Image File Execution Options


Hereby incorporating by reference Junfeng Zhang's discussion of the Image File Execution Options registry key.

Comments (5)
  1. Raymond,

    Could you fill in the gaps in the linked article regarding ‘ApplicationGoo’ as AppCompat seems to be your area (or perhaps just say how the key got its name)?

    Jonathan

  2. Raymond Chen says:

    I don’t know for sure what it is either, but from its name it appears clearly to be app compat goo.

    "Goo" is an informal term for "stuff".

  3. Pavel Lebedinsky says:

    I use IFEO to run all IE processes under debugger. There are two reasons for doing this. First, it makes me feel safer – if I go to some evil site that causes a buffer overrun in IE, there’s a very good chance that debugger will catch it (for both heap and stack based exploits).

    Second, this way I can see what’s going on when things don’t work. For example, I locked down my IE security zones and I often need to add new sites to the trusted sites zone to allow things like javascript (Trusted Sites on my machine is approximately equivalent to the default Internet zone). However it’s often difficult to tell what sites I should add, because main page can have subframes that point to other sites etc.

    So I added a tracing breakpoint to the debugger command line to show me what URLs IE is trying to connect to:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsiexplore.exe]

    "Debugger"="ntsd.exe -G -c "bp WININET!InternetConnectA \"da poi(esp+8);g\"; g""

  4. George says:

    Oh, I used to use IFEO all the time on Windows 2000. For my purpose though, Software Restriction Policies have replaced my use of IFEO on XP and Server.

    I create a .cmd file with nothing in it. I set the debugger option to that file for specific executables. The effect is sort of like a DOS attack against myself if those executables attempt to run. This is most useful when ITG is being particularly aggressive in pushing down executables or resource hungry SMS clients.

  5. Thank Raymond for linking my blog.

    You have no idea how much power you have. My blog usually have 100-200 web views in the first few days. This one has 1500+!

Comments are closed.

Skip to main content