Image File Execution Options

Date:May 7, 2004 / year-entry #180
Tags:other
Orig Link:https://blogs.msdn.microsoft.com/oldnewthing/20040507-00/?p=39433
Comments:    5
Summary:Hereby incorporating by reference Junfeng Zhang's discussion of the Image File Execution Options registry key.

Hereby incorporating by reference Junfeng Zhang's discussion of the Image File Execution Options registry key.

Comments (5)
  1. Jonathan Payne says:
    May 7, 2004 at 7:34 am

    Raymond,

    Could you fill in the gaps in the linked article regarding ‘ApplicationGoo’ as AppCompat seems to be your area (or perhaps just say how the key got its name)?

    Jonathan

  2. Raymond Chen says:
    May 7, 2004 at 7:36 am

    I don’t know for sure what it is either, but from its name it appears clearly to be app compat goo.

    "Goo" is an informal term for "stuff".

  3. Pavel Lebedinsky says:
    May 7, 2004 at 3:40 pm

    I use IFEO to run all IE processes under debugger. There are two reasons for doing this. First, it makes me feel safer – if I go to some evil site that causes a buffer overrun in IE, there’s a very good chance that debugger will catch it (for both heap and stack based exploits).

    Second, this way I can see what’s going on when things don’t work. For example, I locked down my IE security zones and I often need to add new sites to the trusted sites zone to allow things like javascript (Trusted Sites on my machine is approximately equivalent to the default Internet zone). However it’s often difficult to tell what sites I should add, because main page can have subframes that point to other sites etc.

    So I added a tracing breakpoint to the debugger command line to show me what URLs IE is trying to connect to:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsiexplore.exe]

    "Debugger"="ntsd.exe -G -c "bp WININET!InternetConnectA \"da poi(esp+8);g\"; g""

  4. George says:
    May 7, 2004 at 5:57 pm

    Oh, I used to use IFEO all the time on Windows 2000. For my purpose though, Software Restriction Policies have replaced my use of IFEO on XP and Server.

    I create a .cmd file with nothing in it. I set the debugger option to that file for specific executables. The effect is sort of like a DOS attack against myself if those executables attempt to run. This is most useful when ITG is being particularly aggressive in pushing down executables or resource hungry SMS clients.

  5. Junfeng Zhang says:
    May 10, 2004 at 9:42 pm

    Thank Raymond for linking my blog.

    You have no idea how much power you have. My blog usually have 100-200 web views in the first few days. This one has 1500+!

Comments are closed.


*DISCLAIMER: I DO NOT OWN THIS CONTENT. If you are the owner and would like it removed, please contact me. The content herein is an archived reproduction of entries from Raymond Chen's "Old New Thing" Blog (most recent link is here). It may have slight formatting modifications for consistency and to improve readability.

WHY DID I DUPLICATE THIS CONTENT HERE? Let me first say this site has never had anything to sell and has never shown ads of any kind. I have nothing monetarily to gain by duplicating content here. Because I had made my own local copy of this content throughout the years, for ease of using tools like grep, I decided to put it online after I discovered some of the original content previously and publicly available, had disappeared approximately early to mid 2019. At the same time, I present the content in an easily accessible theme-agnostic way.

The information provided by Raymond's blog is, for all practical purposes, more authoritative on Windows Development than Microsoft's own MSDN documentation and should be considered supplemental reading to that documentation. The wealth of missing details provided by this blog that Microsoft could not or did not document about Windows over the years is vital enough, many would agree an online "backup" of these details is a necessary endeavor. Specifics include:

<-- Back to Old New Thing Archive Index