By registering with us, you'll be able to discuss, share and private message with other members of our community.

SignUp Now!

Windows 10 Windows Hardening Guide: Locating and Removing Debuggers

  • Thread Author
Applies to:
Windows 7 and newer *(will work on older Windows versions)

This tutorial will help you locate configured debuggers and remove them

About Vulnerability:
This isn't necessarily a vulnerability. The intended purpose is for debugging applications by redirecting to a real debugger such as windbg.exe. Malware can take advantage of this capability, so it's a good idea to check for them. On most users computers you won't find any legitimate use of this key.

PROCEXP.EXE from SysInternals is a good example of a legitimate program that uses this feature.

The following script (also attached) can find all processes that contain the debugger key. Due to the possibility that the key may be there for legitimate reasons, the script will not remove the property. There are instructions at the end for removing the debugger property
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Unrestricted

The Script:
Function Get-EnabledDebuggers
    $debugRoot = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

    $IFEOEntries = Get-ChildItem $debugRoot

    foreach($entry in $IFEOEntries)
            # Convert to powershell path
            $executablePath = $entry.Name.Replace("HKEY_LOCAL_MACHINE","HKLM:")

            $debuggerValue = $null
            $exeName = $executablePath.Substring($executablePath.LastIndexOf('\')+1)
            $debuggerValue = Get-ItemProperty -Path $executablePath -Name "Debugger" -ErrorAction SilentlyContinue

            if($debuggerValue -eq $null)
                Write-Host "No Debugger property found for [$exeName]" -ForegroundColor Green
            elseif ($debuggerValue.Debugger -eq "")
                Write-Host "Debugger property found but contains no value for [$exeName]" -ForegroundColor Yellow
                Write-Host "Debugger property found and contains data for " -NoNewline
                Write-Host "[$exeName]" -ForegroundColor Red
                Write-Host "Debugger value: " -NoNewline
                Write-Host "$($debuggerValue.Debugger)" -ForegroundColor Red
                Write-Host "This could be a sign of malware as this can be used to intercept a process" -ForegroundColor Red
                Write-Host "Some good processes will do this such as procexp.exe from SysInternals if you replace task manager"



  • To run this script copy the code or download the script (I've called mine Get-EnabledDebuggers.ps1)
  • Open a powershell prompt by clicking start and typing powershell
  • Navigate to the directory the script with Set-Location "C:\PATH\TO\SCRIPT\DIRECTORY"
  • Run the script . .\Get-EnabledDebuggers
Sample output you may see

Debugger Removal:
In 99% of cases you can safely remove these
  • Click Start or press the Windows key
  • Type regedit.exe
  • Accept the UAC prompt if you have one
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • Click on the key with the executable name
  • On the right select the 'Debugger' property and press delete on the keyboard or right click and select delete
  • No reboot is required


  • Get-EnabledDebuggers.zip
    814 bytes · Views: 430