Image File Execution Options – How to hijack a program

So what the heck are “Image File Execution Options” and why should I care about them? I know, the name alone is pretty complicated, so… let’s just call them IFEO for the rest of this post and keep things simple, shall we?

Honestly, you should be worried… very worried… about IFEO on your Windows PC. IFEO is an area of the registry that was created to configure various options telling Windows what to do when a certain application is run on your system. It’s something developers can use to run a program under a debugger to troubleshoot an application they’re building, instead of running the program directly. While this is all fine if you’re an application developer, the problem is that Windows doesn’t verify that the program you tell it to run in place of the application is actually a legitimate debugger. Let me show you an example so you can understand the essence of the problem:

Let’s say someone (for whatever reason) doesn’t want you to be able to run Malwarebytes on their system. All you would have to do is create a simple registry key and value in IFEO that will stop you in your tracks. The process that is executed when you click on Malwarebytes is “mbam.exe”. You can easily find this name in Task Manager (or by looking at the shortcut’s properties). Then add a registry key called “mbam.exe” under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options using regedit. Notice the mbam.exe key that was created under “Image File Execution Options.” Once the key is added, add a string value to the key named Debugger, as shown in the image. Double click on the Debugger value and you will see a dialog allowing you to enter the path to the executable you would like to run instead of “mbam.exe”. This can be ANYTHING you want. Think of the possibilities… in this case I added a path to c:\test.exe, which doesn’t exist. When you try to run Malwarebytes, it won’t run!

There is a lot of malware out there doing just this. It adds a big list of known security applications to your IFEO key so that when you try to run them, they either don’t run at all or actually launch another copy of the virus executable! How simple! If you suspect that your computer may be infected and you can’t start the security applications you would normally use to help clean it up, this key is a good place to start when working out how to get your applications running properly again.
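An added example, not from the original post, to audit these entries on your own machine from the defender’s side: it enumerates every IFEO subkey carrying a Debugger value (in both the native and the WOW6432Node view of the key), resolves the executable the value points to, and reports whether that file exists and is Authenticode-signed. Function and output field names are my own.

```powershell
# Added example (not from the original post): audit IFEO Debugger entries.
# Every subkey under IFEO whose Debugger value points to a missing, unsigned or
# unexpected executable is a candidate hijack of the program named by the subkey.
function Get-IfeoDebuggerEntry {
    $ifeoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $debugger) { continue }

            # The value may be quoted and may carry arguments; keep only the executable path.
            $exe = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $exists = Test-Path -LiteralPath $exe
            $signer = 'n/a (file missing)'
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned/$($sig.Status)" }
            }

            [pscustomobject]@{
                HijackedProgram = $key.PSChildName   # e.g. mbam.exe
                DebuggerValue   = $debugger
                ResolvedPath    = $exe
                FileExists      = $exists
                Signer          = $signer
                RegistryKey     = $key.PSPath
            }
        }
    }
}

# List everything; anything with FileExists = False or an unexpected signer deserves a look.
Get-IfeoDebuggerEntry | Format-Table -AutoSize
```

Run it from an elevated PowerShell so every subkey is readable; once you have confirmed an entry is the kind of hijack described above, deleting that subkey (Remove-Item on its RegistryKey) is what restores the application.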

The silver lining to all of this is that you can use IFEO to your advantage and do the exact same thing to malicious executables that they try to do to your security applications. If you find a suspicious EXE file on your system, this is a perfect way to turn the tables on malware and stop its ability to run on your system. Many times, malware is not yet smart enough to monitor IFEO keys to protect itself. A simple reboot after adding the malware to IFEO can give you a chance to remove it and finish the cleanup process.

Author: admin
