View on GitHub

Image File Execution Options


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\


Criteria Value
Permissions Admin
Security context User; System1
Persistence type Registry
Code type EXE
Launch type Automatic; Any logon required; User initiated2
Impact Destructive3
OS Version All OS versions
Dependencies OS only
Toolset Scriptable


Well known key. If there is a subkey with a name matching the exe file name, the Debugger REG_SZ value is being read and launched with the original exe passed as parameter. Effectively it leads to image hijacking, as the configured exe is launched instead of the desired one.



See also:


  1. Depends on the image being hijackedĀ 

  2. Depends on the image being hijackedĀ 

  3. The original exe will not startĀ