3

Image Execution Options (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options) with a key named after the executable and a string (REG_SZ) value is known to be a nice inroute if you need to modify the behavior of an application to be launched.

However, if I have a very common name for an executable, such as launcher.exe, how can I be a bit more specific? Can I at all?

I'd like to make sure that only the particular binary I have in mind will be affected, although in my particular use case it's only a moderate impact if I cannot limit it to the exact executable.

I would like to write myself a little wrapper program that, similar to Process Explorer from Sysinternals, replaces the standard behavior for my specific launcher.exe in that it sets the environment variable similar to set __COMPAT_LAYER=RUNASINVOKER in a shell.

Now I know how to write the wrapper and all; the main question is whether there is a way to tell in the registry, using some magic underneath Image Execution Options, to limit the scope of the Debugger value "hack", or whether I would have to filter this in my wrapper.



0xC0000022L

2 Answers

7

Starting with Windows 7, there is a way to limit Image File Execution Options to an exact path.

  1. Create a dword with name "UseFilter" and nonzero value under ...\Image File Execution Options\filename.exe.
  2. Create a subkey with arbitrary name, e.g. ...\Image File Execution Options\filename.exe\MyFilter.
  3. Under that subkey, create a string with name "FilterFullPath" and full path as a value, e.g. "C:\mypath\filename.exe". Also, create whatever options you need, "Debugger" in your case, there.

Now, when the system starts any "filename.exe", it checks whether the full path matches "FilterFullPath" from any subkey. (There can be several subkeys for different paths.) If there is a match, options from the matched subkey are used. Otherwise, options from base key IFEO\filename.exe are used, as usual.
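The lookup order described in this answer can be modelled offline to audit an exported IFEO tree: which `Debugger` redirections exist, and whether each is scoped by `FilterFullPath` or applies to every binary of that name. This is an added example, not code from the answer or from Windows; the sample export, the function names and the case-insensitive path comparison are assumptions.

```python
import ntpath

IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options").lower()

# Constructed `reg export` text; all paths and wrapper names are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\launcher.exe]
"UseFilter"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\launcher.exe\MyFilter]
"FilterFullPath"="C:\\mypath\\launcher.exe"
"Debugger"="C:\\tools\\wrapper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\tools\\other.exe"
'''

def parse_export(text):
    """Return {lowercased key path: {value name: value}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"'):
                current[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys

def effective_options(keys, image_path):
    """Options applying to image_path, per the lookup order the answer describes."""
    base_key = IFEO + "\\" + ntpath.basename(image_path).lower()
    base = keys.get(base_key, {})
    if base.get("UseFilter"):
        for key, values in keys.items():
            # Assumption: the path comparison is a case-insensitive string match.
            if (key.rpartition("\\")[0] == base_key and
                    values.get("FilterFullPath", "").lower() == image_path.lower()):
                return values
    return base

def debugger_entries(keys):
    """List (image name, scope, debugger) for every Debugger value under IFEO."""
    found = []
    for key, values in keys.items():
        if "Debugger" in values and key.startswith(IFEO + "\\"):
            parts = key[len(IFEO) + 1:].split("\\")
            scope = values.get("FilterFullPath", "<unset>") if len(parts) > 1 else "any path"
            found.append((parts[0], scope, values["Debugger"]))
    return found
```

A real `reg export` file is UTF-16 encoded, so decode it before passing the text to `parse_export`.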

0

It seems to be possible to do it like this


The screenshot shows creating subkeys corresponding to the full path of a binary underneath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, e.g.:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

under which then a Debugger string value could be created and set.

0xC0000022L