Image File Execution Options Registry Keys
Image File Execution Options (IFEO) is a registry key that allows users to attach debuggers to programs. Attackers may leverage this registry key to establish persistence, as code execution can be triggered by execution (and exiting) of a particular program on an endpoint.
Analysis Value
File Path
Operating System Availability
Windows 11: ✅
Server 2019: ✅
Windows 10: ✅
Server 2016: ✅
Windows 8: ✅
Server 2012: ✅
Windows 7: ✅
Server 2008: ✅
Windows Vista: ✅
Server 2003: ✅
Windows XP: ✅
Artifact Location(s)
File: %SystemRoot%\System32\config\SOFTWARE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Key: SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Artifact Parsers
RegistryExplorer (Eric Zimmerman)
Artifact Interpretation
Within the aforementioned registry locations exist keys named after certain executables on the endpoint. Placing a STRING value named Debugger within one of these keys specifies an arbitrary executable that will be executed when the named process is started.
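As an added example (not part of the original page or of any tool it names), the following Python scans a .reg-format text export of the SOFTWARE hive for Debugger string values under both IFEO locations. The function name, the sample export and the executable names in it are constructed for illustration.

```python
import re

# Both IFEO locations listed under Artifact Location(s), relative to HKLM.
IFEO_PATHS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
)

# Constructed sample in .reg export format; image and debugger names are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-a.exe]
"MitigationOptions"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-b.exe]
"Debugger"="C:\\Users\\Public\\example-helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-c.exe]
"debugger"="\"C:\\Program Files\\Example\\dbg.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run]
"Debugger"="C:\\Temp\\not-under-ifeo.exe"
'''

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # string values only

def find_ifeo_debuggers(export_text):
    """Return (ifeo_path, image_name, debugger_command) for each Debugger string value."""
    findings, current = [], None
    for line in (raw.strip() for raw in export_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = None  # a new key header ends the previous key's values
            for base in IFEO_PATHS:
                prefix = base.lower() + "\\"
                image = key.group(1)[len(prefix):]
                if key.group(1).lower().startswith(prefix) and image and "\\" not in image:
                    current = (base, image)  # direct subkey, one per executable
            continue
        value = VALUE_RE.match(line)
        # Registry value names are case-insensitive.
        if current and value and value.group(1).lower() == "debugger":
            command = re.sub(r"\\(.)", lambda m: m.group(1), value.group(2))  # undo .reg escaping
            findings.append((current[0], current[1], command))
    return findings

if __name__ == "__main__":
    for ifeo_path, image, command in find_ifeo_debuggers(SAMPLE_EXPORT):
        print(f"{image}: Debugger={command!r} under {ifeo_path}")
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text in.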