Image File Execution Options Registry Keys

Image File Execution Options (IFEO) is a registry key that allows users to attach debuggers to programs. Attackers may leverage this registry key to establish persistence, as code execution can be triggered by execution (and exiting) of a particular program on an endpoint.

Analysis Value

  • File Path

Operating System Availability

Major Version | Support | Major Version | Support

Windows 11

Server 2019

Windows 10

Server 2016

Windows 8

Server 2012

Windows 7

Server 2008

Windows Vista

Server 2003

Windows XP

Artifact Location(s)

  • File: %SystemRoot%\System32\config\SOFTWARE

  • Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

  • Key: SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Artifact Parsers

  • RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Within the registry locations listed above are keys named after particular executables on the endpoint. A string (REG_SZ) value named Debugger placed within one of these keys specifies an arbitrary executable that will be executed when the named program is started.
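The following is an added example, not part of the original page or of any listed parser: it reads the text of a .reg export and lists every Debugger string value set directly under a per-executable key in the two IFEO locations above. It assumes the export has already been decoded to text (regedit writes these files as UTF-16); the executable names and paths in SAMPLE are constructed placeholders.

```python
import re

# IFEO locations from "Artifact Location(s)", relative to HKLM.
IFEO_PATHS = {
    "native": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    "WOW6432Node": r"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
}
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\(.+)\]$", re.I)
# .reg string value: "Name"="Data"; backslash and quote are backslash-escaped.
STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def image_key(key):
    """Return (view, image_name) if key is a direct child of an IFEO key, else None."""
    for view, base in IFEO_PATHS.items():
        prefix = base.lower() + "\\"
        if key.lower().startswith(prefix):
            rest = key[len(prefix):]
            if rest and "\\" not in rest:
                return (view, rest)
    return None

def find_ifeo_debuggers(reg_text):
    """List (view, image_name, debugger_command) for every Debugger string value."""
    hits, current = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("["):  # any new key header ends the previous key
            m = KEY_RE.match(line)
            current = image_key(m.group(1)) if m else None
            continue
        v = STR_RE.match(line)
        if current and v and unescape(v.group(1)).lower() == "debugger":
            hits.append((*current, unescape(v.group(2))))
    return hits

# Constructed sample export (not real evidence); names and paths are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"Debugger"="C:\\Users\\Public\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legacy32.exe]
"debugger"="\"C:\\Program Files\\Placeholder\\dbg.exe\" -p"
'''

if __name__ == "__main__":
    print(find_ifeo_debuggers(SAMPLE))
```

Each returned tuple names the registry view, the executable the key is named after, and the command that would run in its place, which gives the file path to pull for further analysis.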
