Disabling 16 bit applications in Windows

In January, someone at Google discovered a bug in Windows that had been there for 17 years. (This was reported at The Register, among other places.) Microsoft have now released a patch, as described in Security Bulletin MS10-015, so it’s no longer a problem. However, I think that the details are interesting, particularly if you intend to move to 64-bit Windows at some point.

Windows 95 was the first 32-bit version of Windows, but it still allowed you to run 16-bit applications (designed for Windows 3.1), and newer versions of Windows have kept that option. Similarly, a 64-bit version of Windows will run 32-bit applications, but it won’t run 16-bit applications. This particular bug was part of the 16-bit subsystem, so it didn’t apply to 64-bit versions of Windows.

If you are using 32-bit Windows, you can still disable the 16-bit subsystem via Group Policy. Run “gpedit.msc” (this needs to run as administrator on Vista/7), then browse to:
Computer Configuration\Administrative Templates\Windows Components\Application Compatibility
Change the “Prevent access to 16-bit applications” setting to be Enabled.

Local Group Policy Editor

I’ve done this on my computer at home and at work, for a couple of reasons. Firstly, it reduces my attack surface, so I won’t be affected by any other bugs in this part of Windows. Secondly, I’ll find out whether I’m using any 16-bit software; if so, I won’t be able to use it on 64-bit Windows, so I either need to replace it or delay that move, and this will allow me to make an informed decision.

If you change this setting, then try to run a 16-bit application, you see a message like this:

16-bit error message

I think that’s a fairly clear error message – if I see it, I’ll know exactly why the program was blocked. The minor snag is that I get the UAC elevation prompt first, i.e. I have to enter an admin username/password (to run the software) before it tells me that I can’t continue, but that’s not too bad.

The only real problem so far has been when I tried to upgrade my BIOS. The Dell program displayed this error message:

BIOS Flash error message

I disabled the GPO setting (allowing 16-bit programs to run), rebooted, and then I was able to upgrade my BIOS. I then enabled the GPO setting again. Apparently you can run the BIOS flashing program from a DOS boot disk or from within Windows, so that’s presumably why it’s 16-bit. Dell don’t offer any 64-bit drivers for this particular model of PC (OptiPlex 360), so it wouldn’t exactly be a problem, but it’s not ideal either. I have run their BIOS flashing programs on servers (running 64-bit Windows), so hopefully they’ll do equivalent programs for their desktop machines in due course. For now, it’s just something to be aware of.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.