Image File Execution Options

Written by:sefo
Published by:Nightscript
Published on:2006-02-13 11:36:22
Located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options,
there exists a registry key which allows the execution of one application to be redirected to another.


The key you create under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
must have the name of the application you want to take over.
For example, you can create a new key called notepad.exe and then create a new string value with the name Debugger
and the value C:\WINDOWS\system32\calc.exe.
Now if you try to run notepad, the calculator will be launched instead.

Moreover, if you have for example .txt files associated with notepad,
double-clicking on any text file will also run calc.exe.


Now we're going to replace the string value with C:\WINDOWS\system32\write.exe.
If you run notepad or double-click on a .txt file, you will see that WordPad runs instead,
but this time it displays the contents of notepad.exe in its editor.

The reason is that write.exe (like notepad) directly opens the file specified in the second argument of its command line
(the first argument being the name of the program itself).
So when you redirect the execution of an application using this Image File Execution Options key,
the program executed instead of notepad receives the name and path of the program that has been taken over as its argument.

As an exercise, write a program CmdLine.exe that displays its arguments.
Now if you change the value of the string to c:\CmdLine.exe and run notepad, you will see:

  • arg 0 = c:\CmdLine.exe
  • arg 1 = C:\WINDOWS\system32\notepad.exe

The interesting part is that if you double-click on a .txt file, CmdLine.exe will display an additional argument
containing the path to the text file:

  • arg 2 = C:\testfile.txt

Knowing the path to the text file, it is easy to open it and check for a value or modify something, then give control back to
notepad with ShellExecute or CreateProcess, providing the text file as argument.
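As an added example (not the author's ExecOption program, and not code from the original article), the script below audits an exported .reg file for Image File Execution Options sub-keys that carry a Debugger value and reconstructs the command line the redirect target receives, exactly as described above. The .reg text, the image names and the "C:\Debuggers\windbg.exe" allowlist path are constructed sample data.

```python
import re

# Root of the key discussed in the article.
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed sample .reg export (not from a real system): the article's
# notepad -> calc redirection, a sub-key without a Debugger value, and a
# placeholder path for a legitimate debugger that the allowlist accepts.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\system32\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Debuggers\\windbg.exe"
'''

def parse_ifeo_debuggers(reg_text):
    """Map image name -> Debugger path for every IFEO sub-key in a .reg export.
    Only a Debugger string value redirects execution; other IFEO values do not."""
    found, image = {}, None
    prefix = IFEO_KEY.lower() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            # The sub-key name is the image being taken over (e.g. notepad.exe).
            image = path[len(prefix):].lower() if path.lower().startswith(prefix) else None
            continue
        m = re.match(r'^"debugger"="(.*)"$', line, re.IGNORECASE)
        if image and m:
            # .reg files escape backslashes and double quotes in string values.
            found[image] = m.group(1).replace('\\\\', '\\').replace('\\"', '"')
    return found

def redirected_command_line(debugger, image_path, args=()):
    """Command line the Debugger target receives: Windows starts the Debugger
    value and appends the original image path plus the original arguments,
    which is why write.exe ends up showing notepad.exe's own bytes."""
    return [debugger, image_path, *args]

def suspicious_redirections(debuggers, allowlist=()):
    """Flag every image whose Debugger is not an expected debugger path."""
    allowed = {p.lower() for p in allowlist}
    return {img: dbg for img, dbg in debuggers.items() if dbg.lower() not in allowed}
```

On a live system the same check can be run against the output of `reg export` for the IFEO key; any image whose Debugger value is not a debugger you installed deserves a look.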

::Test Program::

How to use the program included:

- The executable must be placed at c:\ExecOption.exe
- Run the program by double-clicking on it. It will create the registry key.
  (Open Regedit and go to Image File Execution Options to see exactly what a valid key looks like.)
- Then you can click any .txt file (size < 512).
- When you click on a .txt, the program ExecOption.exe is launched.
- It first deletes the registry key (which is necessary).
- Then it hooks the program associated (of course notepad).
  Note that your firewall should warn you when ExecOption.exe runs notepad.
- And finally opens the file.
- The registry will be cleaned when you try to open a text file.
- To set the key again, you have to run the .exe one more time.

See the source code in the zip file for more details.

Basically, here's how it works (the branch bodies are summarised from the steps listed above):

if NumberOfParam < 2
    ' started directly by the user, no arguments:
    ' create the IFEO key notepad.exe with Debugger = c:\ExecOption.exe
else if NumberOfParam > 2
    ' started by Windows in place of notepad, with the .txt path as argument 2:
    ' delete the IFEO key, then launch notepad.exe with that .txt path
end if


This registry key is pretty evil.
I haven't found a virus or malware using this technique yet, but no doubt it will be exploited one day.
However, one might find a positive way to use this feature, and I'd be curious to see what utility you can create.
So please post a comment if you have a nice idea.

A problem I encountered was that the .txt you open can be read, but is locked for write access by the system.
So if anyone has an idea on how to unlock it easily, please post a comment.

Monday Morning note:
It works fine on my XP SP1 but not on XP SP2.
The time I wanted to give to this topic being over, I will not fix it. I believe it comes from the poor implementation of the command-line parsing procedure :)
You can still test it of course; the program is harmless and it gives you a good idea of how things work.

2006-02-13 14:06:05
Well, actually I've just found a malware using this key on an XP SP2.
It's taking Explorer.exe over.
Check it out in case... :)
2006-02-13 16:43:02
Thanks sefo.. something I was looking for.. well not exactly.. a wonderful trick nonetheless!
2007-09-23 14:46:12
Thanks for this most useful comment. My computer suddenly stopped running explorer.exe (and thus leaving me without all "my pc", "programs", "control panel" options).

Deleting the key mentioned in this article (a malware) did the trick!

Thanks a lot again.
2007-09-24 21:18:00
I have found a malware using this exploit, it maps regedit.exe, msconfig and the .exe of your antivirus to adamrf.exe.
2008-09-24 20:38:03
I have a very nasty malware that uses this key! If you want it, contact me. schnaps@gmail.com
2009-01-17 03:19:55
klomp.exe uses this
2009-01-22 12:52:14
I encountered a malware named "Kazme__Gheya" that had used this registry key.
2009-05-27 02:18:39
SysInternals Process Explorer uses this technique to set itself as the default Control+Alt+Del handler.
2009-06-15 21:13:25
It works for me.
For the good ideas ... you can change the "classical" Windows applications like notepad to another improved application like notepad++
2009-07-07 12:12:50
Hmm, that's pretty clever to use that reg key. Wonder what happens if you set up a loop so notepad launches calc which launches notepad etc.
2009-12-13 15:42:00
I also got a malware today, taking over all popular browsers (including Firefox, Opera, Safari, and Chrome) and redirecting them to Internet Explorer. It took me hours to find out what that is and solve it. WTF Microsoft!
2010-12-21 19:41:41
Or worse yet... fire up some keylogger (or other software), then launch the originally intended application with the parameters given so that the user does not see any odd behaviour.
    Copyright Open Source Institute, 2006