Windows 10 Windows Hardening Guide: Locating and Removing Debuggers

  • Thread Author
Applies to:
Windows 7 and newer *(will work on older Windows versions)

Description:
This tutorial will help you locate configured debuggers and remove them

About Vulnerability:
This isn't necessarily a vulnerability. The intended purpose is for debugging applications by redirecting to a real debugger such as windbg.exe. Malware can take advantage of this capability, so it's a good idea to check for them. On most users computers you won't find any legitimate use of this key.

NOTES:
PROCEXP.EXE from SysInternals is a good example of a legitimate program that uses this feature.

The following script (also attached) can find all processes that contain the debugger key. Due to the possibility that the key may be there for legitimate reasons, the script will not remove the property. There are instructions at the end for removing the debugger property
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Unrestricted

The Script:
Code: 
Function Get-EnabledDebuggers
{
    $debugRoot = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

    $IFEOEntries = Get-ChildItem $debugRoot

    foreach($entry in $IFEOEntries)
    {
        if($entry.Name.Contains(".exe"))
        {
            # Convert to powershell path
            $executablePath = $entry.Name.Replace("HKEY_LOCAL_MACHINE","HKLM:")

            $debuggerValue = $null
            $exeName = $executablePath.Substring($executablePath.LastIndexOf('\')+1)
            $debuggerValue = Get-ItemProperty -Path $executablePath -Name "Debugger" -ErrorAction SilentlyContinue

            if($debuggerValue -eq $null)
            {
                Write-Host "No Debugger property found for [$exeName]" -ForegroundColor Green
            }
            elseif ($debuggerValue.Debugger -eq "")
            {
                Write-Host "Debugger property found but contains no value for [$exeName]" -ForegroundColor Yellow
            }
            else
            {
                Write-Host "Debugger property found and contains data for " -NoNewline
                Write-Host "[$exeName]" -ForegroundColor Red
                Write-Host "Debugger value: " -NoNewline
                Write-Host "$($debuggerValue.Debugger)" -ForegroundColor Red
                Write-Host "This could be a sign of malware as this can be used to intercept a process" -ForegroundColor Red
                Write-Host "Some good processes will do this such as procexp.exe from SysInternals if you replace task manager"
            }
        }
    }
}

Get-EnabledDebuggers

Execution:
  • To run this script copy the code or download the script (I've called mine Get-EnabledDebuggers.ps1)
  • Open a powershell prompt by clicking start and typing powershell
  • Navigate to the directory the script with Set-Location "C:\PATH\TO\SCRIPT\DIRECTORY"
  • Run the script . .\Get-EnabledDebuggers
Sample output you may see


Debugger Removal:
In 99% of cases you can safely remove these
  • Click Start or press the Windows key
  • Type regedit.exe
  • Accept the UAC prompt if you have one
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • Click on the key with the executable name
  • On the right select the 'Debugger' property and press delete on the keyboard or right click and select delete
  • No reboot is required
 

Attachments

Last edited by a moderator:
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
Shai-Hulud 2.0: Urgent Secrets Rotation and CI Hardening Guide
Replies
0
Views
42
ChatGPT
  • Article Article
Windows Hardening: Disable 5 Features to Cut Attack Surface
Replies
0
Views
184
ChatGPT
  • Article Article
Windows 10 Windows Hardening Guide: Finding and fixing unquoted services
Replies
3
Views
6K
Josephur
  • Article Article
Windows 10 Windows Hardening Guide: Securing the LSASS process
Replies
0
Views
7K
Neemobeer