HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
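Then it asks me whether I want to add this thing to my computer.
If I press Allow, even clicking it like crazy, nothing happens.
If I press Deny, even clicking it like crazy, nothing happens either.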
- 虫 (Lv 5), 1 decade ago, Favorite Answer
Now we're going to replace the string value with C:\WINDOWS\system32\write.exe
If you run notepad or double-click on a .txt file, you will see that wordpad runs instead,
but this time it displays the contents of notepad.exe in its editor.
The reason is that write.exe (like notepad) directly opens the file specified in the second argument of its command line.
(the first argument being the name of the program itself)
So it means that when you redirect the execution of an application using this Image File Execution Options key,
the program executed instead of notepad will have the name and path of the file that has been overtaken.
As an exercise, write a program CmdLine.exe that displays its arguments.
Now if you change the value of the string to c:\CmdLine.exe and run notepad, you will see:
arg 0 = c:\CmdLine.exe
arg 1 = C:\WINDOWS\system32\notepad.exe
The interesting part is that if you try to double-click on a .txt file, CmdLine.exe will display an additional argument
containing the path to the textfile!
arg 2 = C:\testfile.txt
Knowing the path to the text file, it is easy to open it and check for a value or modify something and give control back to
notepad with ShellExecute or CreateProcess providing the text file as argument.
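
An added example, not part of the answer above: a defender-side audit that reads the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and lists every image that has a redirect configured, plus a model of the argument list the answer describes. It assumes the string value is the one named `Debugger`; the function names are hypothetical and the sample output is constructed.

```python
import re

IFEO = r"\Image File Execution Options" + "\\"
# Value lines in `reg query` text output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

# Constructed sample of `reg query "<IFEO key>" /s` output (not from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\WINDOWS\system32\write.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe
    GlobalFlag    REG_DWORD    0x0
"""


def find_ifeo_debuggers(reg_query_text):
    """Return [(image_name, debugger_command)] for each IFEO subkey with a Debugger value."""
    findings = []
    image = None
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.rstrip()
            idx = key.lower().find(IFEO.lower())
            # The IFEO root key itself has no image name after it, so it is skipped.
            image = key[idx + len(IFEO):].split("\\")[0] if idx != -1 else None
            continue
        m = VALUE_RE.match(line)
        if m and image and m.group("name").lower() == "debugger":
            findings.append((image, m.group("data").strip()))
    return findings


def redirected_argv(debugger, image_path, args):
    """Model of the behaviour reported above: the substitute program receives the
    overtaken image's path as arg 1, followed by the original arguments."""
    return [debugger, image_path, *args]


if __name__ == "__main__":
    for image, debugger in find_ifeo_debuggers(SAMPLE):
        print(f"{image} is redirected to: {debugger}")
        argv = redirected_argv(debugger, "C:\\WINDOWS\\system32\\" + image, [r"C:\testfile.txt"])
        for i, arg in enumerate(argv):
            print(f"  arg {i} = {arg}")
```

In process-creation logs the same pattern shows up as a command line whose first argument is the full path of another executable, which is a useful thing to alert on alongside the registry check.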