Fix game stutter on Win 10 1703-1809

If I was to go down the route of disabling globally, I will of course make sure its still enabled for attack vectors.

Those are going to be.

Web browsers
Email clients
Office apps that can load code such as MS Office
Adobe Reader/Java/Flash etc.

It will still be possible to enable mitigations on these if off globally by default, and process explorer even seems to indicate many things still are using CFG, it doesnt force you to have it disabled on everything, and this is the approach apps like malwarebytes anti exploit and hitman pro alert take, they target the mitigations to specific executables.

I have already enabled everything but CFG and ASLR again and its no impact on any of the things I mentioned so as suspected its either ASLR, CFG or a combination of both.

 

I fixed FF7 by applying overrides to dwm.exe, the window manager executable. So not nearly as bad in terms of security implications as setting default to disable. I expect this will potentially help any windowed or borderless full screen game.

 

Which override did you apply to dwm.exe to resolve the issue?

 

bottom up aslr off and cfg off. Aslr is what had most of the impact, but cfg was more than insignificant so i did that too,

 

I still do not understand (as a developer) how ASLR can affect any process after it was created and started. I mean ASLR is applied only during the process creation stage, before the code is executed.

 

@Wagnard



It should be clearing the standby list now right?

Edit: I had Firefox.exe and Steam.exe in the exclusions list. I just cleared them two and it finally purged. Something not right there.

 

How you do that?

 

If you are on the latest Windows versions (1809, 1909 and above) most likely you don't need this, test your games without this, really, this is only if your games stop hitching with this, if they still do, you need another fix.

 

Security applet, app and browser control, exploit protection settings (scroll down to see it), program settings, add program to customise, add by path, then tick the override you want and apply.

I am currently considering my position on CFG, I expect if I keep it on by default I will potentially be having to whitelist dozens of games, quite some hassle, so I may end up going disable by default and then just enabling it for browsers, office, java, adobe. But as is for now, I have it on by default, overridden for dwm, macrium and a few games.

 

I grossly under stated the impact of CFG earlier on macrium.

My ff7 backup just completed in under 40 seconds with average read speeds of 4mB/sec on the SSD the files are stored on (no actual backup made as no changes, the time is spent scanning files for changes).

With CFG on it crawls not even reaching a single MB/sec and takes over 20 minutes, so CFG absolutely murders macrium reflect.

 

You guys talking about w10 v1703-1809 only? I have disabled CFG globally since I first discovered it existed a few years ago because it was reported causing stutters/decrease in performance in some games.(currently on w10 20h2)

You reckon bottom-UP ASLR could effect performance?I think I remember someone mentioning something about it doing something to some dx12 game like a year/2 years ago.Forgot the name of the game.

I've also seen a video of some guy adding game.exe's and disabling every exploit protection for said games.Seemed like a bit of a hassle tbh.

 

Actually there is PowerShell command to enable or disable any exploit mitigation for one or many exe-files:

Code:

NAME
    Set-ProcessMitigation
 
SYNOPSIS
    Commands to enable and disable process mitigations or set them in bulk from an XML file.
 
 
SYNTAX
    Set-ProcessMitigation
        [[-Name] <String>]
        [-Disable {DEP | EmulateAtlThunks | SEHOP | ForceRelocate | RequireInfo | BottomUp | HighEntropy | StrictHandle | DisableWin32kSystemCalls | AuditSystemCall | ExtensionPoint | DynamicCode  | AuditDynamicCode | CFG | SuppressExports | StrictCFG | BlockNonMicrosoftSigned | AllowStoreSigned | AuditMicrosoftSigned | AuditStoreSigned | EnforceModuleDepencySigning | DisableNonSystemFonts | FontAuditOnly | AuditFont | BlockRemoteImages | BlockLowLabel | PreferSystem32 | AuditImageLoad | EnableExportAddressFilter | AuditEnableExportAddressFilter | EnableExportAddressFilterPlus | AuditEnableExportAddressFilterPlus | EnableImportAddressFilter | AuditEnableImportAddressFilter | EnableRopStackPivot | AuditEnableRopStackPivot | EnableRopCallerCheck | AuditEnableRopCallerCheck | EnableRopSimExec | AuditEnableRopSimExec | SEHOP | AuditSEHOP | SEHOPTelemetry | TerminateOnHeapError | DisallowChildProcessCreation | AuditChildProcess | UserShadowStack | UserShadowStackStrictMode | AuditUserShadowStack}]
        [-EAFModules <String[]>]
        [-Enable {DEP | EmulateAtlThunks | SEHOP | ForceRelocate | RequireInfo | BottomUp | HighEntropy | StrictHandle | DisableWin32kSystemCalls | AuditSystemCall | ExtensionPoint | DynamicCode | AuditDynamicCode | CFG | SuppressExports | StrictCFG | BlockNonMicrosoftSigned | AllowStoreSigned | AuditMicrosoftSigned | AuditStoreSigned | EnforceModuleDepencySigning | DisableNonSystemFonts | FontAuditOnly | AuditFont | BlockRemoteImages | BlockLowLabel | PreferSystem32 | AuditImageLoad | EnableExportAddressFilter | EnableExportAddressFilterPlus | EnableImportAddressFilter | EnableRopStackPivot | EnableRopCallerCheck | EnableRopSimExec | SEHOP | AuditSEHOP | SEHOPTelemetry | TerminateOnHeapError | DisallowChildProcessCreation | AuditChildProcess | UserShadowStack | UserShadowStackStrictMode | AuditUserShadowStack}]
        [-Force {on | off | notset}]
        [-Remove]
        [-Reset]
        [<CommonParameters>]
 
