Here’s the deal: The image file name associated with an executable can be different depending on how the process is launched. And Image File Execution Options (IFEO) works on the image file name, not the executable name. To illustrate this, we can rename mfcmapi.exe (my favorite executable, natch) to ThisIsAReallyLongName.exe and run some tests. First, let’s determine the short file name for this file:
D:\MFCMAPI>dir /x ThisIsAReallyLongName.exe03/16/2009 10:28 AM 1,982,976 THISIS~1.EXE ThisIsAReallyLongName.exe
Next, we launch Procmon and look for anyone opening an IFEO key for a process with “this” in the name. Let’s try launching the process from the command line, using both the long and the short name:D:\MFCMAPI>ThisIsAReallyLongName.exe64-bit cmd.exe RegOpenKeyHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ThisIsAReallyLongName.exeD:\MFCMAPI>THISIS~1.EXE64-bit cmd.exe RegOpenKeyHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ThisIsAReallyLongName.exe
I trimmed and formatted the Procmon output a bit for clarity. The columns are bitness, process name, operation, and key read. So far, no difference in the keys. Let’s see what happens if we ask the debugger to launch the process:D:\MFCMAPI>windbg ThisIsAReallyLongName.exe64-bit windbg.exe RegOpenKeyHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ThisIsAReallyLongName.exe32-bit ThisIsAReallyLongName.exe RegOpenKeyHKLM\SOFTWARE\Microsoft\WINDOWS NT\CURRENTVERSION\Image File Execution Options\ThisIsAReallyLongName.exeD:\MFCMAPI>windbg THISIS~1.EXE64-bit windbg.exe RegOpenKeyHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\THISIS~1.EXE32-bit THISIS~1.EXE RegOpenKeyHKLM\SOFTWARE\Microsoft\WINDOWS NT\CURRENTVERSION\Image File Execution Options\THISIS~1.EXE
The first thing we notice is now both the launching process and the launched process are reading IFEO keys. Next, we notice the 64/32 bit difference showing up in the paths. But the biggest difference is one is looking for a key named “ThisIsAReallyLongName.exe” while the other looks for “THISIS~1.EXE”.
So maybe this is a quirk of the debugger? Let’s try running the app from Start Run:Start\Run: d:\mfcmapi\ThisIsAReallyLongName.exe64-bit Explorer.EXE RegOpenKeyStart\Run: d:\mfcmapi\thisis~1.exe64-bit Explorer.EXE RegOpenKeyHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\thisis~1.exe
We’re back to one process reading the keys, but we still see that the key name depends on whether we used the long or short name for the file.
So – the upshot here, combined with the 32/64 bit issue from before, is when setting IFEO options to enable UST (or anything else IFEO is used for), you potentially need to set the options in 4 places, depending on the bitness of the process, whether or not a long file name is involved, and who launched the process.