A utility to query Windows support for security features and mitigations with hardware dependencies.
It's increasingly the case that many modern system security features depend on not only operating system support but underlying hardware capabilities. For example, many Windows security features leverage a TPM or virtualisation technology which requires CPU support. In addition, a significant number of processor security vulnerabilities have been disclosed in recent years, most prominently seen in the speculative execution class of vulnerabilities. Mitigating these vulnerabilities often requires the combination of a processor microcode update and associated operating system update to leverage the vulnerability mitigations on the processor which were introduced by the microcode update.
This utility is designed to query a Windows system to determine its support for and the configuration of security features which have dependencies on the underlying hardware. This includes both general-purpose security features (e.g. Virtualisation-based Security) and security features introduced to mitigate processor vulnerabilities (e.g. speculative execution mitigations). In addition, where applicable the utility attempts to determine if the state of a given security setting is considered "secure".
Determining if a given setting is secure can be non-trivial. While typically straightforward for general-purpose security features (they should be enabled), security settings introduced to mitigate a processor vulnerability are usually specific to certain processor architectures and further constrained to certain models. These settings being disabled is not necessarily insecure; it's only problematic if the processor itself is vulnerable. Further, some output is purely informational, such as indicating if certain processor features are supported. These features may reduce the performance impact of vulnerability mitigations, but their absence does not represent a security issue. The utility tries to take all this into account, taking a conservative approach, indicating a setting is "secure" only if there's a high degree of confidence.
- Windows 7 or Server 2008 R2 (or newer)
- Windows PowerShell 3.0 (or newer)
Built-in since Windows 8 and Server 2012 - Supported .NET runtimes
- .NET Framework 4.6.2 (or newer)
Built-in since Windows 10 1607 and Server 2016 - .NET 8 (or newer)
Install manually: Download
Install with WinGet:winget install Microsoft.DotNet.Runtime.8
- .NET Framework 4.6.2 (or newer)
By default all available collectors are run:
| Name | Description | Notes |
|---|---|---|
Ium |
Isolated User Mode | Depends on Virtualisation-based Security feature |
KernelDma |
Kernel DMA Protection | |
KvaShadow |
Kernel VA Shadow | Mitigation of speculative execution vulnerabilities |
PointerAuth |
Pointer Authentication | Currently only supported on ARM processors |
SecureBoot |
Secure Boot | |
ShadowStacks |
Shadow Stacks | Currently only supported on Intel and AMD processors |
SkSpecCtrl |
Secure Speculation Control | Depends on Virtualisation-based Security feature |
SpecCtrl |
Speculation Control | Mitigation of speculative execution vulnerabilities |
SystemInfo |
System Information | |
Tpm |
Trusted Platform Module | |
Vbs |
Virtualisation-based Security | |
Vsm |
Virtual Secure Mode | Depends on Virtualisation-based Security feature |
To select the collector to run use the -c or --collectors command-line parameter. The parameter can be specified multiple times to select multiple collectors.
Multiple output formats are supported:
table(default)
Easiest to interpret and designed for human consumption. This is the only format that also outputs if a given setting is considered secure.raw
A more minimal format without pretty table formatting.json
The raw data structures retrieved from querying the system. Primarily designed for programmatic ingestion and processing of the results.
To change the output format use the -o or --output command-line parameter.
- DMA
Direct Memory Access - IP
Instruction Pointer - MMIO
Memory-mapped I/O - PTE
Page Table Entry - TPM
Trusted Platform Module - VA
Virtual Address - VMM
Virtual Machine Monitor
- BIOS
Basic Input/Output System - UEFI
Unified Extensible Firmware Interface- MOR
Memory Overwrite Request Control
- MOR
- BHB
Branch History Barrier - BPB
Branch Predictor Barrier- IBPB (AMD / Intel)
Indirect BPB - SBPB (AMD)
Selective BPB
- IBPB (AMD / Intel)
- IBRS (AMD / Intel)
Indirect Branch Restricted Speculation- AutoIBRS (AMD)
Automatic IBRS - eIBRS (Intel)
Enhanced IBRS
- AutoIBRS (AMD)
- SSBD (AMD / ARM / Intel)