    Set-ProcessMitigation
        [-Disable {DEP | EmulateAtlThunks | SEHOP | ForceRelocate | RequireInfo | BottomUp | HighEntropy | StrictHandle | SystemCall | AuditSystemCall | ExtensionPoint | DynamicCode | AuditDynamicCode | CFG | SuppressExports | StrictCFG | BlockNonMicrosoftSigned | AllowStoreSigned | AuditMicrosoftSigned | AuditStoreSigned | EnforceModuleDepencySigning | DisableNonSystemFonts | FontAuditOnly | AuditFont | BlockRemoteImages | BlockLowLabel | PreferSystem32 | AuditImageLoad | EnableExportAddressFilter | EnableExportAddressFilterPlus | EnableImportAddressFilter | EnableRopStackPivot | EnableRopCallerCheck | EnableRopSimExec | SEHOP | AuditSEHOP | SEHOPTelemetry | TerminateOnHeapError | DisallowChildProcessCreation | AuditChildProcess | UserShadowStack | UserShadowStackStrictMode | AuditUserShadowStack}]
        [-EAFModules <String[]>]
        [-Enable {DEP | EmulateAtlThunks | SEHOP | ForceRelocate | RequireInfo | BottomUp | HighEntropy | StrictHandle | SystemCall | AuditSystemCall | ExtensionPoint | DynamicCode | AuditDynamicCode | CFG | SuppressExports | StrictCFG | BlockNonMicrosoftSigned | AllowStoreSigned | AuditMicrosoftSigned | AuditStoreSigned | EnforceModuleDepencySigning | DisableNonSystemFonts | FontAuditOnly | AuditFont | BlockRemoteImages | BlockLowLabel | PreferSystem32 | AuditImageLoad | EnableExportAddressFilter | EnableExportAddressFilterPlus | EnableImportAddressFilter | EnableRopStackPivot | EnableRopCallerCheck | EnableRopSimExec | SEHOP | AuditSEHOP | SEHOPTelemetry | TerminateOnHeapError | DisallowChildProcessCreation | AuditChildProcess | UserShadowStack | UserShadowStackStrictMode | AuditUserShadowStack}]
        [-Force {on | off | notset}]
        [-Remove]
        [-Reset]
        [-System]
        [<CommonParameters>]
 
    Set-ProcessMitigation [-IsValid] -PolicyFilePath <String> [<CommonParameters>]
 
 
DESCRIPTION
    Used to turn on and off various process mitigation settings. Can also apply (Or Validate) an XML file to apply settings for many processes at once.
 
PARAMETERS
    -Disable <String[]>
        Comma separated list of mitigations to disable. Disable list takes priority over enable list. If specified in both, it will be disabled.
 
    -EAFModules <String[]>
        Modules to be added to the EAF+ mitigation.
 
    -Enable <String[]>
        Comma separated list of mitigations to enable. Disable list takes priority over enable list. If specified in both, it will be disabled.
 
