Looks like there could be more performance implications with latest Security Advisory from Microsoft. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013 Potential performance impacts Specific performance impact varies by hardware generation and implementation by the chip manufacturer. For most consumer devices, impact on performance may not be noticeable. Some customers may have to disable Hyper-Threading (SMT) to fully address the risk from MDS vulnerabilities. In testing Microsoft has seen some performance impact with these mitigations, in particular when hyperthreading is disabled. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. In some cases, mitigations are not enabled by default to allow users and administrators to evaluate the performance impact and risk exposure before deciding to enable the mitigations. We continue to work with hardware vendors to improve performance while maintaining a high level of security.
There should be a registry switch for disabling it if you're not worried about it though it's performance or security when using a Intel CPU and it affects all of them from what I am reading though the severity and resulting performance impact can vary.
Can't wait for new benchmarks. At this point I'd pay @Hilbert Hagedoorn for his time if he could do a roundup of all Intel CPUs since Sandy bridge, but that's a lot of work and probably only shows what we already suspect.
In cmd the following disables all mitigations: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
here output with stock settings Speculation control settings for CVE-2017-5715 [branch target injection] Hardware support for branch target injection mitigation is present: True Windows OS support for branch target injection mitigation is present: True Windows OS support for branch target injection mitigation is enabled: True Speculation control settings for CVE-2017-5754 [rogue data cache load] Hardware requires kernel VA shadowing: True Windows OS support for kernel VA shadow is present: True Windows OS support for kernel VA shadow is enabled: True Windows OS support for PCID performance optimization is enabled: False [not required for security] Speculation control settings for CVE-2018-3639 [speculative store bypass] Hardware is vulnerable to speculative store bypass: True Hardware support for speculative store bypass disable is present: True Windows OS support for speculative store bypass disable is present: True Windows OS support for speculative store bypass disable is enabled system-wide: False Speculation control settings for CVE-2018-3620 [L1 terminal fault] Hardware is vulnerable to L1 terminal fault: True Windows OS support for L1 terminal fault mitigation is present: True Windows OS support for L1 terminal fault mitigation is enabled: True BTIHardwarePresent : True BTIWindowsSupportPresent : True BTIWindowsSupportEnabled : True BTIDisabledBySystemPolicy : False BTIDisabledByNoHardwareSupport : False BTIKernelRetpolineEnabled : True BTIKernelImportOptimizationEnabled : True KVAShadowRequired : True KVAShadowWindowsSupportPresent : True KVAShadowWindowsSupportEnabled : True KVAShadowPcidEnabled : False SSBDWindowsSupportPresent : True SSBDHardwareVulnerable : True SSBDHardwarePresent : True SSBDWindowsSupportEnabledSystemWide : False L1TFHardwareVulnerable : True L1TFWindowsSupportPresent : True L1TFWindowsSupportEnabled : True L1TFInvalidPteBit : 45 L1DFlushSupported : True this is with 0.12 version, I can't seem to get the newest 0.13 PS module to load as listed on this site https://support.microsoft.com/en-us...-of-get-speculationcontrolsettings-powershell The command " Install-Module SpeculationControl" gives me just a pop-up window, "what file do you want to open" I tried DL script as noted on that site but again when I run "Import-Module.\SpeculationControl.psd1 " I get a red error saying path, name is not right but it is.
this is really getting ridiculous. by time things are done being patched performance will be less performance like ...
Well for home users IMO just disable it all in reg with 3/3 values (that is what I am doing again). FeatureSettingsOverride= 3 FeatureSettingsOverrideMask = 3 https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in
Remove the existing module before trying to install the new one. You can do this with Uninstall-module command I see you got the same advice on tenforum but you didn't reply there yet. You also need to enable the installation of unsigned modules.
I did reply by saying thanks for the help but I disabled all those, I never wanted it enabled but wanted the script to work with the new version. So that is the reason I get the popup "open with what app" when I run PS> Install-Module SpeculationControl? I didn't want to try Uninstall-module command as if I still got that trouble afterward then I have no output. PS: I was using the "Set-ExecutionPolicy RemoteSigned -Scope Currentuser" with yes to all for signing stuff. Also, there was another guy at tenforum with 0.12 and wanted to upgrade to 0.14, he got it working with -force option, so he didn't have the same problem. I tried that too but doesn't seem to help and I don't see anyone else with this type of problem, at least with Google. With the popup, I was thinking might be a file association issue but seems ok when checking.
are you using native 10 powershell or did you install powershell core? might not work with powershell core.
I got it working with this post https://www.tenforums.com/windows-1...763-503-may-14-a-post1633893.html#post1633893 you can see my reply. I am using native Win10 (1809) PS, haven't installed core or newer versions. So I now have C:\Program Files\WindowsPowerShell\Modules\SpeculationControl\1.0.14 with 1.0.12 to.
on i7-2600k, win10 pro 1809 build 503, all protection show as true as default now except these: SSBDWindowsSupportEnabledSystemWide : False <--- this one i CAN get to read as "True" with the MS reg key MDSWindowsSupportPresent : True MDSHardwareVulnerable : True MDSWindowsSupportEnabled : False <--- this one still reads as false when i use the recommended reg key. Am i correct that the MDS one is the newer issue, SSBD was earler but not enabled by default. And MDS i will have to wait for a new microcode (i currently have the latest from MS on their kb microcode ms-catalog)? Is the SSBD one not on by default because of perfomance issues?