Exploit Protection: system-level mitigation, Validate exception chains (SEHOP) must be on


Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Validate exception chains (SEHOP)", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows may be subject to various exploits.


Ensure the Exploit Protection system-level mitigation "Validate exception chains (SEHOP)" is turned on. The default configuration in Exploit Protection is "On by default", which meets this requirement.

Open "Windows Defender Security Center"
|_ Select "App & browser control".
|_ Select "Exploit protection settings".
|_ Under "System settings", configure "Validate exception chains (SEHOP)" to "On by default" or "Use default ()".
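
The same setting can be audited from PowerShell. This is an added example, not part of the original finding text: Test-SehopSystemMitigation is a hypothetical helper name, and the mapping of ON to "On by default" and NOTSET to "Use default" is an assumption stated in the comments.

```powershell
# Added example: audit the system-level SEHOP mitigation from PowerShell.
# Test-SehopSystemMitigation is a hypothetical helper, not a built-in cmdlet.
function Test-SehopSystemMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Turn the mitigation back on when it is found explicitly OFF.
        [switch]$Remediate
    )

    # Get-ProcessMitigation is only present on Windows builds that include
    # Exploit Protection; fail clearly on hosts that lack it.
    if (-not (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue)) {
        throw 'Get-ProcessMitigation is not available on this host.'
    }

    # System-level state is reported as ON, OFF or NOTSET.
    $state = [string](Get-ProcessMitigation -System).SEHOP.Enable

    # Assumption: ON corresponds to "On by default" and NOTSET to
    # "Use default"; only an explicit OFF fails the requirement.
    $compliant = $state -ne 'OFF'

    if (-not $compliant -and $Remediate -and
        $PSCmdlet.ShouldProcess('System settings', 'Enable SEHOP')) {
        # Changing system mitigations requires an elevated session.
        Set-ProcessMitigation -System -Enable SEHOP
        $state     = [string](Get-ProcessMitigation -System).SEHOP.Enable
        $compliant = $state -ne 'OFF'
    }

    # One record per host, suitable for Export-Csv or ConvertTo-Json.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Mitigation   = 'SEHOP'
        SystemState  = $state
        Compliant    = $compliant
    }
}

Test-SehopSystemMitigation
```

Run with -Remediate -WhatIf first to see the change that would be made without applying it.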

STIG: Server:
2019: https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93317

NIST 800-53: SI-18
CSCv7: 8.3
Shared Assessments SIG 2022: P.10, P.10.3, P.10.3.1, P.10.3.2