    -Force <String>
        Overrides a system setting either on or off depending on the level this is set at. Will force "on"/"off" all mitigations provided in the -Enable list
 
    -IsValid [<SwitchParameter>]
        Set to check the given XML file for validity. Requires local .xsd
 
    -Name <String>
        Name of the process to apply mitigation settings to. Can be in the format "notepad" or "notepad.exe"
 
    -PolicyFilePath <String>
        An XML file with mitigation settings for many processes that is applied to the registry
 
    -Remove [<SwitchParameter>]
        Removes a mitigation entry from the registry.
 
    -Reset [<SwitchParameter>]
        Resets a specific mitigation entry to defer.
 
    -System [<SwitchParameter>]
        Used to configure system defaults rather than individual apps.
 
    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and  OutVariable. For more information, see about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
 
    Example 1
 
    PS C:\>  set-ProcessMitigation -Name Notepad.exe -Enable SEHOP -Disable MandatoryASLR
 
    Gets the current process mitigation for "notepad.exe" from the registry and then enables SEHOP, and disables MandatoryASLR.

    Example 2
 
    PS C:\> set-ProcessMitigation -PolicyFilePath settings.xml
 
    Applies all settings inside settings.xml

    Example 3
 
    PS C:\> set-ProcessMitigation -PolicyFilePath settings.xml -IsValid
 
    Checks if the given file is a valid settings.xml, requires local .xsd

REMARKS
    To see the examples, type: "get-help Set-ProcessMitigation -examples".
    For more information, type: "get-help Set-ProcessMitigation -detailed".
    For technical information, type: "get-help Set-ProcessMitigation -full".

And there is "get" counterpart command

Code:

NAME
    Get-ProcessMitigation
 
SYNOPSIS
    Gets the current process mitigation settings, either from the registry, from a running process, or saves all to a XML.
 
 
SYNTAX
    Get-ProcessMitigation [-FullPolicy] [<CommonParameters>]
 
    Get-ProcessMitigation [-Id] <Int32[]> [<CommonParameters>]
 
    Get-ProcessMitigation [-Name] <String> [-RunningProcesses] [<CommonParameters>]
 
    Get-ProcessMitigation [-RegistryConfigFilePath <String>] [<CommonParameters>]
 
    Get-ProcessMitigation [-System] [<CommonParameters>]
 
 
DESCRIPTION
    Gets all process mitigation settings either by process name (either running or from -Registry), or by process ID. Can also save all settings to an XML file.
 
PARAMETERS
    -FullPolicy [<SwitchParameter>]
        Returns every processes' current mitigation settings in the registry
 
    -Id <Int32[]>
        Process Id to retrieve current running process mitigation settings from
 
    -Name <String>
        Current process name to get current running (Or from registry) process mitigation settings from one (Can be more than one instance)
 
    -RegistryConfigFilePath <String>
        File to save the current registry process mitigation configuration to
 
    -RunningProcesses [<SwitchParameter>]
        Pull the current process mitigation settings from a running instance instead of the registry.
 
    -System [<SwitchParameter>]
        Pulls the current system defaults for process mitigations.
 
    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and  OutVariable. For more information, see about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
 
    Example 1
 
    PS C:\> Get-ProcessMitigation -Name notepad.exe -RunningProcess
 
    Gets the current settings on all running instances of notepad.exe

    Example 2
 
    PS C:\> Get-ProcessMitigation -Name notepad.exe
 
    Gets the current settings in the registry for notepad.exe

    Example 3
 
    PS C:\> Get-ProcessMitigation -Id 1304
 
    Gets the current settings for the running process with pid 1304

    Example 4
 
    PS C:\> Get-ProcessMitigation -RegistryConfigFilePath settings.xml
 
    Gets the all process mitigation settings from the registry and saves them to the xml file settings.xml

    Example 5
 
    PS C:\> Get-ProcessMitigation -FullPolicy
 
    Gets all policies for all processes set in the registry.

    Example 6
 
    PS C:\> Get-ProcessMitigation -System
 
    Gets the current system process mitigation defaults stored in the registry.

    Example 7
 
    PS C:\> Get-Process notepad | Get-ProcessMitigation
 
    Gets the current process mitigation settings for all running instances of notepad.exe

REMARKS
    To see the examples, type: "get-help Get-ProcessMitigation -examples".
    For more information, type: "get-help Get-ProcessMitigation -detailed".
    For technical information, type: "get-help Get-ProcessMitigation -full".

So using these two commands you can disable mitigations in bulk:
- manually disable mitigations for one exe-file (and apply);
- get XML-file with mitigations for that file with "Get-ProcessMitigation" command and add as many other exe-files to that XML-file;
- apply your XML-file with "Set-ProcessMitigation" command.

