{
	"id": "5158a521-bf21-4358-aae9-a2006e8c4f1a",
	"created_at": "2026-04-06T00:11:27.079687Z",
	"updated_at": "2026-04-10T03:30:33.822821Z",
	"deleted_at": null,
	"sha1_hash": "5ee3e4017baf24ef2493732e691a293c51644879",
	"title": "Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1535898,
	"plain_text": "Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe\r\nPublished: 2018-04-10 · Archived: 2026-04-05 23:20:10 UTC\r\nTL;DR\r\n– Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe.\r\n– Requires administrator rights and does not belong in userland.\r\n– Can also be executed from alternate data streams.\r\n– Plant a file on disk and run these commands to create persistence that triggers every time someone closes notepad.exe:\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\"\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" /v Reportin\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" /v MonitorP\r\nImage File Execution Options\r\nAnother day with some unstructured research time. I must admit that it feels good every time. 🙂\r\nLast time I found a way to execute DLL files and still hide from Autoruns.exe. This time I found some interesting stuff that I have not found much related information on, and hopefully it will help people detect someone if they are using this technique. This adventure started when I was looking for other ways to execute data from alternate streams. Somehow I ended up in Process Monitor (big surprise) and started looking at the Image File Execution Options. Normally I would just pass these by, since I always assume that someone has probably already discovered all there is to discover. Again it turns out that assumptions are the mother of all fu**ups.\r\nI started by Googling for information about the Image File Execution Options, especially the ApplicationGoo setting, and I ended up here: https://blogs.msdn.microsoft.com/junfeng/2004/04/28/image-file-execution-options/\r\nThis blog post also mentioned GlobalFlags, and that caught my eye. After I was done Googling and searching for ApplicationGoo and what it did, I stumbled upon this and it turned out that you can add the ApplicationGoo in a special way to fake to a process which operating system you are running. I am not done researching the ApplicationGoo, so feel free to go on your own adventure. 😉\r\nI returned to read some more details about the GlobalFlags, since that was more interesting. The MSDN blog stated the following (Thanks Microsoft):\r\nIf you play with gflags.exe more, you will find more interesting registry values under Image File Execution Options.\r\nhttps://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\r\nA quick search for gflags.exe and I found that this is part of the Windows 10 SDK, and this binary was already present on my machine. I fired up the application and it looks like this:\r\nThis application can be used to change all the flags related to the execution of a binary. There could also be more interesting stuff here to dig into that I have not looked at yet.\r\nThe first thing I tried was to check if this application could work as a Device Guard bypass by leveraging the Launch command. This turned out to be negative. Based on my previous experience I already knew what the debugger flag does, so I did not care about that. What I did find out, however, was that under the “Silent Process Exit” tab there was a lot of other interesting stuff to look at. 😈\r\nAs you can see, my evil plan here is to execute an evil binary every time notepad.exe is closed. After planting this I verified that it worked by running just a renamed version of bginfo.exe. The point here is not the payload I am running, more the technique.\r\nAfter I close notepad.exe, evil.exe is spawned like this:\r\nSo this was pretty awesome, I thought. It also turns out that autoruns.exe does not detect this technique. (Sorry Mark, even more to do with autoruns.exe)\r\nAfter a bit more reversing I also figured out that the registry keys that decide what to launch as a silent “monitor” reside in “HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\”\r\nAll that gflags.exe actually does is write the necessary registry keys. To achieve the same with some simple commands you could simply run the following lines in cmd.\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\"\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" /v Reportin\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" /v MonitorP\r\nThis is also pretty well documented at docs.microsoft.com.\r\nBONUS – Execute with Alternate data streams\r\nI also figured out that you can leverage alternate data streams as well. That means you can take the evil.exe and add it to, for instance, the tasks folder under C:\\windows\\ as an alternate stream. That can easily be done by changing the registry and using this command:\r\ntype c:\\temp\\evil.exe \u003e c:\\windows\\tasks:evil.exe\r\nAfter I close notepad, it now looks like this:\r\nI’ve been asked by some people since my last post why I disclose these things, and my intentions are pure. Many people fear that this is like giving away techniques to the bad guys, but I feel disclosing these things makes it possible to discover them in the wild and create good detection mechanisms and prevention. I have also seen a lot of discussions on Twitter lately about people not wanting to disclose their techniques since it makes their job more difficult (pentesters), and that makes me sad in some way, even though I can understand and relate to the reasons. My reasons for sharing the things I discover are to make things more secure for everyone, and hopefully it will also inspire others to start their own research and disclose new and unknown stuff to the public. Hope you enjoyed the post and as always, feedback is always welcome!\r\nSource: https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
	],
	"report_names": [
		"persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ee3e4017baf24ef2493732e691a293c51644879.pdf",
		"text": "https://archive.orkl.eu/5ee3e4017baf24ef2493732e691a293c51644879.txt",
		"img": "https://archive.orkl.eu/5ee3e4017baf24ef2493732e691a293c51644879.jpg"
	}
}