Enable svchost.exe mitigation options

Policy overview

Key metadata and intent for this policy.

Scope: Computer
Category: System > Service Control Manager Settings > Security Settings
Supported on: At least Windows Server 2016, Windows 10

Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016

This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically generated code. If you disable or do not configure this policy setting, these stricter security settings will not be applied.

Internal name: SvchostProcessMitigationEnable
Policy ID: ae5ad6b25c1c
Elements: 0

Registry values

How enabled and disabled states update the registry.

Scope: Computer
Hive: HKLM
Path: System\CurrentControlSet\Control\SCMConfig
Value name: EnableSvchostMitigationPolicy
Type: REG_DWORD
Enabled value: 1
Disabled value: 0
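
The registry mapping above can be audited on a host with a short PowerShell check. This is an added example, not part of the original policy reference; the function name and the state labels it returns are assumptions chosen for illustration. A missing key or value is reported as not configured, which the policy text treats the same as disabled.

```powershell
# Added example: audit the registry value written by this policy.
# Function name, property names and state labels are hypothetical.
function Get-SvchostMitigationPolicyState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\System\CurrentControlSet\Control\SCMConfig',
        [string]$Name = 'EnableSvchostMitigationPolicy'
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $Path
        ValueName    = $Name
        RawValue     = $null
        ValueKind    = $null
        State        = 'NotConfigured'   # key or value absent
    }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $key -and $key.GetValueNames() -contains $Name) {
        $result.RawValue  = $key.GetValue($Name)
        $result.ValueKind = $key.GetValueKind($Name)

        # The policy writes a REG_DWORD; any other type is flagged for review.
        if ($result.ValueKind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $result.State = 'UnexpectedType'
        }
        else {
            switch ($result.RawValue) {
                1       { $result.State = 'Enabled' }
                0       { $result.State = 'Disabled' }
                default { $result.State = 'UnexpectedValue' }
            }
        }
    }

    [pscustomobject]$result
}

$state = Get-SvchostMitigationPolicyState
$state | Format-List
if ($state.State -ne 'Enabled') {
    Write-Warning "svchost.exe mitigation policy is not enabled (state: $($state.State))."
}
```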

Policy elements

Inputs and configuration options exposed by this policy.

This policy has no additional user input fields.