Image File Execution Options

Location:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Classification:

Criteria	Value
Permissions	Admin
Security context	User; System¹
Persistence type	Registry
Code type	EXE
Launch type	Automatic; Any logon required; User initiated²
Impact	Destructive³
OS Version	All OS versions
Dependencies	OS only
Toolset	Scriptable

Description:

Well known key. If there is a subkey with a name matching the exe file name, the Debugger REG_SZ value is being read and launched with the original exe passed as parameter. Effectively it leads to image hijacking, as the configured exe is launched instead of the desired one.

References:

https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/

Credits:

Remarks:

Footnotes

Depends on the image being hijacked ↩
Depends on the image being hijacked ↩
The original exe will not start ↩

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ifeo.md

ifeo.md

Image File Execution Options

Location:

Classification:

Description:

References:

Credits:

See also:

Remarks:

Files

ifeo.md

Latest commit

History

ifeo.md

File metadata and controls

Image File Execution Options

Location:

Classification:

Description:

References:

Credits:

See also:

Remarks:

Footnotes