Volleynerd Knowledge Base

Thursday, January 15, 2004


Replacing What Runs for Exe

Sysinternals.com "Process Explorer" uses this registry key to take over launches of TaskMgr.exe: whenever TaskMgr.exe is started, Windows runs "procexp.exe" instead.

Looks like this works by telling the OS that you want to run a "debugger" for this exe. In this case, it's not really a debugger, just some *other* exe that you want to run?!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Value 0
Name: Debugger
Type: REG_SZ
Data: D:\Hanan\Utils\SysInternals\procexp_2k.exe
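
A check for the mechanism above, as an added example (not from the original post or from Sysinternals): this PowerShell function lists every executable name under Image File Execution Options that carries a Debugger value, so redirected launches like the taskmgr.exe entry can be reviewed. The function name Get-IfeoDebugger and its -Allow parameter are assumptions made for this example; the WOW6432Node path is the 32-bit registry view on 64-bit Windows.

```powershell
# Added example: audit Image File Execution Options (IFEO) for Debugger values.
# Any exe name listed here is not started directly; Windows starts the
# Debugger command instead and passes the original exe path to it.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit registry view on 64-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    param(
        [string[]]$Roots = $ifeoRoots,
        # Image names whose redirection was set up on purpose (hypothetical
        # allowlist, e.g. taskmgr.exe when Process Explorer replaces it).
        [string[]]$Allow = @()
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Read the value straight from the RegistryKey object; $null if absent.
            $debugger = $key.GetValue('Debugger', $null)
            if ([string]::IsNullOrWhiteSpace([string]$debugger)) { continue }
            [pscustomobject]@{
                Image    = $key.PSChildName          # exe name being redirected
                Debugger = [string]$debugger         # what actually runs
                Expected = $Allow -contains $key.PSChildName
                KeyPath  = $key.Name
            }
        }
    }
}

# Entries that were not put there knowingly sort to the top.
Get-IfeoDebugger -Allow 'taskmgr.exe' |
    Sort-Object Expected, Image |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that every subkey is readable; rows with Expected = False are the ones to look into.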

keywords: replace exe when it runs


