{"id":32923,"date":"2005-12-19T10:00:11","date_gmt":"2005-12-19T10:00:11","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2005\/12\/19\/beware-the-image-file-execution-options-key\/"},"modified":"2005-12-19T10:00:11","modified_gmt":"2005-12-19T10:00:11","slug":"beware-the-image-file-execution-options-key","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20051219-11\/?p=32923","title":{"rendered":"Beware the Image File Execution Options key"},"content":{"rendered":"<p>Beware <a href=\"http:\/\/blogs.msdn.com\/junfeng\/archive\/2004\/04\/28\/121871.aspx\"> the Image File Execution Options key<\/a> (<a href=\"http:\/\/blogs.msdn.com\/greggm\/archive\/2005\/02\/21\/377663.aspx\">more<\/a>). Its power can be used for evil as well as for good.<\/p>\n<p> Its intended use is to force a program to run under a debugger regardless of how it is launched (and secondarily to alter how the system treats the program). It&#8217;s handy if you need to debug a program &#8220;in the wild&#8221; rather than under the controlled environment of your favorite IDE. For example, you can use it if you want to debug how a program runs when it is launched by some other program you can&#8217;t debug. <\/p>\n<p> Two things people often forget: <\/p>\n<ul>\n<li>If you err in specifying the debugger, the program won&#8217;t launch     at all.     For example, if you get the path to the debugger wrong     or if you subsequently uninstall the debugger,     you&#8217;ll get ERROR_FILE_NOT_FOUND when you try to run the target     program since the system can&#8217;t find the debugger. <\/li>\n<li>Remember to delete the entry for your program when you no     longer need it.     Otherwise you&#8217;ll wonder why the debugger keeps launching     for no apparent reason. <\/li>\n<\/ul>\n<p> Evil can be done with the Image File Execution Options key. 
Malware can install itself as the &#8220;debugger&#8221; for a frequently-run program (such as Explorer) and thereby inject itself into the execution sequence. <\/p>\n<p> Note that the ability to use the Image File Execution Options key for evil purposes is not a security hole. To modify the key in the first place requires administrator permissions. Consequently, anybody who can exploit this feature already owns your machine. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Beware the Image File Execution Options key (more). Its power can be used for evil as well as for good. Its intended use is to force a program to run under a debugger regardless of how it is launched (and secondarily to alter how the system treats the program). It&#8217;s handy if you need to [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-32923","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>Beware the Image File Execution Options key (more). Its power can be used for evil as well as for good. Its intended use is to force a program to run under a debugger regardless of how it is launched (and secondarily to alter how the system treats the program). 
It&#8217;s handy if you need to [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/32923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=32923"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/32923\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=32923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=32923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=32923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}