Image File Execution Options


Jan 30, 2007
Had a laptop with plenty of viruses today and had some annoying problems,
which I managed to solve after reading this article.

My one problem was that I could not open cmd.exe (by using the Run command, by shortcut, or by opening it from system32).
None of them worked; I found that the virus had changed the settings
so that if you try to open cmd.exe or taskmgr.exe, it will run a copy of itself instead of the program you're trying to access. Some scary stuff, I know...

But hope this might help someone somewhere...

Image File Execution options key as an Attack Vector on Windows
Dana Epp posted an interesting article about using Image File Execution Options in the Windows registry to redirect process loading:

By simply mapping the executable name to a different debugger source, you can actually load something else entirely.

Let me give you a proof of concept:

Start the Registry Editor: Click Start, click Run, and then type regedt32.
Locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

To this hive, add the SOURCE exe as a key. Let's use notepad.exe: right-click and select New, and then Key (add the key and name it notepad.exe).
To the notepad.exe key, add a new REG_SZ (string) value called Debugger, and point it to c:\windows\system32\cmd.exe.

Start up notepad (Click Start, click Run, and then type notepad)
Notice that a new cmd window opened instead