Control Flow Guard in Windows 10: how to disable it

Integrated into Windows 10 is a security feature known as Control Flow Guard (CFG). This feature is designed to prevent memory corruption vulnerabilities and thwart potential ransomware attacks. To delve deeper into what Control Flow Guard on Windows 10 entails and how to toggle its functionality, read on in this article by Mytour.

Exploit Protection is part of the Exploit Guard feature in Windows Defender. Control Flow Guard (CFG) is a component of this feature. Refer to Mytour’s article below to learn more about Control Flow Guard on Windows 10 and how to manage its settings.

Exploring Control Flow Guard on Windows 10: Activation and Deactivation

1. What is Control Flow Guard on Windows 10? How does it operate?

Control Flow Guard is a feature that complicates arbitrary code execution exploitation through vulnerabilities such as buffer overflows. As we all know, software vulnerabilities are often exploited by providing abnormal data, … to a running program.

For instance, attackers can exploit a buffer overflow vulnerability by supplying more input to a program than it expects, overrunning the memory region the program reserved to hold the response. This can corrupt adjacent memory holding function pointers. When the program calls through such a pointer, it may jump to an unintended location specified by the attacker.

To prevent such scenarios, a robust combination of compiler and runtime support in Control Flow Guard enforces the integrity of control flow to limit points where indirect call instructions can execute. Therefore, Control Flow Guard inserts additional security checks to detect attempts to hijack the original code.

When CFG verification fails at runtime, Windows will immediately terminate and close the program, disrupting any exploits attempting to indirectly call an invalid address.

2. How does Control Flow Guard affect web browsing performance?

Notably, the CFG feature has been reported to cause performance issues on Chromium-based browsers. All major web browsers such as Google Chrome, Edge, Vivaldi, and some others are affected.

The Windows Kernel Team management has also acknowledged this issue and stated that a fix will be released soon.

How to Disable Control Flow Guard on Windows 10

If, for whatever reason, you wish to disable the Control Flow Guard feature on Windows 10, follow the steps below:

First, type Windows Security into the Search box on the Start Menu.

In the Windows Defender Settings window, under the Update and Security section, select Windows Security from the left panel.

Choose App & browser Control, then scroll down to find the Exploit Protection Settings section. Here, locate and select Control Flow Guard.

From the menu, select the Off by default option to disable the CFG feature.

This article by Mytour has just provided you with answers to the questions about Control Flow Guard on Windows 10: What is it? How to enable or disable it? Furthermore, if you have any inquiries or questions like what Windows Hardware Quality Labs or WHQL stands for, feel free to leave your comments below the article.


What Is Control Flow Guard? How to Disable It on Windows 10/11?

By Aurelie

Software vulnerabilities are favored by attackers because they offer a way to affect operating systems that are otherwise protected. Control Flow Guard is designed to insert extra security checks that identify attempts to hijack the original code. This post from MiniTool explains the definition and functionality of Control Flow Guard in detail. Scroll down for more information.

What Is Control Flow Guard?

Control Flow Guard is a part of Exploit Protection in Windows Defender. It is tailored to block malicious code from changing the default control flow of Windows programs. By restricting where a program can execute code from, it makes it harder for attackers to execute code through memory corruption vulnerabilities.

As the name suggests, this feature ensures control flow integrity for indirect calls. Without it, when a vulnerable program calls through a corrupted function pointer, it can jump to an unexpected location specified by the threat actors.

However, this feature also has some limitations. For example, it is reported that Control Flow Guard might influence the performance of Chromium-based browsers. Luckily, the Windows Kernel team is working hard to build a fix for it.

How to Disable Control Flow Guard Windows 10/11?

Way 1: Disable Control Flow Guard in System Settings

Control Flow Guard in Windows 11/10 is on by default, so you can go to Exploit Protection to disable it manually. Follow these steps:

Step 1. Press Win + S to bring up the search bar.

Step 2. Type Windows Security and select the best match.

Step 3. Scroll down to find App & browser control and hit it.


Step 4. Tap on Exploit protection settings under Exploit protection.

Step 5. Click on the drop-down menu under Control flow guard and select Off by default.


Step 6. Restart your computer to apply the change.

Way 2: Disable Control Flow Guard in Program Settings

When you encounter game stuttering, lagging, and other problems, it is a good idea to disable Control Flow Guard for the executable file of the game. Here’s how to do it:

Step 1. Press Win + I to open Windows Settings.

Step 2. Navigate to Update & Security > Windows Security > App & browser control.

Step 3. Click on Exploit protection settings and go to the Program settings tab.

Step 4. Select the executable file of the target game or other applications and hit Edit.

Step 5. Scroll down to find Control flow guard (CFG) > tick Override system settings under it > toggle it off > hit Apply.


When it comes to data protection, a free PC backup software called MiniTool ShadowMaker comes in handy. It is compatible with almost all the Windows systems and it supports backing up a large variety of items including files, folders, the Windows system, selected partitions, and even the whole disk.

What’s more, it also allows you to migrate data and operating system from HDD to SSD for better system performance. This tool provides you with a trial edition and you can enjoy almost all the functions for free within 30 days. Here, we will show you how to create a file backup with it:

Step 1. Download, install and launch MiniTool ShadowMaker Trial Edition.


Step 2. In the Backup page, you can select the backup source and destination.

  • Backup source – go to SOURCE > Folders and Files to select what to backup.
  • Backup destination – pick an external hard drive or a USB flash drive as a storage path in DESTINATION.

Step 3. Click on Back Up Now to start the process immediately. Also, you can delay the task by hitting Back Up Later. To view the backup progress, go to the Manage tab.

Final Words

This post introduces the definition of Control Flow Guard, how it works, and how to disable CFG on your computer. More importantly, you also get a freeware called MiniTool ShadowMaker to protect your data. If you are interested in it, you can have a try.

About The Author

Position: Columnist

Aurelie is a passionate soul who always enjoys researching & writing articles and solutions to help others. Her posts mainly cover topics related to games, data backup & recovery, file sync and so on. Apart from writing, her primary interests include reading novels and poems, travelling and listening to country music.

Control Flow Guard (CFG) is a critical security feature integrated into Microsoft’s Windows operating system designed to help protect against a variety of exploitation techniques that attackers use to compromise systems. With the rise of sophisticated cyber threats and the increasing complexity of software applications, security measures such as CFG have become vital in maintaining the integrity and security of computer systems. This article aims to provide a comprehensive understanding of Control Flow Guard, its operational principles, features, benefits, and guidance on how to enable or disable it on Windows systems.

Understanding Control Flow Guard

Definition

Control Flow Guard (CFG) is a security feature present in Windows since Windows 8.1 and 10. It is designed to mitigate control-flow hijacking attacks (such as buffer overflow exploits) by ensuring that the transfer of control within a program follows designated paths established at compile time. If the application attempts to execute code from an unauthorized location, CFG can intercept this attempt, causing the application to crash or produce an error instead of executing potentially harmful code.

How Control Flow Guard Works

The fundamental mechanism of Control Flow Guard revolves around the insertion of metadata during the compilation process of an application. This metadata records valid transition points in the execution flow. When an application is run, CFG consults this metadata to ensure that all control transfers comply with the permissible paths defined during the compilation phase.

In practical terms, CFG works in the following way:

  1. Compilation: When an application is compiled, the compiler generates metadata that outlines the valid addresses for control transfers (such as function calls, return addresses, and jumps).

  2. Validation: When the application runs, each transfer of control is validated against this metadata. If a control flow transfer leads to a non-permitted location (indicating potential exploitation), CFG intervenes.

  3. Mitigation: In response to an invalid control transfer, CFG can generate an exception. This action can lead to the termination of the potentially malicious code execution, providing a safety net that confines the damage that an exploit might cause.

Types of Attacks Mitigated by CFG

Control Flow Guard guards against several types of attacks, including:

  1. Buffer Overflows: These attacks occur when data overruns the buffer’s bounds, potentially overwriting executable code.
  2. Return-Oriented Programming (ROP): Attackers leverage small sequences of code already present in the application’s memory to craft malicious exploits without injecting harmful code.
  3. Jump-Oriented Programming (JOP): Similar to ROP, this technique uses existing code to manipulate application flow without direct code injection.

The Importance of Control Flow Guard

Enhancing Application Security

The emergence of CFG is crucial due to the increasing sophistication of cyber threats. Exploitation techniques have evolved, making traditional security measures insufficient. By enforcing rigid checks on control flow, CFG prevents unauthorized execution paths that could lead to system compromise, data theft, or complete service disruption.

Compliance with Security Standards

Many regulatory frameworks and standards require enterprises to implement robust security practices. Features like CFG enhance compliance by adding another layer of security to software development and deployment practices. This assists organizations in meeting both internal security policies and external regulatory requirements.

Limited Performance Impact

One significant advantage of CFG is its design, which allows developers to enable this robust security feature without a noticeable performance hit on most applications. While CFG does introduce overhead due to the validation checks, the impact is often minimal compared to the security benefits it provides.

How to Turn Control Flow Guard On or Off

Enabling or disabling Control Flow Guard can be essential for various reasons, including specific application compatibility requirements or troubleshooting security features. Windows provides several methods for managing CFG settings.

Enabling Control Flow Guard Globally

To enable CFG globally on a Windows system, you can use the Windows Security Features settings or the Windows Registry Editor. Below are the detailed steps for both:

Method 1: Using Windows Security Features

  1. Open Windows Security: Click on the “Start” menu and type “Windows Security”. Click on the application when it appears.

  2. Navigate to App & browser control: Find and click on the “App & browser control” section.

  3. Exploit Protection Settings: Scroll down and click on “Exploit protection settings.” This will open a new window where you can adjust various exploit protection settings.

  4. Control Flow Guard Settings: Scroll down to find the “Control flow guard” option under System settings. Here, you can toggle the status to “On” or “Off” based on your requirements.

  5. Save and Exit: After making the changes, be sure to click on the “Apply” button to save your settings.

Method 2: Using the Windows Registry Editor

  1. Open Registry Editor: Press Win + R, type regedit, and press Enter to open the Registry Editor.

  2. Navigate to the Appropriate Key: Go to the following path:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

  3. Modify the CFG Setting: If you want to enable Control Flow Guard, create a new DWORD (32-bit) value named ControlFlowGuard and set its value to 1. To disable it, you can set the value to 0.

  4. Restart the System: Changes to the Registry often require a reboot. Ensure that you exit the Registry Editor and restart your machine for the changes to take effect.

Enabling Control Flow Guard for a Specific Application

In certain scenarios, you may want to enable or disable CFG on a per-application basis. This customization allows flexibility for applications that may not be fully compatible with CFG, while still protecting others.

Steps for Application-Specific CFG Settings:

  1. Open the Windows Security and Access Exploit Protection: Follow the steps above to open Windows Security and navigate to “Exploit protection settings.”

  2. Add an Application: In the program settings section, click on “Add an app to customize.” Choose whether you want to add a “Program” or “Program folder”.

  3. Browse to the Application: Locate the executable file for the application you want to customize.

  4. Set Control Flow Guard: Once the application is added, you can configure the CFG settings specific to that executable file.

  5. Apply Changes: Don’t forget to apply the changes before closing the settings window.

FAQs Surrounding Control Flow Guard

Does Control Flow Guard work with all applications?

Control Flow Guard is specifically designed to work with applications that support it. Modern software developed with built-in support for CFG will benefit from this security feature. However, legacy applications or those not compiled with CFG may experience compatibility issues.

Can Control Flow Guard cause application crashes?

While Control Flow Guard significantly enhances security, in some cases, it may inadvertently cause application crashes if those applications are not programmed to handle CFG checks appropriately. If you experience consistent application crashes, you may need to disable CFG for that specific application.

Is it recommended to keep Control Flow Guard enabled?

For most users and organizations, it is generally recommended to keep CFG enabled due to its robust protective capabilities against common types of exploitation. Disabling CFG should only occur in certain situations where compatibility issues arise, alongside a thorough assessment of the risks involved.

What if an application fails to launch due to CFG?

If an application fails to launch due to Control Flow Guard, users can attempt to disable CFG specifically for that application through the Windows Security settings or through the Registry Editor, reverting CFG management back to system default.

Is there any way to monitor the effectiveness of Control Flow Guard?

While users can enable logging for certain types of incidents through Windows Event Viewer or third-party security solutions, CFG does not provide direct monitoring capabilities out of the box. Many organizations employ comprehensive security monitoring tools that give broader visibility into application behavior, and CFG’s preventive measures can often be indirectly evaluated through incident reports and overall system integrity.

Conclusion

Control Flow Guard represents a fundamental advancement in application security in the modern coding landscape. By implementing strong checks on control transfers within applications, CFG reduces the potential for exploitation, protecting users and systems from complex threats. Windows offers straightforward methods to both enable and disable CFG, allowing users to tailor security settings based on their specific needs while maintaining a critical layer of defense against the evolving cyber threat landscape.

Ensuring that CFG is appropriately configured can dramatically enhance the security posture of systems, empowering both individual users and organizations to better safeguard their digital environments against increasingly sophisticated cyber threats. The implementation of Control Flow Guard signifies the ongoing commitment to security innovation within the Windows ecosystem, ensuring that applications can run more safely and reliably in an era where security is paramount.

Windows 10 Version 1709 (Fall Creators Update) with Visual Assist build 2238 or older

Microsoft tightened security in the Windows 10 Version 1709 Fall Creators Update (FCU), but unfortunately, the tightening adversely affects the performance of applications that use the Win32 GetPixel API. Visual Assist build 2238 uses the API so initial opening of editor windows in Visual Studio, when Visual Assist is active, can be extremely slow.

You can speed up the opening of editor windows to pre-FCU levels by updating to Visual Assist build 2248 or newer, or by disabling Control Flow Guard (CFG) for Visual Studio.

Disable CFG by navigating to:

Windows Defender Security Center | App & browser control | Exploit protection settings | Program settings | Add program to customize | Add by program name

Be cautious and choose the exact file path(s) for Visual Studio, or disable protection for any application named “devenv.exe”.

Scroll to disable Control Flow Guard (CFG).

You might improve the performance of other aspects of Visual Assist in Visual Studio, at least with respect to the effects of tighter security in the FCU, by disabling all 21 program security settings specific to the application.

Apply, and restart your PC.

You can improve performance of all affected applications in the FCU by disabling CFG at the system level:

App & browser control | Exploit protection settings | System Settings

Obviously, disabling a security feature has its own cost, i.e. less security. You can learn more about the slowness of the API at TenForums and in the Visual Studio Developer Community.

Related Documentation

Title | Meaning
Resolve a performance problem with Visual Assist | Starting point for all performance problems

Windows 10 built-in security feature — Control Flow Guard (CFG) is designed to combat memory corruption vulnerabilities. Control Flow Guard helps prevent memory corruption, which is very helpful to prevent ransomware attacks. The capabilities of the server are restricted to whatever is needed at that point of time to reduce the attack surface. Exploit Protection is a part of the Exploit Guard feature in Windows Defender. CFG is a part of this feature.

Control Flow Guard in Windows 10

Let’s delve a bit deeper into the Control Flow Guard feature in Windows 10 and answer a few questions like:

  1. What is Control Flow Guard and how does it work?
  2. How does Control Flow Guard affect browser performance?
  3. How to disable Control Flow Guard?

1] What is Control Flow Guard and how does it work

Control Flow Guard is a feature that makes it harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. As we know, software vulnerabilities are often exploited by providing unlikely, unusual, or extreme data to a running program. For example, an attacker can exploit a buffer overflow vulnerability by providing more input to a program than expected, thereby over-running the area reserved by the program to hold a response. This scheme possibly corrupts adjacent memory that may hold a function pointer. When the program calls through this function, it may then jump to an unintended location specified by the attacker.

To avoid such instances, a potent combination of compile and run-time support from Control Flow Guard implements a control flow integrity that tightly restricts spots where indirect call instructions can be executed. It also identifies the set of functions in the application that could be the potential targets for indirect calls. As such, Control Flow Guard inserts extra security checks that could detect attempts to hijack the original code.

When a CFG check fails at runtime, Windows immediately terminates the program, thus breaking any exploit that attempts to indirectly call an invalid address.
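The mechanism described above (a recorded set of valid indirect-call targets, a check before each indirect call, and a refusal when the check fails) can be modelled in portable C. This is an added example, not code from any of the articles or from Windows: the names `valid_targets`, `cfg_is_valid_target`, `guarded_call` and `struct request` are hypothetical, the target set is a plain array rather than Windows' real data structure, and the guard returns a status instead of terminating the process.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_fn)(int);

/* Legitimate indirect-call targets of this toy program. */
static int double_it(int x) { return x * 2; }
static int negate(int x)    { return -x; }
/* Present in the program, but never meant to be reached indirectly. */
static int unlisted(int x)  { return x + 1000; }

/* Stand-in for the compiler-generated metadata: the valid call targets. */
static const handler_fn valid_targets[] = { double_it, negate };

/* Validation: is `target` one of the recorded entry points? */
static int cfg_is_valid_target(handler_fn target) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
        if (valid_targets[i] == target) return 1;
    return 0;
}

enum { CALL_OK = 0, CALL_BLOCKED = -1 };

/* Check placed before the indirect call; real CFG terminates the process here. */
static int guarded_call(handler_fn target, int arg, int *result) {
    if (!cfg_is_valid_target(target)) return CALL_BLOCKED;
    *result = target(arg);
    return CALL_OK;
}

/* A buffer with a function pointer next to it, as in the text. */
struct request {
    char name[16];
    handler_fn handler;
};

/* Models a copy that ignores sizeof(name); clamped so it stays in one object. */
static void store_unchecked(struct request *r, const void *data, size_t len) {
    if (len > sizeof *r) len = sizeof *r;
    memcpy(r, data, len);
}

/* Handles one constructed request; returns CALL_OK or CALL_BLOCKED. */
static int demo(int oversized, int *result) {
    struct request r;
    unsigned char input[sizeof(struct request)];  /* constructed sample input */
    size_t len = 8;                               /* fits inside name[16] */
    handler_fn rogue = unlisted;
    memset(&r, 0, sizeof r);
    r.handler = double_it;
    memset(input, 'A', sizeof input);
    if (oversized) {  /* input long enough to reach the adjacent pointer */
        memcpy(input + offsetof(struct request, handler), &rogue, sizeof rogue);
        len = sizeof input;
    }
    store_unchecked(&r, input, len);
    return guarded_call(r.handler, 21, result);
}

int main(void) {
    int out = 0, status = demo(0, &out);
    printf("normal input:    status=%d result=%d\n", status, out);
    out = 0; status = demo(1, &out);
    printf("oversized input: status=%d result=%d\n", status, out);
    return 0;
}
```

With the short input the call reaches `double_it`; with the oversized input the pointer no longer matches a recorded target and the call is refused before any code at the new address runs.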

2] How does Control Flow Guard affect browser performance

The feature is reported to be causing performance issues for Chromium-based browsers. All major browsers like Google Chrome, Microsoft Edge browser, Vivaldi and scores of others seem to have been affected by it. The issue came to light when developers at Vivaldi ran Chromium unit tests on Windows 7 and found them running faster than on the most recent version of Windows 10.

The Windows Kernel Team manager acknowledged the issue and said they built a fix which will be shipped in a couple of weeks.

3] How to disable Control Flow Guard in Windows 10

If you wish to disable this feature, follow this procedure.

Click on Start and search for Windows Security.

Choose Windows Security from the left pane of the ‘Update and Security’ section of Windows Defender Settings.

Select ‘App & browser Control’ and scroll down to locate ‘Exploit Protection Settings’. Select it and choose ‘Control Flow Guard’.

Hit the drop-down arrow and select the ‘Off by default’ option.

I hope this helps.
