Rough analysis of a registry key

xiaoxiao, 2021-03-05

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

This registry key may be unfamiliar, because it is mainly used for debugging programs and is of no use to ordinary users. By default only Administrators and Local System have read and write access to it; ordinary users have read-only access.

Let's start with an experiment. Create a new subkey named "Test.exe" under this key, create a string value named "Debugger" inside it, and set its data to "cmd.exe /c echo". Then rename any EXE file to "Test.exe" and run "Test.exe" from the command line. What appears on the screen is not the output of Test.exe; instead it looks like this:

E:\> TEST
Test

E:\> TEST.EXE
Test.exe

When Windows NT receives a request to run an executable from the command line, it first checks whether the file is an executable and, if so, what format it is. It then checks whether this key exists:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageName]

If it exists, the system first tries to read this value under it:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageName]

"Debugger" = "debug_prog"

If the value exists, "debug_prog imagename" is executed instead of the image. In the example above, what the system actually ran was:

cmd.exe /c echo test

cmd.exe /c echo test.exe

If "debug_prog" is set to a program that is not in the search path, you get a rather interesting message: "Cannot find file E:\Test.exe." In fact Test.exe is right there in the current directory; what cannot be found is "debug_prog". And once the Test.exe subkey is set, then even if test.exe itself does not exist there is no "The system cannot find the file" prompt; no output is returned on the console at all.

This value is checked whenever the system runs any executable program. The feature can therefore be used to plant a backdoor.
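Because every launch of a matching image name is silently redirected, the defensive counterpart of the experiment above is to enumerate the key and see what each "Debugger" value actually resolves to. The following PowerShell script is an added example written for this page; it is not from the original article, and the function names are my own. It reads the two registry views that exist on 64-bit Windows (the Wow6432Node view is the one 32-bit images see) and, for each image with a Debugger value, resolves the first token of that command line the way the loader would, so a "debugger" that is missing from the search path, or that lives somewhere unexpected, shows up directly.

```powershell
# Added example (not from the original article): audit Image File Execution Options
# for per-image "Debugger" values and report what each one resolves to.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# The Debugger data is a command line to which the image's own command line is appended.
# Extract its first token, honouring a quoted path, so it can be located on disk.
function Get-DebuggerExecutable {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Get-IfeoDebuggerEntry {
    foreach ($root in $IfeoPaths) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            if ($null -eq $props.Debugger) { continue }

            $exe = Get-DebuggerExecutable $props.Debugger
            # Same lookup the article's "cannot find file" case goes through: a bare name
            # is searched on PATH, so resolve it that way and say so when nothing matches.
            $found = $null
            if (Test-Path -LiteralPath $exe) {
                $found = (Resolve-Path -LiteralPath $exe).Path
            } else {
                $found = (Get-Command -Name $exe -ErrorAction SilentlyContinue).Source
            }

            [pscustomobject]@{
                View        = if ($root -match 'WOW6432Node') { '32-bit' } else { '64-bit' }
                Image       = $key.PSChildName
                Debugger    = $props.Debugger
                ResolvedTo  = if ($found) { $found } else { '<not found in search path>' }
                # The other per-image values (GlobalFlag, the PageHeap* family, ...) are
                # diagnostic settings; list them so the whole entry can be judged at once.
                OtherValues = ($props.PSObject.Properties.Name |
                               Where-Object { $_ -ne 'Debugger' -and $_ -notlike 'PS*' }) -join ', '
            }
        }
    }
}

Get-IfeoDebuggerEntry | Format-Table -AutoSize -Wrap
```

Reading the key needs no special rights, as the article notes, so this runs as an ordinary user. Any Debugger entry whose ResolvedTo is not a debugger you knowingly installed, or that points into a user-writable directory, deserves a closer look, as does any entry for an image name you did not create yourself.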

This is not mentioned in earlier Windows security literature. If you maintain a Windows 2000 security checklist, please add it.

The values supported under this key that I found on Windows 2000 are:

ApplicationGoo
Debugger
PageHeapFlags
DisableHeapLookaside
DebugProcessHeapOnly
PageHeapSizeRangeStart
PageHeapSizeRangeEnd
PageHeapRandomProbability
PageHeapDllRangeStart
PageHeapDllRangeEnd
GlobalFlag
BreakOnDllLoad

These entries match on the file name only, regardless of its path.

Debugger has already been covered. DisableHeapLookaside can be used to work around certain application runtime problems. Starting with Windows NT SP4, Windows uses a new heap management mechanism; the new dynamic memory allocation makes applications use less memory (and also makes exploits harder to write :-)), but some applications cannot run normally under it and hang or fail. In that case, create a subkey named after the file and set DisableHeapLookaside to "1", which forces the system not to use the new heap mechanism for that application. (Would an overflow exploit written against an ordinary system then fail? If so, using this on key programs is, in a sense, also a way of resisting overflow attacks.)

For more information on DisableHeapLookaside, refer to Microsoft Knowledge Base articles Q252902, Q195008 and Q195009.

Interestingly, Windows 2000 pre-sets DisableHeapLookaside for these file names at installation:

ENC98.EXE

F32main.exe

PRWIN8.EXE

PS80.exe

Qfinder.exe

QPW.exe

UA80.exe

WPWIN8.EXE

Presumably Microsoft had received problem reports about these applications :-).

BreakOnDllLoad is used for debugging DLLs, such as an ISAPI extension: a breakpoint is hit as soon as the DLL is loaded. See Rick Strahl's "Debugging IIS5 ISAPI Applications with VC".

For ApplicationGoo I found no documentation, but judging from the values Microsoft sets, it stores version information in this key. My guess is that it is used to match a specific version of the file.

For the remaining values, although I know they exist, I could not find any information; MSDN has only a single mention of them. Their names make it fairly clear what they do, though :-): they are used to control the heap.

I hope these values are of some help to friends who are digging into heap overflows.

Additional information:

On XP this key also supports ShutdownFlags. Here is Microsoft's description:

Leak detection when the process is exiting

Leak detection is made every time a process is cleanly exiting. It doesn't work if the process is terminated with TerminateProcess() or TerminateThread()/ExitThread() for the last thread in the process; but for most applications this is not a problem.

To enable leak detection when the process is exiting, set the registry key as follows:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageName]

"ShutdownFlags" = "3"

Please cite the original source when reprinting: https://www.9cbs.com/read-36976.html
