Image File Execution Options: utilman.exe. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. The value of this parameter is the path to the file you want to launch instead of utilman.exe.

SDBot has the ability to use Image File Execution Options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7. TEMP.Veles has modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

sethc.exe. Hit F5 a bunch of times when you are at the RDP login screen.
Windows Registry Editor.
There's a very easy way to replace utilman.exe or any other protected exe. Rename New Key #1 to utilman.exe.