What is Protected Mode?
Protected mode refers to the 32-bit operating mode that is typically found on Intel 80286 or newer CPUs. Also known as protected virtual address mode, protected mode is used by most operating systems other than DOS.
- Protected mode is the security feature and the primary operating mode of modern Intel processors and their clones, starting with the 16-bit 80286.
- The later processors come with a 32-bit protected mode that supports a number of virtual address spaces with up to 4 GB of addressable memory.
- This mode offers stringent hardware I/O and memory protection to the system and also restricts the available instruction set through rings.
- The protected mode is enabled by default and it makes additional features available for the CPU, operating systems and the software to use.
- Turning this security mode off will make a computer system vulnerable to malicious software, adware, spyware, viruses, and plugins that can affect data files, apps, and Windows system files.
Understanding Protected Mode
Protected mode is a security feature that was added to Intel's x86 architecture in early 1982. Over time, this became the foundation of all later Intel x86 architectures.
The initial versions, however, did not allow switching back to the real mode or enabling the protected mode.
There was an option available to protect the registers, stack pointers, and interrupt mask in the Random Access Memory. This option could be accessed via a keyboard controller.
In the later versions, starting with the 386 processors, enabling protected mode was allowed.
It was far easier than the steps involved in the 286 architecture because it offered an internal mechanism to exit the protected mode.
This mode offers several benefits, including but not limited to:
- Addressing extended and virtual memory
- Protection from overwriting programs
It also allows terminating a failed program without restarting the programs that are running or the computer system.
Ideally, the protected mode enhances the security aspect while also enhancing system stability with its unique features. Some of these features are:
There are four privilege levels, also known as rings, where ring 0 is the most privileged and ring 3 is the least privileged.
Usually, the operating system runs on ring 0 and applications run on ring 3. These rings allow the system software to prevent tasks from accessing data.
Virtual 8086 mode:
This mode allows code written earlier for the 8086 to run on new systems. This backward compatibility does not require any modifications to the code. It enhances system security and stability.
Compatibility with real mode applications:
Windows 3.x and its successors provide binary compatibility with real mode so that Windows 2.x applications can also run in protected mode.
In protected mode, the segment part of an address is replaced by a 16-bit selector. The thirteen upper bits contain the index of an entry in a descriptor table. This entry includes:
- A limit value for the size of the segment
- A few flags and
- The real linear address of the segment.
The two lowest bits give the requested privilege level from 0 to 3, and the remaining bit indicates whether the operation is against the GDT or the LDT.
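The selector and descriptor fields described above can be pulled apart in a few lines of C. This is an added example, not code from the original article; the function and struct names are hypothetical, the sample descriptor is constructed, and the 8-byte descriptor layout and the max(CPL, RPL) <= DPL rule for data segments are standard 386 behaviour that the article does not spell out.

```c
#include <stdbool.h>
#include <stdint.h>

struct selector {            /* 16-bit segment selector */
    uint16_t index;          /* bits 15..3: entry number in the table */
    bool     ldt;            /* bit 2: false = GDT, true = LDT */
    uint8_t  rpl;            /* bits 1..0: requested privilege, 0..3 */
};

struct descriptor {          /* 8-byte 386 segment descriptor */
    uint32_t base;           /* linear address of the segment start */
    uint32_t limit;          /* 20-bit limit field as stored */
    uint8_t  access;         /* P (bit 7), DPL (bits 6..5), type */
    uint8_t  flags;          /* G (bit 3), D/B, L, AVL */
};

struct selector decode_selector(uint16_t raw)
{
    struct selector s = { (uint16_t)(raw >> 3), (raw >> 2) & 1, (uint8_t)(raw & 3) };
    return s;
}

struct descriptor decode_descriptor(const uint8_t d[8])
{
    struct descriptor o;
    o.limit  = d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    o.base   = d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    o.access = d[5];
    o.flags  = (uint8_t)(d[6] >> 4);
    return o;
}

/* Bytes covered by the segment: with G set, the limit counts 4 KiB pages. */
uint64_t segment_size(const struct descriptor *d)
{
    uint64_t last = (d->flags & 0x8) ? (((uint64_t)d->limit << 12) | 0xFFF) : d->limit;
    return last + 1;
}

/* Data-segment check: segment present and max(CPL, RPL) <= DPL. */
bool data_access_allowed(uint8_t cpl, struct selector s, const struct descriptor *d)
{
    uint8_t dpl = (d->access >> 5) & 3, eff = cpl > s.rpl ? cpl : s.rpl;
    return (d->access & 0x80) && eff <= dpl;
}

/* Constructed sample: flat ring-0 data segment (base 0, limit 0xFFFFF, G=1). */
const uint8_t SAMPLE_FLAT_DATA[8] = {0xFF, 0xFF, 0x00, 0x00, 0x00, 0x92, 0xCF, 0x00};
```

Decoding the sample descriptor gives a 4 GB segment, and a ring 3 caller (or a ring 0 caller presenting a selector with RPL 3) is refused access to it.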
This allows the operating system to run several tasks concurrently but can be used only when a task is programmed to be carried out on different processors.
While switching between tasks, the processor saves the current context information in the task state segment.
When the original task is rescheduled for execution, the processor uses this saved information to set its internal registers and start the process.
This feature protects against software bugs and allows the operating system to multitask more reliably. It checks the memory cycles before the process starts and terminates any offending cycles, generating an exception. This enhances the stability of all tools for software development.
Different sections of the memory are called pages. These pages can be transferred from primary storage to secondary storage, which offers more space to store.
The operating system can produce a different virtual address space for every task, preventing one task from controlling the memory of another.
There is a collection of configurable debug registers that allow setting a breakpoint on a preferred memory address and specifying the type of cycle that triggers it.
When this breakpoint is reached, an exception is generated and the debugger takes control, displaying information about the internal state of the CPU.
Protected Mode in OS
Operating systems such as OS/2 1.x attempt to switch the CPU between real mode and protected mode, which is not only slow but also unsafe.
This is because the chances of the system crashing are really high in real mode. Therefore, it is best for an operating system to be in protected mode.
This allows a bound program or API to run either in protected mode or in real mode.
Windows 3.0 can run real mode programs in 16-bit protected mode by preserving the single privilege level model used in real mode.
This allows DLLs and Windows applications to access hardware directly and hook interrupts.
A Windows 1.x or 2.x program, however, can run in the same way in both modes since it avoids segment arithmetic and is written properly.
Typically, all Windows programs avoid segment arithmetic since they use a software virtual memory system that moves data and program code in memory when programs are not running.
Manipulating absolute addresses can therefore be dangerous, and programs should keep only handles to memory blocks when they are not running.
In Windows 3.1, however, real mode was not supported and therefore could not be accessed.
In modern 32-bit operating systems, virtual 8086 mode is still used to run applications in OS/2 2.0 and 32-bit Windows NT but is controlled by a 32-bit kernel.
However, 64-bit operating systems running in long mode do not use this because virtual 8086 mode is removed from long mode.
Protected Mode in Assembly Language
x86 assembly programming in protected mode typically uses 32-bit addressing of registers, memory, paging, and protection.
There are eight 32-bit General Purpose Registers or GPRs used in this process in protected mode. Four are data registers and the other four are address registers.
The four data registers are:
- The accumulator EAX
- The base register EBX
- The counter register ECX
- The data register EDX
The four address registers are:
- The source register ESI
- The destination register EDI
- The stack pointer register ESP
- The stack base pointer register EBP
Apart from that, there are also some non-application registers used to change the state of the CPU such as:
- The control registers CR0, CR1, CR2, and CR3
- The test registers TR4, TR5, TR6, and TR7
- The descriptor registers Global Descriptor Table Register (GDTR), Local Descriptor Table Register (LDTR), Interrupt Descriptor Table Register (IDTR) and
- The task register (TR).
All these registers can be used for holding data as well as for segmented addressing of the memory.
In addition to that, there are also a host of mnemonics for the opcodes used in this language such as add, bound, call, div, enter, hlt, into, jpe, leave, mov, not, or, push, ret, sets, test, verr, wait, and xor, just to name a few.
Different addressing models are also used in this mode such as:
- Physical addresses
- Linear addresses
- Logical addresses
Two distinct descriptor tables hold information about the behavior and appearance of the memory:
- A Global Descriptor Table or GDT, which is pointed to by the GDTR
- A Local Descriptor Table or LDT, which is pointed to by the LDTR
These tables are usually referenced by 48-bit wide pointers with two fields as follows:
- The base field, which is a pointer to the beginning of the table, and
- The limit, which indicates the length of the table in bytes.
The interrupts in the protected mode can be programmed to switch into a particular thread or process automatically.
To switch to protected mode, here are the steps:
- Load GDTR with the pointer to the GDT-table
- Load IDTR with the pointer to the IDT or disable interrupts
- Set the PE-bit of the CR0-register
- Jump to the 32-bit code for flushing the PIQ
- Set TR with the selector of a legitimate TSS
You may also load LDTR with the pointer to the LDT-table at your discretion.
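The 48-bit table pointer described earlier is the value that the first step loads into GDTR. The following added example (not from the original article) packs that value and checks whether a selector still falls inside the table; the function names and the sample base address 0x7E00 are hypothetical, and the convention that the limit field holds the table size in bytes minus one is architectural detail the article does not state.

```c
#include <stdbool.h>
#include <stdint.h>

#define DESC_SIZE   8u      /* each descriptor table entry is 8 bytes */
#define MAX_ENTRIES 8192u   /* a 13-bit selector index reaches at most 8192 entries */

/* Pack the 6-byte (48-bit) value loaded into GDTR: 16-bit limit first,
 * then the 32-bit base, both little-endian. The limit is the offset of
 * the table's last valid byte, i.e. its size in bytes minus one. */
bool pack_gdtr(uint32_t base, uint32_t entries, uint8_t out[6])
{
    if (entries == 0 || entries > MAX_ENTRIES)
        return false;
    uint16_t limit = (uint16_t)(entries * DESC_SIZE - 1);
    out[0] = (uint8_t)(limit & 0xFF);
    out[1] = (uint8_t)(limit >> 8);
    for (int i = 0; i < 4; i++)
        out[2 + i] = (uint8_t)(base >> (8 * i));
    return true;
}

uint16_t gdtr_limit(const uint8_t g[6])
{
    return (uint16_t)(g[0] | (g[1] << 8));
}

uint32_t gdtr_base(const uint8_t g[6])
{
    return g[2] | ((uint32_t)g[3] << 8) | ((uint32_t)g[4] << 16) | ((uint32_t)g[5] << 24);
}

/* A GDT selector is usable only if all 8 bytes of its entry lie inside
 * the table: index * 8 + 7 must not exceed the limit. */
bool gdt_selector_in_bounds(uint16_t selector, const uint8_t g[6])
{
    if (selector & 0x4)          /* table-indicator bit set: refers to the LDT */
        return false;
    uint32_t last = (uint32_t)(selector >> 3) * DESC_SIZE + 7;
    return last <= gdtr_limit(g);
}
```

For a three-entry table the limit is 23, so selectors 0x08 and 0x10 are in bounds while 0x18 is not.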
What is Protected Mode in Windows 10?
Windows protected mode is a feature of Internet Explorer. This protects the system from spyware, viruses, adware and other malicious software that may enter into it from the Internet or from any other potentially insecure locations.
This mode opens these locations and sites safely in read-only mode so that you can read and see the contents.
Typically, in Windows, there are several reasons for a file to open in a protected view and specific warning messages and images will be displayed for each when you open them in a protected view.
Depending on the version, some of these are:
- The file may be opened from an Internet location – The message will read, “Be careful – files from the Internet can contain viruses. Unless you need to edit, it’s safer to stay in Protected View.”
- The file may be received as an Outlook attachment and the sender is considered unsafe by your computer policy – The message will read, “Be careful – email attachments can contain viruses. Unless you need to edit, it’s safer to stay in Protected View.”
- The file may be opened from any unsafe location – The message will read, “This file was opened from a potentially unsafe location. Click for more details.”
- The file may be blocked by File Block – The messages will read when editing is not allowed as, “Editing this file type is not allowed due to your policy settings. Click for more details.” When editing is allowed but not recommended, the message will read as, “Editing this file type is not recommended due to your File Block settings in the Trust Center. Click for more details.”
- There may be a file validation failure – The message will read, “Microsoft 365 has detected a problem with this file. Editing it may harm your computer. Click for more details.”
- The file may be opened in Protected View with the Open in Protected View option – The message will read, “This file was opened in Protected View. Click for more details.”
- The file may be opened from the OneDrive storage of someone else – The message will read, “Be careful – This file is from someone else’s OneDrive. Unless you trust this person and want to continue collaborating with them, it is safer to stay in Protected View.”
When you choose to open a file even after getting a message, you can do so by using the Open in Protected View option. The steps to follow are:
- Click File
- Click Open
- Click on the arrow beside the Open button on the Open dialog box
- Click on Open in Protected View from the list
How To Turn Off Protected Mode?
Though you should not disable protected mode because doing so affects the security of your device, you may do so if you wish by changing the advanced settings under Tools in Internet Explorer.
The steps to follow for disabling protected mode are:
- Start Internet Explorer
- Select Tools
- Select Internet options
- Go to the Advanced tab
- Under Security, uncheck the Enable Enhanced Protected Mode check box
- Click Apply and OK
- Click OK on the warning window to confirm the changes
Once you are done, you must restart the browser so that the changes take effect.
Disabling protected mode should be done at your own risk. Even if you have to, do it temporarily when you need to load any incompatible add-ons and are sure that the site and the content you are using are absolutely safe and secure.
How to Enable Protected Mode?
Protected mode is usually enabled by default. However, it is disabled by default in Windows 8.1 but can be enabled from the Tools menu in Internet Explorer.
If it is not, then you can specify the settings from the advanced properties with the preference set to Enhanced.
Before you make changes in the settings, you should first check the status to find out whether or not the protected mode is enabled. The steps to follow for that are:
- Choose File
- Select Properties
- Click on Advanced
- Select Protected Mode
If you find that it is not enabled, then you must first take some preparatory steps and then make the changes.
Before switching to protected mode, these are the things you should do:
- Disable interrupts including Non-Maskable Interrupt or NMI according to the Intel Developer’s Manual
- Enable the A20 Line
- Load the Global Descriptor Table with segment descriptors suitable for data, code, and stack
Now to specify the settings, you should follow these steps:
- Choose Edit
- Select Preferences
- Choose Categories
- Select Security (Enhanced) in the list
- Select Enable Protected Mode at Startup in the Sandbox Protections section
- Enable Create Protected Mode Log File for recording procedures
It might take some time for the changes to take effect when you start the app next time. However, you can click on View Log to open the log file and check.
What Features Become Available in Protected Mode?
In the protected mode, the system software will be able to use specific features such as paging, virtual memory and multitasking.
Also, enabling protected mode will unleash the real power of the CPU, operating system and the software.
The CPU is typically initialized in the real mode by the Basic Input Output System or BIOS. When the protected mode is enabled, the power of the CPU will be enhanced significantly.
However, it will not allow using most of the BIOS interrupts because they typically work in real mode.
This mode also enables the software to use its privilege levels since it will be given different ring values such as 0, 1, 2, or 3. The different ring values give different permissions to the program. For example:
- 0 indicates a super administrator-enabled program with full access permissions like in the operating system files.
- 3 indicates default applications with very limited permissions. This prevents the operating system from being damaged by rogue programs.
The operating system also has enhanced control in protected mode over all the apps running on the system. This control allows it to shut down or delegate a process that is unsafe to run.
This specific mode also enhances memory usage abilities of programs with the use of paging resources.
It allows using more memory by the applications than what is physically available to them.
It also keeps the virtual memory segments secure with firewalls and with the access to these areas restricted by the system.
Protected mode makes the space available in virtual memory and paging files available for allocation by removing processes from the physical memory to the virtual memory paging files on the hard drive.
This increases the processing time of the CPU as well as augments security since a separate and reserved space is created to be accessed only by the application and not by all other resources of the system.
In the protected mode, multitasking is another major benefit offered with the use of call gates, permission rings, and task state segments.
This gives priority to particular processes and operations and the level of priority controls the amount of processor time to be given to the function of a specific process or app.
Where is Protected Mode Status Available?
The status of protected mode is available under the Advanced tab in the Properties section of the File option.
Protected Mode or Enhanced Protected Mode is a useful feature that guards the computer from malicious software.
It prevents harmful activities and potentially unsafe web content from accessing your system and therefore prevents viruses, adware and spyware. So, it is unwise to disable this protective shield.