Image File Execution Options Registry Keys

Image File Execution Options (IFEO) is a registry key that allows users to attach debuggers to programs. Attackers may leverage this registry key to establish persistence, as code execution can be triggered by execution (and exiting) of a particular program on an endpoint.

Analysis Value

File Path

Operating System Availability

| Major Version | Support | Major Version | Support |
|---|---|---|---|
| Windows 11 | ✅ | Server 2019 | ✅ |
| Windows 10 | ✅ | Server 2016 | ✅ |
| Windows 8 | ✅ | Server 2012 | ✅ |
| Windows 7 | ✅ | Server 2008 | ✅ |
| Windows Vista | ✅ | Server 2003 | ✅ |
| Windows XP | ✅ | | |

Artifact Location(s)

  • File: %SystemRoot%\System32\config\SOFTWARE

  • Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

  • Key: SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Artifact Parsers

  • RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Within the aforementioned registry locations exist keys named after certain executables on the endpoint. Placing a STRING value named Debugger within one of these keys specifies an arbitrary executable that will be executed when the process the key is named after is started.
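One way to triage this artifact from a text export of the registry, shown as an added example that is not part of the original page: the function below walks a `.reg`-format export and reports every Debugger string value found under either IFEO location listed above. The function names, the sample export, and the executable names in it are constructed for illustration.

```python
import re

# Matches a direct subkey of either IFEO location listed under "Artifact Location(s)".
IFEO_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT"
    r"\\CurrentVersion\\Image File Execution Options\\([^\\\]]+)\]$",
    re.IGNORECASE)
# "name"="data" lines, i.e. string values only; backslash-escaped characters allowed.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    """.reg exports escape backslashes and double quotes with a backslash."""
    return re.sub(r"\\(.)", r"\1", text)

def find_ifeo_debuggers(reg_text):
    """Return (key_path, image_name, debugger_command) per Debugger string value."""
    hits, key, image = [], None, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = IFEO_RE.match(line)
            key, image = (line[1:-1], m.group(1)) if m else (None, None)
            continue
        if image is None:
            continue  # value belongs to a key outside IFEO
        m = VALUE_RE.match(line)
        # Registry value names are case-insensitive.
        if m and unescape(m.group(1)).lower() == "debugger":
            hits.append((key, image, unescape(m.group(2))))
    return hits

# Constructed sample export; key contents and paths are illustrative only.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-app.exe]
"Debugger"="C:\\Users\\Public\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other-app.exe]
"ExampleSetting"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legacy-app.exe]
"debugger"="\"C:\\Tools\\dbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Debugger"="C:\\not-ifeo.exe"
'''

if __name__ == "__main__":
    for key_path, image_name, command in find_ifeo_debuggers(SAMPLE_EXPORT):
        print(f"{image_name}: Debugger = {command}\n  {key_path}")
```

Exports written by `reg export` or regedit in version 5.00 format are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text in.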
