Block Application Execution by Faking a Debugger Programming 23 JUL 2008

RegistryHere’s a little tip to block unwanted applications like viruses or any malware that you don’t necessarily want running on your machine in the first place. The idea here is to use Window’s debugging functionality to create an almost ‘fake’ debugging process to capture the unwanted executable and thereby halt it from executing normally.

First off, you need to identify the unwanted executable. For this example’s purposes, let’s say our unwanted friend can be found at c:

Now open up your registry and navigate through to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion and locate the registry key named Image File Execution Options within it. Now this particular registry key is normally used for debugging purposes, but for our purposes, we are going to twist it just a little bit by making use of a specific string value, namely the “Debugger” SZ value.

Now basically this value is used to include a debugger that should launch the process whenever there is a demand to the OS which spawns it. So for instance: If you wanted to create a debugger for c:
then you would create a key named “Groupwise.exe” under HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options and add a SZ value called “Debugger” and set it to a debugger like cdb.exe (Debugger = c:debuggerscbd.exe) for instance. The effect of this will then be that whenever you try and execute groupwise.exe, the debugger cdb.exe will launch and groupwise.exe will be spawned within it.

Of course, we don’t really want a debugger for our purposes, but maybe a nice log file about when and where the unwanted executable is starting up from might be nice. So this time around, try doing this:

1. Create a key named “Groupwise.exe” under HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options
2. In this new ‘Groupwise.exe” key that you have created, add a SZ value called “Debugger” and set it to: Debugger = cmd.exe /c echo %time% %date% >> c:ExecBlocked.log

And that is it. Now every time Groupwise.exe tries to start up, you get a nice and nifty log entry in your c:ExecBlocked.log file.

Just a note: if you want to let the process run normally again, simply remove your created key and value from the Image File Execution Options key to set everything back to the way it was.

About Craig Lotter

Software developer, husband and dad to two young ladies. Writer behind An Exploring South African. I don't have time for myself any more.