{
	"id": "fccbc688-e1ac-458b-bc1a-1d169084bc68",
	"created_at": "2026-04-06T00:13:11.247391Z",
	"updated_at": "2026-04-10T03:21:22.660256Z",
	"deleted_at": null,
	"sha1_hash": "2e3fbfa75a98b42998019745b06e0395ab4f21cb",
	"title": "Image File Execution Options (IFEO)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86408,
	"plain_text": "Image File Execution Options (IFEO)\r\nBy kexugit\r\nArchived: 2026-04-05 13:23:53 UTC\r\n Image File Execution options provides you with a mechanism to always launch an executable directly under the\r\ndebugger. This is extremely useful if you ever need to investigate issues in the executable's startup code (services\r\nespecially). You can set the IFEO options directly via the registry or indirectly using the Gflags tools (available\r\nwith the Window debugging toolkit).   \r\nYou need to create a registry key and populate it with a value as follows -\r\nKey\r\n\"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\r\n\u003cexecutable\u003e\"\r\nValue Debugger : REG_SZ : \u003cfull-path to your favorite debugger\u003e\r\nYou do not need the full path to the application, only the exe name will suffice. However you do need the full path\r\nto the debugger.  As an example, we look at launching notepad under ntsd, you would be creating the following -\r\nKey\r\n\"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution\r\nOptions\\notepad.exe\"\r\nValue Debugger : REG_SZ : \"c:\\dbg\\ntsd.exe -g\"\r\nYou can also use Gflags to set IFEO too -\r\nhttps://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/\r\nPage 1 of 4\n\nHow does IFEO work?     \r\nKernel32!CreateProcess when called without the DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS\r\ncreation flags, checks the registry to see if IFEO has been set on the executable that it is launching. If yes, then it\r\nsimply prepends the debugger path to the executable name, effectively getting the executable to launch under the\r\ndebugger. If you do not specify the correct path to the debugger, then you'll probably get greeted with a \"file not\r\nfound\" error. 
In our notepad/ntsd example above, Kernel32!CreateProcess ends up invoking -\r\n\"c:\\dbg\\ntsd.exe -g notepad.exe\"\r\nNow ntsd eventually launches notepad under the debugger by calling Kernel32!CreateProcess with one of the\r\nfollowing creation flags - DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS. The presence of either of\r\nthese creation flags forces Kernel32!CreateProcess to bypass IFEO options this time around (else we would have\r\nbeen running into an endless loop) and actually launch the executable under the debugger.\r\nIFEO and 64 bit -\r\nA word of caution - For 32 bit executables running in the WOW on X64 machines, your natural tendency might be\r\nto create the registry key in the syswow node -\r\n\"HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\u003cexecutable\u003e\"\r\nHowever Gregg Miskelly notes that you should set the IFEO corresponding to the bit-ness of the application\r\ncalling into kernel32!CreateProcess to launch the executable -\r\n\"On Win 64, there are two copies of HKEY_LOCAL_MACHINE\\Software (one for 32-bit apps, and one for 64-bit\r\napps), and therefore there are two copies of these options. However, where the operating system looks isn't\r\ndependent on the bit-ness of the application that is going to be debugged (which is what you would probably\r\nexpect). 
Instead, it is dependent on the bit-ness of the application that called CreateProcess.\"\r\nOther IFEO caveats -  \r\nRaymond Chen notes the following caveat in his blog entry  -\r\n\"If you passed special parameters via the STARTUPINFO structure, those parameters get passed to the debugger.\r\nAnd the PROCESS_INFO that is returned by the CreateProcess function describes the debugger, not the process\r\nbeing debugged.\"\r\nIFEO and Managed debuggers -\r\nIFEO can only be used for native or interop debugging, but not for managed debugging. Mike Stall has an\r\nexcellent blog entry that describes in great detail exactly why. The gist is this - Managed debuggers like\r\nMdbg/cordbg/VS.NET use ICorDebug::CreateProcess to launch managed executables under the debugger.\r\nHowever for managed debugging, the debugger should call ICorDebug::CreateProcess without the\r\nDEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS creation flags (this is publicly documented). This API\r\ninternally ends up calling Kernel32!CreateProcess without the DEBUG_PROCESS or\r\nDEBUG_ONLY_THIS_PROCESS creation flags. This leads to the endless loop that I described above. Is this an\r\nICorDebug API design flaw?  Not really. Just an oversight in my opinion - The API designers missed one\r\nscenario. Maybe in the next version of the CLR this will be fixed (I do not know for sure).\r\nSome excellent resources on IFEO -\r\nExercise for reader -\r\nDoes IFEO work with other Win32 APIs like ShellExecute, CreateProcessAsUser, CreateProcessWithLogonW\r\nand CreateProcessWithTokenW?\r\nTIP of the day -\r\nQuestion - System services can launch before the user has a chance to log on. So how do you debug the startup\r\ncode of these system services?\r\nAnswer - Put the machine under kernel Debugger (KD), use IFEO to launch the service under NTSD (use ntsd's \r\n\"-d\" option to pipe the ntsd output to KD) and reboot the machine. When the system service launches, it will be\r\nlaunched under ntsd.  
The ntsd debugger will automatically cause it to break into KD when it encounters the initial\r\nloader breakpoint. The debugging session will begin in user mode automatically (yipee!). After you are done\r\ndebugging, switch control to KD by issuing the \".breakin\" command.\r\nSource: https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/"
	],
	"report_names": [
		"image-file-execution-options-ifeo"
	],
	"threat_actors": [],
	"ts_created_at": 1775434391,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e3fbfa75a98b42998019745b06e0395ab4f21cb.pdf",
		"text": "https://archive.orkl.eu/2e3fbfa75a98b42998019745b06e0395ab4f21cb.txt",
		"img": "https://archive.orkl.eu/2e3fbfa75a98b42998019745b06e0395ab4f21cb.jpg"
	}
}