IFEO Tool - Block malicious EXEs from running in your machine

cndps (Member), May 25, 2019
IFEO Tool is a simple batch file that adds or removes registry keys from Image File Execution Options (IFEO). This tool was developed to make the process of blocking unknown trojans, viruses or worms easier, by simply adding the EXE to the IFEO list with a dummy file execution.

The problem!
A user is using the computer and notices an increase in CPU usage, or suddenly the computer starts running slowly. The logical step for the user is to view the Task Manager or Process Explorer and find which processes are causing this. The user then tries to close them, but they keep re-opening or simply don't close, and the user's antivirus does nothing.

The solution!
Execute the IFEO Tool batch file with admin privileges, write the process name + extension and restart the computer. After the reboot, go to the EXE location and delete it.

Limitation
It isn't possible to block EXEs with similar names to system files (for example: svchost.exe). Doing this will lock the computer and will require a rollback or reinstallation of Windows.

Download:

Source code:
@echo off
@title IFEO Tool

rem The tool writes under HKLM, so refuse to run without admin rights.
net session >nul 2>&1
if errorlevel 1 (
    echo This program requires admin privileges. Right-click the file and choose "Run as administrator".
    pause
    exit /b 1
)

:start
call :banner
echo (1) Add registry key                                .
echo (2) Remove registry key                             .
echo .....................................................
set "choice="
set /p choice=Choose what you like to do (1/2) : 
if "%choice%"=="1" goto add
if "%choice%"=="2" goto remove
cls
goto start

:add
cls
call :banner
call :askexe || goto start
rem Windows starts the Debugger program instead of the EXE. ntsd.exe is not
rem shipped with current Windows versions, so the launch fails and the EXE never runs.
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%id1%" /v Debugger /t REG_SZ /d "ntsd -d" /f
pause
cls
goto start

:remove
cls
call :banner
call :askexe || goto start
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%id1%" /f
pause
cls
goto start

:banner
echo .....................................................
echo .                   IFEO Tool                       .
echo .                                                   .
echo .      Block EXEs from running in the machine       .
echo .                                                   .
echo .  (This program requires admin privileges to run)  .
echo .....................................................
goto :eof

:askexe
rem Ask for the file name. An empty name would put the Debugger value on the
rem IFEO root key itself and affect every program, so refuse it.
set "id1="
set /p id1="Write EXE (name + extension): "
if not defined id1 (
    echo No EXE name entered - nothing changed.
    pause
    cls
    exit /b 1
)
exit /b 0
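The tool above only ever adds or removes one name at a time; what an administrator also wants is a way to see which IFEO entries currently carry a Debugger value, since the same key is a known place for unwanted software to redirect programs. The following PowerShell script is an added example, not part of the IFEO Tool, and assumes nothing beyond the registry path the tool itself writes to and the standard `Get-ChildItem`, `Get-ItemProperty` and `Get-Command` cmdlets. It is read-only.

```powershell
# Added example (not part of the IFEO Tool): list every IFEO entry that carries a
# Debugger value, whether it was written by the tool or by something else.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# A Debugger value on the root key itself (which the tool would write if given an
# empty name) applies to every program, so check that first.
$rootDebugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($rootDebugger) {
    Write-Warning "Debugger value set on the IFEO root key: $rootDebugger"
}

Get-ChildItem -Path $ifeo | ForEach-Object {
    $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        # The first token of the value is the program Windows starts in place of the
        # image; honour a quoted path, then test whether that program can be found.
        if ($debugger -match '^\s*"([^"]+)"') {
            $program = $Matches[1]
        } else {
            $program = ($debugger.Trim() -split '\s+')[0]
        }
        $found = $false
        if ($program) {
            $found = [bool](Get-Command -Name $program -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{
            Image         = $_.PSChildName
            Debugger      = $debugger
            DebuggerFound = $found   # $false: launching Image fails, which is the tool's blocking effect
        }
    }
} | Sort-Object Image | Format-Table -AutoSize
```

Entries added by the tool show up with `Debugger = ntsd -d` and `DebuggerFound = False`. An entry whose debugger does exist but is not a debugger you installed deserves a closer look, and a warning about the root key means something has been blocking every program launch and should be removed with the tool's option 2 (leaving the name empty is refused there, so use `reg delete ... /v Debugger` on the root key by hand).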

DVDR_Dog (Well-Known Member, Donator), Nov 5, 2018
Good idea, but as we all know, those clever virus/adware/spyware folks tend to do everything in their power to mimic Windows processes to prevent just what you suggest, and that is the program's limitation. Just shutting off a process without knowing its dependencies is asking for big trouble IMO.
Autoruns, a nifty freeware program from Mark Russinovich, does a pretty good job of mapping out what's going on and their dependencies. Just do a search for it and download it from a reputable site. That way you always get the latest version as opposed to me posting a D/L link. It's also available from the portable apps site and runs off a USB stick.