Dana Epp posted an interesting article about using the Image File Execution Options key in the Windows registry to redirect process loading:
By simply mapping the executable name to a different debugger source, you can actually load something else entirely.
Let me give you a proof of concept:
- Start the Registry Editor: Click Start, click Run, and then type regedt32.
- Locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
- To this hive, add the SOURCE exe as a key. Let's use notepad.exe (right-click and select New, then Key; add the key and name it notepad.exe)
- To the notepad.exe key, add a new REG_SZ (string) value called Debugger, and point it to c:\windows\system32\cmd.exe
- Start up notepad (Click Start, click Run, and then type notepad)
- Notice that a new cmd window opened instead [more in Dana's blog entry]
BTW, Mark Russinovich's Process Explorer uses this technique to replace the default Task Manager (check your HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe key)
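Because a Debugger value under that key silently swaps in another program for any image name, it is worth auditing. The following Python script is an added example (not from Dana's article or this post): it parses a regedit export of the Image File Execution Options key, collects every Debugger value, and flags those that differ from a baseline of deliberate redirections such as the Process Explorer one. The sample export and the procexp.exe path are constructed for the example.

```python
"""Audit a regedit (.reg) export of the IFEO key for Debugger redirections."""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Redirections set up on purpose (image name -> expected debugger path).
# The Process Explorer path here is an assumption; use your own baseline.
ALLOWLIST = {"taskmgr.exe": r"c:\tools\procexp.exe"}

# Constructed sample export in .reg format (not from a real machine).
# Inside .reg string values a backslash is written as "\\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="c:\\tools\\procexp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="c:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
'''


def unescape(value):
    """Undo .reg string escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_ifeo(reg_text):
    """Return {image_name: debugger_path} for IFEO subkeys that carry a Debugger value."""
    found, current = {}, None
    for line in reg_text.splitlines():
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            path = key.group(1)
            current = None
            if path.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                current = path[len(IFEO_PREFIX) + 1:].lower()
            continue
        val = re.match(r'^"Debugger"="(.*)"$', line, re.IGNORECASE)
        if val and current:
            found[current] = unescape(val.group(1))
    return found


def audit(reg_text, allowlist=ALLOWLIST):
    """Return the image names whose Debugger value is not the baselined one."""
    return sorted(img for img, dbg in parse_ifeo(reg_text).items()
                  if allowlist.get(img, "").lower() != dbg.lower())


if __name__ == "__main__":
    hits = parse_ifeo(SAMPLE_REG)
    for img in audit(SAMPLE_REG):
        print(f"unexpected IFEO Debugger: {img} -> {hits[img]}")
```

To run it against a real system, export the key with `reg export` and pass the file contents to `audit` instead of `SAMPLE_REG`.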