Microsoft has been testing Retpoline, a mitigation against Spectre variant 2 developed by Google, in Windows 10 Insider Builds for some time now. The company brought Retpoline to Windows 10 version 1809 by including it in the March 1 cumulative update KB4482887 for that version.

Tip: use the free InSpectre program for Windows to check the vulnerability status.

Retpoline promises improved performance compared to the previous mitigation method used by Microsoft in its operating systems. Microsoft monitored the performance of Windows 10 systems and determined that Retpoline improved the launch time of Office applications by about 25% among other benefits.

When all relevant kernel-mode binaries are compiled with retpoline, we’ve measured ~25% speedup in Office app launch times and up to 1.5-2x improved throughput in the Diskspd (storage) and NTttcp (networking) benchmarks on Broadwell CPUs in our lab.

Retpoline is not enabled by default on production devices even though it is included in the March 1 update. Microsoft plans to roll out the mitigation over the course of the coming months.

Administrators who don't want to wait can enable Retpoline right away provided that the devices run Windows 10 version 1809 and have the latest cumulative update installed.

Microsoft employee Mehmet Iyigun describes the process on the Tech Community site. Note that it is recommended that you back up the system and data before you apply the change.

Windows 10 Clients

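Note: Microsoft did not enclose the Registry key path in quotation marks (""). Because the path contains spaces, you will receive an error if you copy and paste Microsoft's command as published. The commands below include the quotation marks.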

Open an elevated command prompt, e.g. by opening Start, typing cmd.exe, right-clicking on the result, and selecting run as administrator. Run the following two commands:

1. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x400
   When prompted to overwrite the existing value, select Y for yes.
2. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x400
   When prompted to overwrite the existing value, select Y for yes.

Restart the PC.

Alternative: use the following Registry file to make the change with a double-click on it: Regpoline Windows 10 Client

Windows 10 Server

Open an elevated command prompt. Run the following two commands:

1. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x400
2. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x401

Restart the PC.

And here is the Registry file for Windows 10 Server versions: Windows 10 Server Regpoline

Note that you can make the changes in the Registry editor directly as well if you prefer to do so.

Verification

You may use the Get-SpeculationControlSettings PowerShell cmdlet to verify the status of Retpoline. BTIKernelRetpolineEnabled and BTIKernelImportOptimizationEnabled should be returned as True in the output.

Microsoft notes that Skylake and newer generations of Intel processors are not compatible with Retpoline; these will only return BTIKernelImportOptimizationEnabled as enabled when the command is run.
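A read-only check of the two Registry values from the commands above, written as an added example (it is not part of Microsoft's post or of this article's original text). It reports whether the 0x400 bit is present and whether other bits were already set, which matters because reg add replaces the whole value. Treating the values as bit flags, the function name Test-RetpolineRegistry, and the Win32_OperatingSystem ProductType test for client versus server are assumptions of this example.

```powershell
# Added example: audits the Retpoline Registry settings without changing them.
# Run from an elevated PowerShell prompt, before and after applying the change.
$key          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$RetpolineBit = 0x400   # value the article writes to FeatureSettingsOverride

# Hypothetical helper: pure bit checks on the two DWORD values.
function Test-RetpolineRegistry {
    param(
        [Parameter(Mandatory)] [int]$Override,
        [Parameter(Mandatory)] [int]$Mask,
        [Parameter(Mandatory)] [int]$ExpectedMask   # 0x400 client, 0x401 server (per the article)
    )
    [pscustomobject]@{
        Override                = '0x{0:X}' -f $Override
        Mask                    = '0x{0:X}' -f $Mask
        OverrideHasRetpolineBit = ($Override -band $RetpolineBit) -eq $RetpolineBit
        MaskCoversExpected      = ($Mask -band $ExpectedMask) -eq $ExpectedMask
        # Bits other than 0x400 that are set. If this is non-zero BEFORE the
        # change, running reg add with /d 0x400 would replace them.
        OtherOverrideBits       = '0x{0:X}' -f ($Override -band (-bnot $RetpolineBit))
    }
}

# Missing values are read as $null and cast to 0 (value not configured).
$props    = Get-ItemProperty -Path $key -ErrorAction Stop
$override = [int]$props.FeatureSettingsOverride
$mask     = [int]$props.FeatureSettingsOverrideMask

# Assumption: ProductType 1 is a client edition, anything else is a server.
$isServer     = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
$expectedMask = if ($isServer) { 0x401 } else { 0x400 }

Test-RetpolineRegistry -Override $override -Mask $mask -ExpectedMask $expectedMask

# After the restart, compare with the runtime state if the cmdlet is installed.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings |
        Select-Object BTIKernelRetpolineEnabled, BTIKernelImportOptimizationEnabled
} else {
    Write-Warning 'Get-SpeculationControlSettings is not available on this system.'
}
```

The Registry values only show what was requested; the two BTIKernel properties show what the kernel actually enabled after the restart.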

Article Name: Enable Retpoline on Windows 10 1809 and Server right now
Description: Find out how to enable Retpoline, an optimized mitigation against Spectre Variant 2 on Windows 10 version 1809 and latest Windows Server builds.
Author: Martin Brinkmann
Publisher: Ghacks Technology News
