Image File Execution Options Registry Keys
Image File Execution Options (IFEO) is a registry key that allows users to attach debuggers to programs. Attackers may leverage this registry key to establish persistence, as code execution can be triggered by execution (and exiting) of a particular program on an endpoint.
Analysis Value
File Path
Operating System Availability
Major Version | Support | Major Version | Support |
---|---|---|---|
Windows 11 | ✅ | Server 2019 | ✅ |
Windows 10 | ✅ | Server 2016 | ✅ |
Windows 8 | ✅ | Server 2012 | ✅ |
Windows 7 | ✅ | Server 2008 | ✅ |
Windows Vista | ✅ | Server 2003 | ✅ |
Windows XP | ✅ |
Artifact Location(s)
File:
%SystemRoot%\System32\config\SOFTWARE
Key:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Key:
SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Artifact Parsers
RegistryExplorer (Eric Zimmerman)
Artifact Interpretation
Within the aforementioned registry locations exist keys named after certain executables on the endpoint. Placing a STRING value named Debugger within one of these keys specifies an arbitrary executable that will be executed when the process named by the key is started.
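To triage this artifact in bulk, the added example below (not part of the original page or of any parser it names) scans the text of a `.reg` export of the SOFTWARE hive and reports every Debugger value found under an IFEO image subkey, in both the native and WOW6432Node locations. It assumes the export is in the "Windows Registry Editor Version 5.00" text format and has already been decoded to a string (regedit writes UTF-16); the function names and the sample export are constructed for illustration.

```python
import re

# Matches a subkey directly under either IFEO location (native or WOW6432Node),
# whatever root name the hive was loaded under.
IFEO_KEY = re.compile(
    r"\\(?P<view>WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\(?P<image>[^\\]+)$",
    re.IGNORECASE)
VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Constructed sample export; key names, value names and paths are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"Debugger"="C:\\Tools\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other.exe]
"Placeholder"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sample32.exe]
"debugger"="D:\\Temp\\placeholder32.exe"
'''

def unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)

def find_ifeo_debuggers(reg_text):
    """Return one dict per Debugger value found under an IFEO image subkey."""
    hits, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = IFEO_KEY.search(line[1:-1])  # None outside IFEO subkeys
            continue
        m = VALUE.match(line)
        # Registry value names are case-insensitive, so compare lowercased.
        if not (current and m) or unescape(m["name"]).lower() != "debugger":
            continue
        data = m["data"]
        is_string = len(data) >= 2 and data.startswith('"') and data.endswith('"')
        hits.append({
            "image": current["image"],
            "view": "WOW6432Node" if current["view"] else "native",
            # Non-string data (dword:, hex:) is kept raw for the analyst to review.
            "debugger": unescape(data[1:-1]) if is_string else data,
            "is_string": is_string,
        })
    return hits
```

Each hit names the image whose launch would start the listed executable, so the result can be compared against the debuggers expected in the environment.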