Applies to:
Windows 7 and newer (will also work on older Windows versions)
Description:
This tutorial will help you locate debuggers configured under Image File Execution Options (IFEO) and remove them.
About Vulnerability:
This isn't necessarily a vulnerability. The intended purpose of the Debugger value is to start an application under a real debugger such as windbg.exe. Malware can take advantage of this capability to intercept the launch of the target process, so it's a good idea to check for these entries. On most users' computers you won't find any legitimate use of this key.
NOTES:
PROCEXP.EXE from SysInternals is a good example of a legitimate program that uses this feature.
The following script (also attached) finds every IFEO subkey named after an executable and reports whether it carries a Debugger property. Because the property may be there for legitimate reasons, the script does not remove it; instructions for removing the Debugger property are at the end.
To allow the script to run, the execution policy is set with:
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Unrestricted
The Script:
Code:
Function Get-EnabledDebuggers
{
    $debugRoot = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    $IFEOEntries = Get-ChildItem $debugRoot
    foreach ($entry in $IFEOEntries)
    {
        # Registry key names are case-insensitive; -like is too, so keys such as NOTEPAD.EXE are included
        if ($entry.PSChildName -like "*.exe")
        {
            # Convert the registry key name to a PowerShell drive path
            $executablePath = $entry.Name.Replace("HKEY_LOCAL_MACHINE", "HKLM:")
            $exeName = $entry.PSChildName
            # $null when the key has no Debugger value
            $debuggerValue = Get-ItemProperty -Path $executablePath -Name "Debugger" -ErrorAction SilentlyContinue
            if ($null -eq $debuggerValue)
            {
                Write-Host "No Debugger property found for [$exeName]" -ForegroundColor Green
            }
            elseif ($debuggerValue.Debugger -eq "")
            {
                Write-Host "Debugger property found but contains no value for [$exeName]" -ForegroundColor Yellow
            }
            else
            {
                Write-Host "Debugger property found and contains data for " -NoNewline
                Write-Host "[$exeName]" -ForegroundColor Red
                Write-Host "Debugger value: " -NoNewline
                Write-Host "$($debuggerValue.Debugger)" -ForegroundColor Red
                Write-Host "This could be a sign of malware as this can be used to intercept a process" -ForegroundColor Red
                Write-Host "Some good processes will do this such as procexp.exe from SysInternals if you replace task manager"
            }
        }
    }
}
Get-EnabledDebuggers
Execution:
- To run this script, copy the code or download the script (I've called mine Get-EnabledDebuggers.ps1)
- Open a PowerShell prompt by clicking Start and typing powershell
- Navigate to the directory containing the script with Set-Location "C:\PATH\TO\SCRIPT\DIRECTORY"
- Run the script: . .\Get-EnabledDebuggers
Debugger Removal:
In 99% of cases you can safely remove these entries.
- Click Start or press the Windows key
- Type regedit.exe
- Accept the UAC prompt if you have one
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Click on the key with the executable name
- On the right, select the 'Debugger' value and press Delete on the keyboard, or right-click it and select Delete
- No reboot is required
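As an added example (not the script from the post), the PowerShell below combines the detection and removal steps above: it emits one object per image that carries a Debugger value, records whether the configured debugger exists on disk and is Authenticode-signed, and removes a value only through ShouldProcess, so -WhatIf previews the change and a real run asks for confirmation. The function names Get-IfeoDebugger and Remove-IfeoDebugger are my own.

```powershell
# Added example, not the script from the post. Returns objects instead of coloured
# console text, so results can be filtered, exported (Export-Csv) and compared
# against a baseline taken from a known-clean machine.
function Get-IfeoDebugger {
    [CmdletBinding()]
    param()
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.PSObject.Properties['Debugger']) { continue }
        $debugger = [string]$props.Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }
        # The value is a command line; isolate the executable (quoted, or the first
        # token) so it can be checked on disk.
        $exe = if ($debugger.StartsWith('"')) { $debugger.Split('"')[1] } else { $debugger.Split(' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $status = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch, ...
        } else { 'FileMissing' }
        [PSCustomObject]@{
            Image      = $key.PSChildName
            Debugger   = $debugger
            Executable = $exe
            Signature  = $status
            KeyPath    = $key.PSPath
        }
    }
}

# Removes the Debugger value of an entry returned above. ConfirmImpact High means
# a real run prompts unless -Confirm:$false is given; -WhatIf only reports.
function Remove-IfeoDebugger {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$KeyPath
    )
    process {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Remove Debugger value')) {
            Remove-ItemProperty -Path $KeyPath -Name 'Debugger'
        }
    }
}

# Review everything first, then preview removal of entries whose debugger is not
# a validly signed file on disk. Drop -WhatIf only after checking each one.
Get-IfeoDebugger | Format-Table Image, Debugger, Signature -AutoSize
Get-IfeoDebugger | Where-Object { $_.Signature -ne 'Valid' } | Remove-IfeoDebugger -WhatIf
```

A Valid signature is a triage hint, not proof that the entry belongs there, so review each object before removing anything.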