Wednesday, December 11, 2019

Process Mitigation / Exploit Protection


Process Mitigation (PM)
Windows 10 Exploit protection settings are displayed and controlled under Update & Security > Windows Security > App & browser control > Exploit protection settings.

Depending on the GPOs used the settings may or may not be visible or changeable within the user interface.

The PowerShell cmdlet Set-ProcessMitigation -System can be used to control the settings. These commands write their results to the registry value

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\MitigationOptions

Per-application settings are stored under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<AppName.exe>\MitigationOptions

Using Get-ProcessMitigation -System
Many of the PM settings display as NOTSET. This means they are at the OS default, which may be either ON or OFF. Exporting the settings to an XML file with -RegistryConfigFilePath will not include any default system settings, only those that have been explicitly set.

Once Set-ProcessMitigation has been used on any setting, e.g. to set it ON, the only way to return to the original NOTSET state is to delete the MitigationOptions registry value above.

Set-ProcessMitigation only enables or disables settings; it cannot be used to return a setting to the original OS default state, NOTSET.
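As an added example (not from this post), the following PowerShell audit script reports which system settings are explicitly ON or OFF rather than NOTSET, decodes the raw MitigationOptions value from both registry locations above, and exports the explicit settings to XML. It assumes an elevated PowerShell on Windows 10 with the ProcessMitigations module, that the low 64 bits of MitigationOptions follow the PROCESS_CREATION_MITIGATION_POLICY_* nibble layout from winbase.h, and a placeholder application name.

```powershell
# Added audit example, not from the post. Assumes elevated PowerShell on Windows 10.
param([string]$AppName = 'notepad.exe')   # placeholder application name

$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$IfeoKey   = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$AppName"

# 1. List every system setting that is explicitly ON or OFF; NOTSET means the OS default applies.
$explicit = foreach ($group in (Get-ProcessMitigation -System).PSObject.Properties) {
    if ($null -eq $group.Value) { continue }
    foreach ($opt in $group.Value.PSObject.Properties) {
        if ("$($opt.Value)" -in 'ON', 'OFF') {
            [pscustomobject]@{ Setting = "$($group.Name).$($opt.Name)"; Value = "$($opt.Value)" }
        }
    }
}
if ($explicit) { $explicit | Format-Table -AutoSize } else { 'Every system setting is NOTSET (OS defaults).' }

# 2. Decode the raw MitigationOptions value. Assumption: its low 64 bits follow the
#    PROCESS_CREATION_MITIGATION_POLICY_* layout from winbase.h, i.e. one nibble per
#    policy (1 = ALWAYS_ON, 2 = ALWAYS_OFF, 0 = not set); DEP and SEHOP are single bits.
function ConvertFrom-MitigationOptions($Raw) {
    $v = if ($Raw -is [byte[]]) { [BitConverter]::ToUInt64($Raw, 0) } else { [uint64]$Raw }
    [pscustomobject]@{ Setting = 'DEP';   Value = if ($v -band 0x1) { 'ON' } else { 'not set' } }
    [pscustomobject]@{ Setting = 'SEHOP'; Value = if ($v -band 0x4) { 'ON' } else { 'not set' } }
    $nibbles = [ordered]@{
        'Mandatory ASLR (force relocate images)'   = 8
        'Validate heap integrity (heap terminate)' = 12
        'Bottom-up ASLR'                           = 16
        'High-entropy ASLR'                        = 20
        'Strict handle checks'                     = 24
        'Win32k system call disable'               = 28
        'Extension point disable'                  = 32
        'Prohibit dynamic code'                    = 36
        'Control Flow Guard (CFG)'                 = 40
        'Block non-Microsoft binaries'             = 44
    }
    foreach ($name in $nibbles.Keys) {
        $state = [int](($v -shr $nibbles[$name]) -band 0x3)
        [pscustomobject]@{ Setting = $name; Value = @('not set', 'ON', 'OFF', 'other')[$state] }
    }
}
foreach ($path in $SystemKey, $IfeoKey) {
    $raw = (Get-ItemProperty -Path $path -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
    if ($null -eq $raw) { "$path : no MitigationOptions value, so OS defaults apply" }
    else { "$path :"; ConvertFrom-MitigationOptions $raw | Format-Table -AutoSize }
}

# 3. Export only the explicitly set values; defaults are not written, as the post notes.
Get-ProcessMitigation -System -RegistryConfigFilePath "$env:TEMP\mitigations.xml"
```

Deleting the MitigationOptions value is what returns a setting to NOTSET, so the decoded output of step 2 is the quickest way to confirm that a value has actually been removed rather than merely set OFF.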

In Windows 10 1803 and 1809 these are the OS default settings:

Control Flow Guard (CFG)
Use default (On)

Data Execution Prevention (DEP)
Use default (On)

Force randomization for images (Mandatory ASLR)
Use default (Off)

Randomise memory allocations (Bottom-up ASLR)
Use default (On)

High-entropy ASLR
Use default (On)

Validate exception chains (SEHOP)
Use default (On)

Validate heap integrity
Use default (On)