Image File Execution Options Registry Keys

Image File Execution Options (IFEO) is a registry key that allows users to attach debuggers to programs. Attackers may leverage this registry key to establish persistence, as code execution can be triggered by execution (and exiting) of a particular program on an endpoint.

Analysis Value

File Path

Operating System Availability

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

✅

Windows 8

✅

Server 2012

✅

Windows 7

✅

Server 2008

✅

Windows Vista

✅

Server 2003

✅

Windows XP

✅

Artifact Location(s)

File: %SystemRoot%\System32\config\SOFTWARE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Key: SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Artifact Parsers

RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Within the aforementioned registry locations exist keys named after certain executables on the endpoint. Placing a STRING value within these keys named Debugger allows an endpoint to specify an arbitrary executable that will be executed when the process is started.

Last updated 2 years ago

hashtagAnalysis Value

hashtagOperating System Availability

hashtagArtifact Location(s)

hashtagArtifact Parsers

hashtagArtifact Interpretation

Analysis Value

Operating System Availability

Artifact Location(s)

Artifact Parsers

Artifact Interpretation