Image File Execution Options

Written by: sefo
Published by: Nightscript
Published on: 2006-02-13 11:36:22
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options there is a registry key
that lets you redirect the execution of one application to another.
It exists so that a debugger can be attached to a program from the moment it starts: when CreateProcess is asked to run an
image that has a subkey there with a Debugger string value, it runs the Debugger command line instead, with the original
command line appended to it.


The key you create under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
must have the name of the executable you want to take over (the file name only, without a path).
Writing under HKLM requires administrative rights.
For example, create a new key called notepad.exe and inside it a new string value (REG_SZ) named Debugger
with the value C:\WINDOWS\system32\calc.exe.
Now if you try to run notepad, the calculator is launched instead.

Moreover, if .txt files are associated with notepad, double-clicking any text file also runs calc.exe,
because the shell still asks CreateProcess to start notepad.exe and the redirection happens there.


Now replace the string value with C:\WINDOWS\system32\write.exe.
If you run notepad or double-click a .txt file, you will see that WordPad runs instead,
but this time it displays the contents of notepad.exe in its editor.

The reason is that write.exe (like notepad) opens the file named by the first argument on its command line
after the program name itself.
CreateProcess appended notepad's own command line to the Debugger value, so the program run instead of notepad
receives the full path of the executable that was taken over as its first argument.

As an exercise, write a program CmdLine.exe that displays its arguments.
Now change the value of the string to c:\CmdLine.exe and run notepad; you will see:

  • arg 0 = c:\CmdLine.exe
  • arg 1 = C:\WINDOWS\system32\notepad.exe

The interesting part is that if you double-click a .txt file, CmdLine.exe displays an additional argument
containing the path to the text file:

  • arg 2 = C:\testfile.txt

Knowing the path to the text file, it is easy to open it, check for a value or modify something, and then give control
back to notepad with ShellExecute or CreateProcess, passing the text file as the argument.
Note that starting notepad.exe again while the Debugger value is still in place triggers the redirection a second time,
which is why the test program described next removes the key first.
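Putting the two halves together (the key created by hand, and a stand-in program that receives notepad's command line and hands control back), here is an added Python example; it is not the author's CmdLine.exe or ExecOption.exe and not part of the original article. It assumes a Python interpreter on the Windows machine, that the script is kept at one fixed path, and that it is run from an elevated prompt because the key lives under HKLM. The registry and relaunch parts only work on Windows; the argument handling is pure and mirrors the arg 0 / arg 1 / arg 2 layout shown above.

```python
"""ifeo_shim.py: take over notepad.exe through an IFEO "Debugger" value and hand control back.

Added example, not the article's ExecOption.exe. Assumes Windows, an elevated prompt
(the key lives under HKLM) and that sys.executable is the python.exe that should be
written into the Debugger value. Paths are illustrative.
"""
import subprocess
import sys
from pathlib import Path

IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
TARGET = "notepad.exe"          # image to take over, as in the article


def debugger_command(script, python=sys.executable):
    """The Debugger value is a command line, not a bare path: CreateProcess appends the
    hijacked program's own command line to it, so both halves must be quoted."""
    return f'"{python}" "{script}"'


def parse_shim_args(argv):
    """Split what the Debugger command line receives into (hijacked image, document or None).

    argv[0] is this script, argv[1] the full path of the image that was taken over
    (e.g. C:\\WINDOWS\\system32\\notepad.exe) and argv[2], when the user double-clicked
    a document, that document's path. Run by hand there is no argv[1] at all.
    """
    if len(argv) < 2:
        return None, None
    return argv[1], (argv[2] if len(argv) > 2 else None)


def set_debugger(image, command):
    """Create HKLM\\...\\Image File Execution Options\\<image> and write Debugger (REG_SZ)."""
    import winreg  # Windows only
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, IFEO + "\\" + image, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "Debugger", 0, winreg.REG_SZ, command)


def clear_debugger(image):
    """Delete only the Debugger value; the key itself may carry other settings."""
    import winreg  # Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO + "\\" + image, 0,
                            winreg.KEY_SET_VALUE) as key:
            winreg.DeleteValue(key, "Debugger")
    except FileNotFoundError:
        pass


def main(argv):
    me = str(Path(argv[0]).resolve())
    target, doc = parse_shim_args(argv)
    if target is None:
        # Run by hand: install this script as notepad's "debugger".
        set_debugger(TARGET, debugger_command(me))
        print(f"Debugger for {TARGET} set to {debugger_command(me)}")
        return 0

    # Run by CreateProcess in place of notepad: this is the CmdLine.exe exercise.
    for i, arg in enumerate(argv):
        print(f"arg {i} = {arg}")
    if doc:
        # Peek at the document before handing it on (the article's 512-byte limit).
        print(Path(doc).read_bytes()[:512])

    # Hand control back. Starting notepad.exe while the value exists would bring the
    # loader straight back here, so clear the value, start the real program, then
    # restore the value (any other notepad start in that short window escapes the hook).
    image = Path(target).name
    clear_debugger(image)
    subprocess.Popen([target] + ([doc] if doc else []))
    set_debugger(image, debugger_command(me))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once from an elevated prompt to install the value, then start notepad or double-click a .txt file. A registered debugger such as ntsd or windbg does not need the clear-and-restore dance: CreateProcess skips the Debugger lookup when the caller passes DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS, which is how a real debugger starts its target without bouncing back to itself. A plain relaunch has no such escape, hence the article's program deleting the key.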

::Test Program::

How to use the program included:

- The executable must be placed at c:\ExecOption.exe
- Run the program by double-clicking it. It creates the registry key.
  (Open Regedit and go to Image File Execution Options to see exactly what a valid key looks like.)
- Then double-click any .txt file (smaller than 512 bytes).
- When you click a .txt, ExecOption.exe is launched instead of notepad.
- It first deletes the registry key. (This is necessary: otherwise starting notepad from ExecOption.exe would be redirected to ExecOption.exe again.)
- Then it launches the associated program (notepad, of course).
  Note that a personal firewall that watches which programs start other programs may warn you when ExecOption.exe runs notepad.
- And finally it opens the file.
- Since the key is removed the first time you open a text file, you have to run the .exe once more to set it again.

See the source code in the zip file for more details.

Basically, here's how it works:

if NumberOfParam < 2
    (started by hand, e.g. by double-clicking ExecOption.exe)
    create the key Image File Execution Options\notepad.exe with Debugger = c:\ExecOption.exe
else if NumberOfParam > 2
    (started by the loader in place of notepad, with notepad's path and the .txt path as parameters)
    delete the key
    launch notepad with the .txt as argument
    open and read the .txt
end if

The case of exactly two parameters (notepad started without a document) is not handled by the program.


This registry key is pretty evil.
I haven't found a virus or malware using this technique yet, but no doubt it will be exploited one day.
However, one might find a positive way to use this feature, and I'd be curious to see what utility you can create.
So please post a comment if you have a nice idea.

A problem I encountered was that the .txt you open can be read, but is locked for write access by the system.
So if anyone has an idea on how to unlock it easily, please post a comment.

Monday morning note:
It works fine on my XP SP1 but not on XP SP2.
The time I wanted to give to this topic being over, I will not fix it. I believe it comes from the poor implementation of the command-line parsing procedure :)
You can still test it of course; the program is harmless and it gives you a good idea of how things work.
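The "pretty evil" key is also one of the easiest persistence mechanisms to audit (ATT&CK tracks it as T1546.012, Image File Execution Options Injection): every subkey that carries a Debugger value is a redirection, and there are rarely more than a handful of legitimate ones on a machine. The following is an added Python example, not from the article, that lists them from the live registry on Windows and, offline, from the text of a `reg export` or .reg file. The allow list of debugger names and the list of watched images are assumptions; the .reg sample is constructed, and the adamrf.exe path in it is made up (the comment that mentions that name gives only the file name).

```python
"""ifeo_hunt.py: list every IFEO subkey that carries a Debugger value and rank it.

Added example, not from the article. Reads the live registry on Windows (winreg) or,
offline, the text of a .reg export, which is how the triage logic is shown on a
constructed sample. Allow and watch lists are illustrative assumptions.
"""
import re

IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Debuggers that legitimately get registered this way (assumed allow list).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe",
                   "procexp.exe", "procexp64.exe"}
# Images the malware reported in the comments went after: shell, admin tools, browsers.
WATCHED_IMAGES = {"explorer.exe", "regedit.exe", "msconfig.exe", "taskmgr.exe",
                  "iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "safari.exe"}

# Constructed .reg export: the article's notepad demo, a hijacked regedit (path made up),
# a genuine windbg registration, and a nested PerfOptions subkey that must be ignored.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\system32\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\adamrf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\PerfOptions]
"CpuPriorityClass"=dword:00000003
'''

_MARK = "image file execution options\\"


def _unescape(s):
    # .reg data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {image name (lower case): Debugger command line} from .reg text."""
    found, image = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(_MARK)
            image = key[pos + len(_MARK):] if pos >= 0 else None
            if image is not None and ("\\" in image or not image):
                image = None      # the IFEO key itself, or a nested subkey such as PerfOptions
            continue
        m = re.match(r'"Debugger"="(.*)"$', line, re.IGNORECASE)
        if image and m:
            found[image.lower()] = _unescape(m.group(1))
    return found


def read_live():
    """Same dictionary from the live registry (Windows only; read access is enough)."""
    import winreg
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    found[name.lower()] = winreg.QueryValueEx(sub, "Debugger")[0]
            except OSError:
                continue          # no Debugger value on this subkey
    return found


def debugger_basename(command):
    """Executable name from a Debugger command line ("quoted path" args, or path args).
    An unquoted path with spaces is ambiguous to CreateProcess as well; it is reported as-is."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.find('"', 1)]
    else:
        exe = command.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(entries):
    """Rank each (image, debugger) pair: info for a known debugger, high for a watched
    image redirected to anything else, medium for the rest. Every hit deserves a look."""
    findings = []
    for image, command in sorted(entries.items()):
        exe = debugger_basename(command)
        if exe in KNOWN_DEBUGGERS:
            severity = "info"
        elif image in WATCHED_IMAGES:
            severity = "high"
        else:
            severity = "medium"
        findings.append((severity, image, command))
    return findings


if __name__ == "__main__":
    import sys
    entries = read_live() if sys.platform == "win32" else parse_reg_export(SAMPLE_EXPORT)
    for severity, image, command in assess(entries):
        print(f"[{severity:6}] {image} -> {command}")
```

Run without arguments on Windows it walks the live key; anywhere else it runs over the constructed sample and prints one line per finding. Even an "info" hit is worth confirming with whoever owns the machine, since nothing stops malware from naming its dropper windbg.exe.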


2006-02-13 14:06:05
Well, actually I've just found a malware using this key on an XP SP2.

It's taking explorer.exe over.
Check it out in case... :)
2006-02-13 16:43:02
Thanks sefo.. something I was looking for.. well, not exactly.. a wonderful trick nonetheless!
2007-09-23 14:46:12
Thanks for this most useful comment. My computer suddenly stopped running explorer.exe, leaving me without all the "My PC", "Programs" and "Control Panel" options.

Deleting the key mentioned in this article (set by a malware) did the trick!

Thanks a lot again.
2007-09-24 21:18:00
I have found a malware using this exploit; it maps regedit.exe, msconfig and the .exe of your antivirus to adamrf.exe.
2008-09-24 20:38:03
I have a very nasty malware that uses this key! If you want it, contact me. schnaps@gmail.com
2009-01-17 03:19:55
klomp.exe uses this
2009-01-22 12:52:14
I encountered a malware named "Kazme__Gheya" that had used this registry key.
2009-05-27 02:18:39
SysInternals Process Explorer uses this technique to set itself as the default Control+Alt+Del handler.
2009-06-15 21:13:25
It works for me.
For the good ideas... you can change the "classical" Windows applications like notepad to another, improved application like Notepad++.
2009-07-07 12:12:50
hmm, that's pretty clever to use that reg key. Wonder what happens if you set up a loop so notepad launches calc which launches notepad etc. on your pc.
    2009-10-04 14:29:28
    I have found a malware using this exploit too.
2009-12-13 15:42:00
I also got a malware today, taking over all popular browsers (including Firefox, Opera, Safari, and Chrome) and redirecting them to Internet Explorer. It took me hours to find out what that was and solve it. WTF Microsoft!
    2010-12-21 19:41:41
    Or worse yet... fire up some keylogger (or other software), then launch the originally intended application with the parameters given so that the user does not see any odd behaviour.
    Copyright Open Source Institute, 2006