PS Of course, it is possible to write tool which will made all this but with simple GUI, if you will manage to find not-so-lazy-programmer.

PPS Also it is possible to create a PowerShell script which will search for exe-files in specified folders and disable a set of mitigations for all found ones.

 

Another update on dwm, previously my entire system used to briefly hang when editing tasks in task scheduler, was a very odd behaviour, since I have removed mitigations from it that behaviour has stopped. Essentially what I am saying is there is more and more justification to freeing dwm, its unlikely to be a viable attack vector on your system so no real security implications.

Also thanks for info mbk1969, that is useful for perhaps scripted/automated configuration, probably will use it to batch whitelist games as you suggested.

 

Yep I am on 1809.

I will tell you my opinion.

I dont think CFG is a blanket large performance hit to everything, I think its a case if you write your code to be aware of it, it will perform better, kind of like REBAR on nvidia, how it benefits some games but not others, depends how the workflow of the code is. Microsoft Office on my rig right now flies, its way faster than office 2010 was on Windows 8, and Windows 8 doesnt have CFG.

One could argue similar with ASLR, Windows has 2 ASLR options, one is to enable it on applications that support it, the other is to force enable it on other applications, the second is off by default as one might guess, it could cause unpredictable stability. The reason I think DWM is bad with ASLR, is DWM interacts with any program that utilises gpu acceleration in the windowed environment, my theory is if that application is not supporting ASLR natively (such as the 20+ year old final fantasy 7) then it can have a negative effect on performance. ASLR basically randomises the address space, to me logically that shouldnt have a huge performance hit so the results on FF7 did surprise me, I think its an edge case.

When you look at what CFG does however, its easy to see how that can hurt performance.

An interesting note as well from google developers, on a memory exploit document written for chrome, they advise people to not use EMET to force mitigations vs what is natively compiled in as OS managed exploit protection has much bigger performance impact vs app managed.

Given I am now aware of a command line command, I am probably going to keep CFG enabled globally now, and make a script that scans for executables in my game folders, and then exempt them, probably a little bit risky if someone ever managed to dump malware in those folders, but I would rather do that then disable it globally. I already have ASLR disabled globally. However I expect I will change that back to default as well, and use the script, as I think most of the benefit I am getting from the ASLR off is on DWM, so just need to override it on that and specific games. ASLR has no effect on macrium reflect or the task scheduler UI, for those two its just CFG.

 

@Chrysalis

When executable file (exe, dll) is not build with CFG feature support you can`t force CFG with such executable ("I am sure" but not "I know"). You can switch On/Off CFG for executable files built with CFG support

PS
https://forums.guru3d.com/threads/p...ames-eg-metro-exodus-bf5.425353/#post-5642374
and overall
https://forums.guru3d.com/threads/p...-individual-games-eg-metro-exodus-bf5.425353/

 

Yeah thanks, it might be the chrome devs were referring to other mitigations as the article talks about multiple exploits, DEP, ASLR etc.

Here is the article, it doesnt mention CFG. Was written before CFG was widely used.

https://www.chromium.org/Home/chromium-security/chromium-and-emet

 

"ROP chain detection and prevention" - but they talk about EMET protecting Windows API functions, not functions in code of executable itself. Windows API functions are well known and reside in OS code itself...

 

Was wondering, with newer versions of W10, 20H2 for example, is it better to not use standbylist cleaner and the 0.5 timer-res? (i don't know if windows uses 0.5 anyway when you play games for example)
Would be good to know if i can finally forget about this program.
i'm really curious.

 

Since Windows 10 version 1803 17134.320 it was fixed, so any Windows version after that should be free of the problem, however some people still report better performance using standby list cleaner, so you just have to keep testing it, some say they still have the problem, so keep that in mind.

As for the timer res, don't touch bcdedit and don't change it to 0.5 randomly in Windows thinking "I know better". Lleave this as stock, Windows knows that its doing and when to set it to 0.5. It's weird you say "0.5" since Windows 10 handles this as an uneven number; 0.4992 in my case when I change it, leave this alone in Windows, don't make it an "even" number, this is a debug number for a reason, if you change it to "even number" on 10 it will hurt other system timers and some games could have odd frametiming issues, I learned that the hard way.

 

All 3 game store/launchers on my rig - Steam, Origin, UPlay - set timer resolution to 1ms.
Windows itself does not need high timer resolution.