Problem solve Get help with specific problems with your technologies, process and projects.

Dual roles for XP Registry key

The "Image File Executive Options" Registry key in XP is a programmers' favorite to detect memory leaks and other problems. Use it to prevent certain programs from running at all.

Please let us know how useful you find this tip by rating it below. Do you have a useful Windows tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize!

Windows XP makes use of a Registry key called "Image File Execution Options" that lets you set behaviors for specific executables.

Most of the options available through this key involve kernel-level functions that programmers normally use to detect problems like memory leaks or heap problems. With a little creative work, however, it's possible to use it as a fairly sophisticated way to prevent certain programs from running at all.

The Registry key in question is located at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.

Open up the Registry and take a look. Within it you may already see quite a few existing subkeys, each of which contains the name of an executable image. Each subkey also may contain one or more values that govern that program's behavior.

The value we're most interested in is a String value named Debugger, which allows a specific debugger to be fired up for that application when it's launched. Windows XP has within it a command-line debugger called ntsd, which can be used as a way to cause an application to terminate immediately if someone launches it.

To block an application, first add a new subkey under Image File Execution Options and name it after the executable you don't want to run. Include the file's extension, but don't include a pathname -- just the name of the executable itself. (The other subkeys listed there should provide you with an example to follow.) Inside that new subkey, create a String value and name it Debugger; set the value of Debugger to:
ntsd --
(That's ntsd, a space, and two dashes.)

This causes the debugger to attach to the program and exit immediately.

Bear in mind that conventional users should not be allowed to edit the Registry, or they will be able to defeat this pretty easily. This trick can also be made part of a logon script, a policy or a system image as a way of proactively blocking certain "known-bad" programs. (In theory it could also be used as an attack vector by a malicious program to block conventional ones from running as well.)

The JSI FAQ site has an interesting wrinkle on this particular technique. They've created a way to use it to keep users from running Windows Update -- namely, by blocking the application wupdmgr.exe. (See tip 9017 on their site.)

Serdar Yegulalp is editor of The Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

Dig Deeper on Windows legacy operating systems

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.