So what the heck are “Image File Execution Options” and why should I care about them? I know, the name is just pretty complicated, so … let’s call them IFEO for the rest of this post and make things easy, shall we?

You should honestly be concerned … very concerned … about IFEO on your Windows PC. IFEO is an area of the registry that was created to set various options that tell Windows what to do when a certain application is run on your system. Developers can use it to launch a program under a debugger, instead of running the program directly, to troubleshoot an application they are building. While this is all very well if you are an application developer, the problem is that Windows does not verify that the application you tell it to run instead of the program is actually a legitimate debugger. Let me show you an example so you can understand the essence of the problem:

Let’s say someone (for whatever reason) doesn’t want you to be able to run MalwareBytes on your system. All that needs to be done is to create a simple registry key and value in IFEO that will stop it in its tracks. The process that runs when you click on MalwareBytes is “mbam.exe”. You can easily view the processes in the task manager (or look at the shortcut) to find this out. Then add a registry key called “mbam.exe” in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options using regedit. Notice the key mbam.exe that was created in “Image File Execution Options.” After the key is added, add a string value named debugger to the key. Double click on the debugger value and you will see a dialog box allowing you to add a path to the executable you would like to run instead of “mbam.exe”. This can be ANYTHING you want. Think about the possibilities ….. in this case I added a path to c:\test.exe, which does not exist. When you try to run MalwareBytes, it won’t run!

There is a large amount of malware that does just this. It adds a large list of known security applications to your IFEO key so that when you try to run them, they either won’t run at all or run another copy of the virus executable! How simple! If you suspect that your computer may be infected and you cannot start the security applications that you would normally use to help clean it up, this is a good place to start determining how to get your applications to run correctly again.
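To check a machine for this, the following PowerShell lists every IFEO subkey that carries a debugger value and reports whether the program it points to exists. This is an added example, not part of the original post; the function name `Get-IfeoDebugger` is made up for illustration, and the second registry path (the 32-bit view on 64-bit Windows) is an addition the post does not mention.

```powershell
# Added example: audit Image File Execution Options for "Debugger" redirections.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit registry view on 64-bit Windows (not mentioned in the post)
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {   # hypothetical helper name
    param([string[]]$Path = $IfeoRoots)

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Registry value names are case-insensitive: "debugger" and "Debugger" are the same value.
            $dbg = $key.GetValue('Debugger')
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }

            # The first token of the command line (quoted or not) is the program Windows would start.
            $exe = $null
            if ($dbg -match '^\s*"([^"]+)"|^\s*(\S+)') {
                $exe = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            [pscustomobject]@{
                Image        = $key.PSChildName   # e.g. mbam.exe
                Debugger     = $dbg               # what runs instead
                # File.Exists returns $false for missing or malformed paths without throwing.
                # A bare name such as "ntsd" is found through the search path, so $false
                # there means "check by hand", not "missing".
                TargetExists = [System.IO.File]::Exists($exe)
                KeyPath      = $key.Name
            }
        }
    }
}

Get-IfeoDebugger | Sort-Object Image | Format-List
```

An entry for a security tool whose target does not exist matches the `c:\test.exe` case above; an entry whose target does exist still needs a look at what that program is.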

The silver lining to all of this is that you can use IFEO to your advantage and do the exact same thing to malicious executables that they try to do to your security applications. If you find a suspicious EXE file on your system, this is a perfect way to turn the tables on malware and stop its ability to run on your system. Oftentimes, the malware is not yet smart enough to monitor IFEO keys to protect itself. A simple reboot after adding the malware to IFEO can give you a chance to remove it and finish the cleanup process.