Does this site look plain?

This site uses advanced css techniques

No DEP! The Jamaica release (v8.0, in late 2006) of the Evolution™ Payroll Service-bureau software apparently conflicts with a setting of DEP - Data Execution Protection - and it's necessary to disable this setting for any Evolution program that might use it.

Table of Contents

Data Execution Prevention is a memory management technique used by some versions of Windows XP and Server 2003 to prevent some kinds of security attacks. It's a technically powerful method that solves a very large host of problems, but it's not compatible with all software for various reasons.

The Jamaica release includes some of these incompatibilities, and it's necessary to partially disable DEP on platforms that show the problem. It manifests itself with a "The RPC operation failed" message during report printing.

DEP has several modes on a system:

Turning DEP off entirely is not really a good idea, because the core Windows services are all designed to work with it, and it really does perform a useful security purpose.

Instead, we only need to insure that Evolution processes don't have DEP set, and this is achieved by the middle two settings above. We'll start with the easiest setting first.

Who should do this?

Not all users need concern themselves with this. Service bureaus running Windows 2000 servers won't ever see this problem, and most desktop users (even those with XP) won't either. This lists the two broad categories of systems where this may come into play.

Evolution Middle Tier
If you're running a Windows Server 2003 system in your Evolution Service Bureau, you should take these steps always, even if you're not seeing a problem with reports. DEP does kick the package servers sometimes, and there's no really good reason to chance it.
Don't wait for errors to show up: just do it.
Evolution Local / Remotes
Running Evolution on the desktop — either EvoLocal on the local Service Bureau staff workstations, or EvoRMT / EvoOLR on a client's computer — will run into these problems only rarely. Only certain processors actually support DEP, and it's not clear that the problem manifests itself in the same way as on the servers.
For the desktop, wait until you have a reason to disable DEP before you bother with it. It serves a really useful security purpose.

DEP is only a feature of Windows XP and Windows Server 2003, though it's expected to be found in Windows Vista as well. It requires support from both the operating system and the underlying CPU (there are both software and hardware flavors of DEP) — not all instances of DEP-supporting operating systems will actually have the full set of hardware to support it.

DEP Support across Windows versions
Windows version DEP ?
Windows Server 2003 Yes
Windows XP Yes
Windows Vista Not sure, but probably
Windows 2000 No DEP
Windows NT No DEP
Windows ME No DEP
Windows 98 No DEP
Windows 95 No DEP

Enabling DEP for Core Windows Services Only

DEP dialogs

For most users, this is by far the best option: it's something to set one time and then forget about.

Now it's done: DEP is disabled for all programs other than the core Windows services, and this should require no more attention in the future.

Though it's true that these third-party programs won't be protected, machines used for the Evolution middle tier shouldn't have that much exposure to the outside world — this means its "attack surface" will be pretty small.

DEP for Evolution Remote

The demands of the Evolution middle tier servers really insist on enabling DEP only for Windows core services, but Evolution Remote users may not have the luxury of doing this.

per-app DEP

These client machines typically run a wider variety of software, in a more hostile security environment, and there may be corporate IT policies that do not permit wholesale disabling of DEP. In these cases, it may be necessary to disable DEP much more selectively, leaving it enabled for all but the Evolution programs.

To do this, navigate to the DEP configuration dialog box as shown in the previous section, but instead select the lower radio button. Then:

This approach is a bit more work, but it more narrowly disables DEP just for the Evolution programs.

Note: we don't know which particular executables are actually troublesome, and it may not be that all must have DEP disabled, but this is the most expedient way to get this done until we can research it further.

Evolution Service Bureaus will have quite a few more programs in the exception list, and we've not yet enumerated them. We're quite sure that PackageServerService.exe is in that list.


First published: 2006/12/19