Speculative Store Bypass Disable - SSBS (ARM)
Speculative Store Bypass Safe - STIBP (AMD / Intel)
Single Thread Indirect Branch Predictors
CALL/JMP- BHB (Intel)
Branch History Buffer - BTB (AMD / Intel)
Branch Target Buffer
- BHB (Intel)
RET- RAP (AMD)
Return Address Predictor - RAS (AMD)
Return Address Store - RSB (Intel)
Return Stack Buffer- RSBA
RSB Alternate - RRSBA
Restricted RSBA
- RSBA
- RAP (AMD)
- CFI
Control-flow integrity- CET (Intel)
Control-flow Enforcement Technology - PAC (ARM)
Pointer Authentication Code- QARMA
Qualcomm ARM Authenticator
- QARMA
- SS (AMD)
Shadow Stack
- CET (Intel)
- Firmware runtime execution
- SMM (AMD / Intel)
System Management Mode - SMM (ARM)
Secure Monitor Mode
- SMM (AMD / Intel)
- Interupt controllers
- APIC (AMD / Intel)
Advanced Programmable Interrupt Controller- APICv (Intel)
APIC Virtualisation - AVIC (AMD)
Advanced Virtual Interrupt Controller
- APICv (Intel)
- GIC (ARM)
Generic Interrupt Controller- GICv3
GIC version 3 - GICv4
GIC version 4
- GICv3
- APIC (AMD / Intel)
- Non-executable memory protection (W^X)
- NX (AMD)
No eXecute - XD (Intel)
eXecute Disable - XN (ARM)
eXecute Never
- NX (AMD)
- Non-executable userland in kernel
- PXN (ARM)
Privileged eXecute Never - SMEP (AMD / Intel)
Supervisor Mode Execution Protection
- PXN (ARM)
- SLAT
Second Level Address Translation- GMET (AMD)
Guest Mode Execute Trap - MBEC (Intel)
Mode-Based Execution Control - TTS2UXN (ARM)
Translation Table Stage 2 Unprivileged eXecute-Never
- GMET (AMD)
- TLB entry management
Translation Lookaside Buffer- ASID (ARM)
Address Space Identifier - PCID (AMD / Intel)
Process-Context Identifiers- INVPCID
Invalidate Process-Context Identifier
- INVPCID
- ASID (ARM)
- Transactional memory
- TSX (Intel)
Transactional Synchronization Extensions- HLE
Hardware Lock Elision - RTM
Restricted Transactional Memory
- HLE
- TSX (Intel)
- Trusted execution
- SEV (AMD)
Secure Encrypted Virtualization- ES
Encrypted State (formerly SEV-ES) - SNP
Secure Nested Paging (formerly SEV-SNP) - TIO
Trusted I/O (formerly SEV-TIO) - TSME
Transparent Secure Memory Encryption
- ES
- TDX (Intel)
Trust Domain Extensions- PAMT
Physical-Address-Metadata Table - SEAM
Secure Arbitration Mode - TME-MK
Total Memory Encryption - Multi-Key
- PAMT
- SEV (AMD)
- BHI
Branch History Injection - BTC (Phantom, Retbleed)
Branch Type Confusion - FPVI
Floating Point Value Injection - GDS (Downfall)
Gather Data Sampling - L1TF (Foreshadow-NG)
L1 (Level 1 Data Cache) Terminal Fault - LVI
Load Value Injection - MDS
Microarchitectural Data Sampling- L1DES (CacheOut)
L1D Eviction Sampling - MDSUM (ZombieLoad)
Microarchitectural Data Sampling Uncacheable Memory - MFBDS (ZombieLoad)
Microarchitectural Fill Buffer Data Sampling - MLPDS
Microarchitectural Load Port Data Sampling - MSBDS (Fallout)
Microarchitectural Store Buffer Data Sampling - TAA (ZombieLoad v2)
TSX Asynchronous Abort - VRS
Vector Register Sampling
- L1DES (CacheOut)
- MMIO Stale Data
Memory-mapped I/O Stale Data- DRPW
Device Register Partial Write - FBSDP
Fill Buffer Stale Data Propagator - PSDP
Primary Stale Data Propagator - SBDR
Shared Buffers Data Read - SBDS
Shared Buffers Data Sampling - SRBDS Update
Special Register Buffer Data Sampling Update - SSDP
Sideband Stale Data Propagator
- DRPW
- RFDS
Register File Data Sampling - SCSB
Speculative Code Store Bypass - Spectre
- BCB (Spectre: Variant 1)
Bounds Check Bypass - BCBS (Spectre-NG: Variant 1.1)
Bounds Check Bypass Store - BHB (Spectre-BHB)
Branch History Buffer - BTI (Spectre: Variant 2, Spectre-BTB)
Branch Target Injection - RDCL (Spectre: Variant 3, Meltdown)
Rogue Data Cache Load - RSRR (Spectre-NG: Variant 3a)
Rogue System Register Read - SSB (Spectre-NG: Variant 4)
Speculative Store Bypass
- BCB (Spectre: Variant 1)
- SRBDS (CROSSTalk)
Special Register Buffer Data Sampling - SRSO (Inception)
Speculative Return Stack Overflow
- HVCI
Hypervisor-protected Code Integrity - HVPT
Hypervisor-enforced Paging Translation - IUM
Isolated User Mode - KMCI
Kernel Mode Code Integrity - UMCI
User Mode Code Integrity - VSM
Virtual Secure Mode - WSMT
Windows SMM Security Mitigations Table
- KB4072698: Windows Server guidance to protect against speculative execution side-channel vulnerabilities
- KB4073119: Windows client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
- KB4073757: Protect your Windows devices against speculative execution side-channel attacks
- KB4457951: Windows guidance to protect against speculative execution side-channel vulnerabilities
All content is licensed under the terms of The MIT License.