How to mitigate Zombie Load Vulnerability without dropping CPU performance

Earlier we mentioned that Intel recently confirmed a Zombieload vulnerability, and Intel has also introduced microcode updates to mitigate the vulnerability. Mitigating vulnerability updates can degrade the performance of Intel processors, especially on enterprise computers server.

The good news is that most home and corporate office users don’t have to worry about dropping CPU performance. The performance impact of microcode updates is very low. But if users need to use a computer for resource-intensive computing, then you can consider turning off vulnerability mitigation to restore higher performance.

ZombieLoad vulnerability

Closing vulnerability mitigation microcode updates, while recovering the original performance of the processor, pose potential security issues, so this is not recommended. In particular, the enterprise server or the computer in the intranet should be based on security. If you want to close the vulnerability mitigation measures, you can really consider it in advance. In addition, the performance degradation caused by microcode updates to game users is very small, so if it is not necessary or you don’t know the consequences of doing so, don’t change it.

According to Microsoft’s official solution, the following methods apply to the Spectre series vulnerability, the Meltdown series vulnerability, and the Microarchitectural Data Sampling vulnerability.

By modifying the registry key and adding a registry key, you can turn off Microsoft’s vulnerability microcode update pushed to the Windows 10 series through cumulative updates. After shutting down, Windows 10 will not continue to receive other security updates, but even if Microsoft pushes new microcode updates, it will not be enabled by default. Right-click on the Start menu and select Run and enter RegEdit to open the Registry Editor and paste the following path in the Registry Editor navigation bar.

To enable mitigations for Microarchitectural Data Sampling (CVE-2018-11091CVE-2018-12126CVE-2018-12127CVE-2018-12130) along with Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) variants, including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) as well as L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646) without disabling Hyper-Threading:

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization” /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d “1.0” /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they’re restarted.

Restart the computer for the changes to take effect.

To enable mitigations for Microarchitectural Data Sampling (CVE-2018-11091CVE-2018-12126CVE-2018-12127CVE-2018-12130) along with Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) variants, including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) as well as L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646) with Hyper-Threading disabled:

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization” /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d “1.0” /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they’re restarted.

Restart the computer for the changes to take effect.

To disable mitigations for Microarchitectural Data Sampling (CVE-2018-11091CVE-2018-12126CVE-2018-12127CVE-2018-12130) along with Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) variants, including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) as well as L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646):

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

After completing the above operations, you need to restart the system to make the settings take effect, that is, restore the original performance of your Intel processor without being affected by the vulnerability.