The location is:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<nameOfEXE>
Oddly, Windows checks the same registry key regardless of where it actually found the exe or who is executing it.
If you create a registry entry at the right spot with the "Debugger" string, you can make it execute another program instead.
I feel like this could be handy in a situation where you can edit the registry but file integrity prevents you from modifying files on disk. You can kind of stitch execution together to somewhere you control.
Also found mention of the same registry entry here: https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/
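A defender-side check for the behaviour described above, as an added example that is not part of the original post: it lists every executable name under Image File Execution Options that carries a "Debugger" value and reports the Authenticode status of the program it points to. The WOW6432Node root and the function names are assumptions of this example.

```powershell
# Added example (not from the original post): list IFEO subkeys that carry a
# "Debugger" value so unexpected redirections stand out.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit registry view on 64-bit Windows; not mentioned in the post, skipped if absent.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-DebuggerTargetPath {
    # Hypothetical helper: pull the executable path out of a Debugger command line.
    # Handles "C:\quoted path\x.exe" args and C:\unquoted\x.exe args; an unquoted
    # path that contains spaces is cut at the first space.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+', 2)[0]
}

function Get-IfeoDebuggerEntry {
    param([string[]]$Roots = $ifeoRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $debugger = $key.GetValue('Debugger')
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }
            $target = Get-DebuggerTargetPath -CommandLine $debugger
            # Bare names (no directory) are not searched for on PATH; they show
            # up as PathNotResolved and need a manual look.
            $signature = if (Test-Path -LiteralPath $target -PathType Leaf) {
                (Get-AuthenticodeSignature -LiteralPath $target).Status
            } else { 'PathNotResolved' }
            [pscustomobject]@{
                Image     = $key.PSChildName   # the <nameOfEXE> subkey
                Debugger  = $debugger          # full command line stored in the value
                Target    = $target
                Signature = $signature
                KeyPath   = $key.Name
            }
        }
    }
}

Get-IfeoDebuggerEntry | Format-Table -AutoSize -Wrap
```

Any row whose Image is a common system binary, or whose Signature is not Valid, is worth comparing against a known-good baseline of the same machine build.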