I have a 32-bit executable running on Windows 10. The System DEP is set to OptIn.
I call GetProcessDEPPolicy and it returns:
dwFlags == 0 // DEP is disabled
bPermanent == 184 // which means TRUE, so permanent
This means I shouldn't be able to change it. However, this is right at start-up, so I SHOULD be able to change it.
In any case, if I ignore bPermanent and call SetProcessDEPPolicy with PROCESS_DEP_ENABLE, and THEN call GetProcessDEPPolicy again, it then returns:
dwFlags == 1 // DEP is enabled
bPermanent == 1 // Also TRUE, so supposedly still permanent
And if I call SetProcessDEPPolicy yet again, THEN it starts failing and I can't change it back.
So my question is: Why does GetProcessDEPPolicy return bPermanent for the first call? It sure looks like a bug / regression and I think this is a change in behavior as this code has been around for a decade and I'm sure it worked correctly in Windows 7 & 8.
This is a defect in the GetProcessDEPPolicy function. You can work around it by using the GetProcessMitigationPolicy function instead.
PROCESS_MITIGATION_DEP_POLICY policy = { 0 }; // important to preinitialize with 0
GetProcessMitigationPolicy(hProcess, ProcessDEPPolicy, &policy, sizeof(policy));
Sorry.
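An added example (not part of the original answer) showing the workaround in a start-up routine: read the DEP state through GetProcessMitigationPolicy with a zeroed structure, call SetProcessDEPPolicy only when DEP is off and not locked, then re-query. The names `dep_decide` and `enable_dep_at_startup` are hypothetical; the Windows part assumes a 32-bit process built against Windows 8 or later headers.

```c
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0602 /* GetProcessMitigationPolicy needs Windows 8+ headers */
#endif
#include <stdio.h>

/* Hypothetical helper names. The decision logic is free of Windows types. */
typedef enum { DEP_ALREADY_ON, DEP_TRY_ENABLE, DEP_LOCKED_OFF } dep_action;

/* Any non-zero 'permanent' counts as TRUE: never compare a BOOL with == TRUE. */
static dep_action dep_decide(unsigned enable, unsigned permanent)
{
    if (enable)
        return DEP_ALREADY_ON;
    return permanent ? DEP_LOCKED_OFF : DEP_TRY_ENABLE;
}

#ifdef _WIN32
#include <windows.h>

/* Returns 0 when DEP is on for this process, -1 otherwise. */
static int enable_dep_at_startup(void)
{
    PROCESS_MITIGATION_DEP_POLICY policy = { 0 }; /* zero first, as the answer says */
    HANDLE self = GetCurrentProcess();

    if (!GetProcessMitigationPolicy(self, ProcessDEPPolicy, &policy, sizeof(policy)))
        return -1;
    switch (dep_decide(policy.Enable, policy.Permanent)) {
    case DEP_ALREADY_ON: return 0;
    case DEP_LOCKED_OFF: return -1; /* off and cannot be changed */
    default: break;
    }
    if (!SetProcessDEPPolicy(PROCESS_DEP_ENABLE)) { /* 32-bit processes only */
        fprintf(stderr, "SetProcessDEPPolicy failed: %lu\n", GetLastError());
        return -1;
    }
    /* Re-query so the caller acts on the real state, not the requested one. */
    ZeroMemory(&policy, sizeof(policy));
    if (!GetProcessMitigationPolicy(self, ProcessDEPPolicy, &policy, sizeof(policy)))
        return -1;
    return policy.Enable ? 0 : -1;
}
#endif

int main(void)
{
#ifdef _WIN32
    return enable_dep_at_startup() == 0 ? 0 : 1;
#else
    puts(dep_decide(0, 184) == DEP_LOCKED_OFF ? "184 reads as permanent" : "?");
    return 0;
#endif
}
```

The `dep_decide(0, 184)` case is the pair reported in the question: code that trusts that value would skip enabling DEP, which is why the state should come from the mitigation-policy call.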