What are "image file execution options" ?


  1. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #11

    There's no service


    Alejandro85 said:
    Sir George said:
    Most likely the program is being run in "Services" and can be stopped there.
    It's another possibility, sure, but services do appear on task manager when it's elevated.
    Thanks, I checked Services using Elevated Task Manager and also Advanced Win Service Manager (elevated) and found nothing.


  2. Posts : 6,330
    Multi-Boot W7_Pro_x64 W8.1_Pro_x64 W10_Pro_x64 +Linux_VMs +Chromium_VM
       #12

    Callender said:
    DavidW7ncus said:
    Callender said:
    I have software installed that prevents certain executable files from running if the file names are manually added to the block list. I'm actually struggling to understand how this works. I've done some digging about and I see entries listed as shown in the screenshot:

    What are "Image Executions Debugger" and "Kernel Autoboot" ?

    The software has no running process and doesn't appear in Task Manager so I'm trying to understand how it works. How does it block processes when it doesn't appear to have its own running process?

    Example usage:

    I often install free software and then either keep it if I find it of use or remove it otherwise. It seems that a few times per year I'll end up installing some unwanted toolbar or PUP that has been bundled with a program's installer. So I've tried a few methods to block installation of unwanted toolbars when installing such software.

    An example might be Photofiltre - it installs Ask Toolbar with no chance to opt out of the installation (last time I checked anyway) but using the software that I'm trying out results in the program installing cleanly without the toolbar.
    What software (program) are you using for this?
    I'm using Image Hijacker but I don't really recommend other users to download it as a lot of the published download links are dodgy

    I use it to block toolbar installation and the like and display a message on screen when installation is blocked.
    Thanks for the reply and info!
    I've never used the Image Hijacker program ...
    Maybe someone else that uses it will see this thread and be able to help.

    I'd be concerned with virus/malware ...


  3. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #13

    Can someone explain?


    Thanks for the help everyone! I decided to download a version of the Ask Toolbar installer - "Offercast2802_DEMOTB_.exe" and add it to the exclusion list in Image Hijacker before running a capture with ProcMon then trying to run the toolbar installer.

    The screenshots are what I think might be important in understanding how this software works but I admit that I don't have a full understanding so if anyone can interpret the screenshots - I'd be grateful.

    It seems to me as if registry entries for blocked executables are created in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

    with the Value Name "Debugger"

    and the Value Data "C:\Users\Chris\Desktop\Toolbox\Image Hijacker\FM.exe"

    FM.exe as I understand it is the Image Hijacker executable that runs in place of "Offercast2802_DEMOTB_.exe" and displays the user defined message on screen - in this case "Ask Toolbar Installation Blocked"

    I still don't really understand what's happening here. It looks like registry entries can be used to block an executable and run another one in its place but how on earth is the executable detected when it attempts to run?

    HELP!
    Attached thumbnails: three ProcMon "Event Properties" screenshots, one Registry Editor screenshot, and one process tree screenshot.

    Last edited by Callender; 06 Dec 2013 at 23:11. Reason: include more info


  4. Posts : 2,467
    Windows 7 Ultimate x64
       #14

    Got it! Forget everything about the kernel-mode driver I told you before, it's probably wrong. Those registry keys are the real thing that does the work.

    That registry path is a Windows special entry. It's designed to help programmers to run programs under debuggers before they launch, so you can monitor your program in the early phases of its startup. What those keys do is, when the executable pointed there is run, Windows does NOT run it, but instead it runs the thing specified in the "Debugger" entry, passing the whole original command line to it. The real intention is to put a debugger there that can monitor the target program, but it can really be used for anything, effectively replacing any program with another one. That behavior is built-in in Windows itself, your program has nothing to do with that, just sets those entries and provides a nice "alternative" program to run instead.

    Look here:
    Launching the Debugger Automatically
    registry - set "Image File Execution Options" will always open the named exe file as default - Stack Overflow

    A practical usage (discussed in the StackOverflow thread) is replacing Notepad with Notepad2. There it is done manually, but as far as I remember, the official Notepad2 installer does exactly the same, effectively running Notepad2 everywhere instead of the real built-in Notepad.

    BTW, may I suggest to use a more "innocent" program as a test piggy? Why not try this blocker with the calculator instead of a real virus?
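An added example, not part of the original posts and not Image Hijacker's own code: a PowerShell audit that lists every executable name carrying a "Debugger" value under Image File Execution Options, the mechanism post #14 describes. The function names `Resolve-DebuggerImage` and `Get-IfeoDebugger` are made up for this example, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: list IFEO "Debugger" redirections and what they point to.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit registry view on 64-bit Windows; skipped below if the key is absent
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Resolve-DebuggerImage {
    # Extract the executable path from a Debugger command line.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted value (like the "...\Image Hijacker\FM.exe" data in the thread):
    # extend the candidate word by word until it names an existing file.
    $tokens = $cmd -split '\s+'
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) {
            return $candidate
        }
    }
    return $tokens[0]   # nothing resolved on disk; report the first word
}

function Get-IfeoDebugger {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $debugger = [string]$key.GetValue('Debugger')
            if ([string]::IsNullOrEmpty($debugger)) { continue }
            $image  = Resolve-DebuggerImage $debugger
            $exists = Test-Path -LiteralPath $image -PathType Leaf -ErrorAction SilentlyContinue
            $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $image).Status }
                   else { 'FileNotFound' }
            [pscustomobject]@{
                Target        = $key.PSChildName   # executable name being redirected
                Debugger      = $debugger          # what Windows launches instead
                ResolvedImage = $image
                Signature     = $sig
                Key           = $key.Name
            }
        }
    }
}

Get-IfeoDebugger | Format-List
```

On a machine set up as in post #13, the output would include one entry whose Target is the blocked installer's file name and whose Debugger is the FM.exe path. Entries pointing at an unsigned file or at a user-writable folder are the ones to review first.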


  5. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #15

    Solved


    Thanks Alejandro85

    You explain very well indeed and with some decent advice. I did originally try substituting my browser with notepad to see if it worked but just couldn't understand how it worked. I chose Ask Toolbar as I knew that I could remove it!


 