# Image File Execution Options Registry Keys Image File Execution Options (IFEO) is a registry key that allows users to attach debuggers to programs. Attackers may leverage this registry key to establish persistence, as code execution can be triggered by execution (and exiting) of a particular program on an endpoint. ## Analysis Value {% content-ref url="/pages/V3cDcDJogcr4slquHEzB" %} [File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md) {% endcontent-ref %} ## Operating System Availability | Major Version | Support | Major Version | Support | | ------------- | ------- | ------------- | ------- | | Windows 11 | ✅ | Server 2019 | ✅ | | Windows 10 | ✅ | Server 2016 | ✅ | | Windows 8 | ✅ | Server 2012 | ✅ | | Windows 7 | ✅ | Server 2008 | ✅ | | Windows Vista | ✅ | Server 2003 | ✅ | | Windows XP | ✅ | | | ## Artifact Location(s) {% tabs %} {% tab title="🔌 Offline System" %} * File: `%SystemRoot%\System32\config\SOFTWARE` * Key: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\` * Key: `SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\` {% endtab %} {% tab title="🔋 Live System" %} * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\` * `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\` {% endtab %} {% endtabs %} ## Artifact Parsers * RegistryExplorer (Eric Zimmerman) ## Artifact Interpretation Within the aforementioned registry locations exist keys named after certain executables on the endpoint. Placing a STRING value within these keys named `Debugger` allows an endpoint to specify an arbitrary executable that will be executed when the process is started. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/image-file-execution-options.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.