Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: What are "image file execution options" ?

06 Dec 2013   #11
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
There's no service

Quote   Quote: Originally Posted by Alejandro85 View Post
Quote   Quote: Originally Posted by Sir George View Post
Most likely the program is being run in "Services" and can be stopped there.
It's another possibility, sure, but services do appear on task manager when it's elevated.
Thanks, I checked Services using Elevated Task Manager and also Advanced Win Service Manager (elevated) and found nothing.


My System SpecsSystem Spec
.
06 Dec 2013   #12
DavidE

Multi-Boot W7_Pro_x64 W8.1_Pro_x64 W10_Pro_x64
 
 

Quote   Quote: Originally Posted by Callender View Post
Quote   Quote: Originally Posted by DavidW7ncus View Post
Quote   Quote: Originally Posted by Callender View Post
I have software installed that prevents certain executable files from running if the file names are manually added to the block list. I'm actually struggling to understand how this works. I've done some digging about and I see entries listed as shown in the screenshot:

What are "Image Executions Debugger" and "Kernel Autoboot" ?

The software has no running process and doesn't appear in Task Manager so I'm trying to understand how it works. How does it block processes when it doesn't appear to have it's own running process?

Example usage:

I often install free software and then either keep it if I find it of use or remove it otherwise. It seems that a few times per year I'll end up installing some unwanted toolbar or PUP that has been bundled with a program's installer. So I've tried a few methods to block installation of unwanted toolbars when installing such software.

An example might be Photofiltre - it installs Ask Toolbar with no chance to opt out of the installation (last time I checked anyway) but using the software that I'm trying out results in the program installing cleanly without the toolbar.
What software (program) are you using for this?
I'm using Image Hijacker but I don't really recommend other users to download it as a lot of the published download links are dodgy

I use it to block toolbar installation and the like and display a message on screen when installation is blocked.
Thanks for the reply and info!
I've never used the Image Hijacker program ...
Maybe someone else that uses it will see see this thread and be able to help.

I'd be concerned with virus/malware ...
My System SpecsSystem Spec
06 Dec 2013   #13
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Can someone explain?

Thanks for the help everyone! I decided to download a version of the Ask Toolbar installer - "Offercast2802_DEMOTB_.exe"and add it to the exclusion list in Image Hijacker before running a capture with ProcMon then trying to run the toolbar installer.

The screenshots are what I think might be important in understanding how this software works but I admit that I don't have a full understanding so if anyone can interpret the screenshots - I'd be grateful.

It seems to me as if registry entries for blocked executables are created in:

HKEY\LOCAL MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options

with the Value Name "Debugger"

and the Value Data "C:\Users\Chris\Desktop\Toolbox\Image Hijacker\FM.exe"

FM.exe as I understand it is the Image Hijacker executable that runs in place of "Offercast2802_DEMOTB_.exe" and displays the user defined message on screen - in this case "Ask Toolbar Installation Blocked"

I still don't really understand what's happening here. It looks like registry entries can be used to block an executable and run another one in it's place but how on earth is the executable detected when it attempts to run?

HELP!


Attached Thumbnails
What are "image file execution options" ?-2013-12-07-03_47_10-event-properties.jpg   What are "image file execution options" ?-2013-12-07-03_48_32-event-properties.jpg   What are "image file execution options" ?-2013-12-07-03_52_41-registry-editor.jpg   What are "image file execution options" ?-process-tree.jpg  
Attached Images
What are "image file execution options" ?-2013-12-07-03_49_23-event-properties.jpg 
My System SpecsSystem Spec
.

07 Dec 2013   #14
Alejandro85

Windows 7 Ultimate x64
 
 

Got it! Forget everything about the kernel-mode driver I told before, it's probably wrong. That registry keys are the real thing that do the work.

That registry path is a Windows special entry. It's designed to help programmers to run programs under debuggers before they launch, so you can monitor your program in the early phases of its startup. What those keys do is, when the executable pointed there is run, Windows does NOT run it, but instead it runs the thing specified in the "Debugger"" entry, passing the whole original command line to it. The real intention is to put a debugger there that can monitor the target program, but it can really be used for anything, effectively replacing any program with another one. That behavior is built-in in Windows itself, your program has nothing to do with that, just sets those entries and provides a nice "alternative" program to run instead.

Look here:
Launching the Debugger Automatically
registry - set "Image File Execution Options" will always open the named exe file as default - Stack Overflow

A practical usage (discussed in the StackOverflow thread) is replacing Notepad with Notepad2. There is done manually, but as far as I remember, the official Notepad2 installer does exactly the same, effectively running Notepad2 everywhere instead of the real built-in Notepad.

BTW, may I suggest to use a more "innocent" program as a test piggy? Why not try this blocker with the calculator instead of a real virus?
My System SpecsSystem Spec
07 Dec 2013   #15
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Solved

Thanks Alejandro85

You explain very well indeed and with some decent advice. I did originally try substituting my browser with notepad to see if it worked but just couldn't understand how it worked. I chose Ask Toolbar as I knew that I could remove it!
My System SpecsSystem Spec
Reply

 What are "image file execution options" ?




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Bad Image Error due to file "npmproxy.dll"
I keep getting intermittent "(insert program name) - Bad Image" error pop-up. The message blames the file "npmproxy.dll". The pop-up is normally associated with an Apple program (I run Outlook and use iCloud and iTunes for syncing). I have spent countless hours trying to fix this. I have...
General Discussion
Cant find "System Image" of 36 GB but its shows on "Manage Disc Space"
Dear Experts, I have created windows image on Drive F: but delete it after some time manually due to some space prob. But while backup shows about 40 GB only few GB space got free after deletion. When i try to again take the the backup using windows 7 backup & restore option, its still shows 35...
Backup and Restore
Can File "image" be changed to XP style ??
As a professional photographer, one of the most annoying things that bothers me about Windows7 is that the file folder looks like an open book with an image coming out of it. THAT is not good enough. In that respect, I liked WindowsXP much better. Is there ANY WAY to change it in Windows7 so...
Customization
No "usb legacy support" "qfan" options on my asus laptop bios.
Entering the bios limits me to certain options. Is there anyway to access the other options? sorry, newbie here.
Performance & Maintenance
How to back up the "Indexing Options" settings? [registry/system file?
I'd like to back up (and be able to restore upon win7 reinstall) all my heavily-customised Indexing Options settings. e.g. I have VERY customised list of file types that I have ticked in the Advanced Options, to the "Index Properties and File Contents" type instead of just "Properties" - which...
Backup and Restore
"..image file [install.wim] does not exist."
I have windows 7 build 6956 running perfect on my current pc, i tried installing it on another pc, and i got the error... "Windows could not collect information for since the specified image file does not exist." I used the same DVD, i know install.wim is on it. Any one else get this...
Backup and Restore


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 21:22.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App