Windows IFEO, GWX, Nirvana, and more

Updated: June 16, 2016

This article has a rather convoluted storyline, so bear with me. An anonymous source closely intimate with Microsoft products emailed me with a very interesting piece of information, tapping into the special ninja powers of Image File Execution Options (IFEO) and Windows debugger. To what end, you may ask? The GWX nonsense.

So, in a manner very similar to my article on WMIC, yet another highly overlooked and ultra-powered capability present in Windows since the olden days, let me show you how you can use IFEO to kick ass while using your operating system, even if programs are trying to misbehave.

Background story

Anyhow, Windows comes with a neat feature called Image File Execution Options. Nothing new, we're talking early 2000s, if not earlier. Reflected through registry keys, IFEO lets you run programs with, let's call them debug options, for the purpose of development, troubleshooting, debugging, and such.

You may say, why do I need this, when I can use flags, switches and options already available for the particular executable? But then, what if you want to use things that the compiled object does not provide? Because this may be a little difficult to understand, let's take a look at an example. Back up your stuff first!

Take two innocent programs like Notepad (notepad.exe) and IrfanView (i_view32.exe). A text editor and an image viewer. Let's create an entry for Notepad under IFEO in the registry, and then set a Debugger value that invokes IrfanView. Start regedit, and then navigate to:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Registry, IFEO

In the left pane, you will notice tons of programs, some of which may look familiar. Create a new key and name it notepad.exe. This is just for the sake of our exercise, and we will later delete it. Select notepad.exe, then in the right pane, create a new value. Name it Debugger. It should be a regular string (REG_SZ). Then, edit its data and type: i_view32.exe. The final result should look something like the screenshots below.

Irfanview as debugger for Notepad

Notepad reg key ready

Practically, what this will do is launch Notepad, and then hand over to IrfanView. From a logical perspective, this makes no sense, but it allows you to break the execution of a program and divert it elsewhere.

Debugger working

Enter GWX

Remember all that Windows 10 prompt thingie? If you do not want that, you can uninstall the KB, you can neuter its execution as I've shown you in my original guide, or you can use the Debugger method. To wit, you can try something like this, from an elevated prompt as you need to write to registry:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gwx.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe /c exit 0"

What do we have here? We are adding a new registry key called gwx.exe under:

HKLM\SOFTWARE\Microsoft\<...>\Image File Execution Options\

Any executable with the name GWX.EXE will be trapped this way. Then, we create a value called Debugger of a regular string type, and set its data to be the Windows CMD, which just runs and exits with the exit status 0. In the programming world, exit status 0 means everything is fine.

In other words, any gwx.exe executable, when started, will just run the command line - a shell, and exit without doing anything. This is pure debugging if you will, and you are not limited in any way in how you set up IFEO, what executables you use as a source and what as your target. Bob's your uncle. Practically, this makes GWX into a dummy, like any program that merely starts a shell and then promptly exits.

Using IFEO, you can then work around file ownership and permissions problems that you may or may not encounter, as outlined in my guide for getting rid of GWX. Last but not least, this is an extremely powerful feature, and if misused, you could end up nicely bricking your Windows. You have been warned!
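
Because a Debugger value silently changes what runs when an image name is started (Windows launches the Debugger command with the original command line appended), it pays to review what is set and to clean up the Notepad exercise. The PowerShell below is an added example, not part of the original article: it lists every IFEO entry that carries a Debugger value and then removes only that value from the notepad.exe test key. The function name Get-IfeoDebugger is hypothetical, and the WOW6432Node path is included on the assumption of 64-bit Windows.

```powershell
# Added example: audit IFEO Debugger redirections, then undo the Notepad test.
# Get-IfeoDebugger is a hypothetical helper name. Removal needs an elevated session.
# First root is the native view; second is the 32-bit view on 64-bit Windows.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # GetValue returns the supplied default ($null) when the value is absent.
            $debugger = $key.GetValue('Debugger', $null)
            if ($null -ne $debugger) {
                [pscustomobject]@{
                    Image    = $key.PSChildName   # e.g. notepad.exe, gwx.exe
                    Debugger = $debugger          # command that runs instead
                    Key      = $key.Name          # full registry path
                }
            }
        }
    }
}

# Review everything that is currently redirected.
Get-IfeoDebugger | Format-Table -AutoSize -Wrap

# Undo the Notepad exercise. Only the Debugger value is removed, so any other
# settings stored under the same key are left alone.
$notepad = Join-Path $IfeoRoots[0] 'notepad.exe'
if (Test-Path -LiteralPath $notepad) {
    if ($null -ne (Get-Item -LiteralPath $notepad).GetValue('Debugger', $null)) {
        Remove-ItemProperty -LiteralPath $notepad -Name Debugger
    }
}
```

The same Remove-ItemProperty call with gwx.exe in place of notepad.exe reverses the GWX workaround.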

More reading

Some useful articles on this topic:

Image File Execution Options by Junfeng Zhang

Image File Execution Options by Mithun Shanbhag

An Introduction to Image File Execution Options

Beware the Image File Execution Options key

Conclusion

There's beauty in how Microsoft sometimes does things, and I am really impressed by the freedom and power they've given the debugger side of life, the dark side of life. But like any tool, it can be used to wreak havoc or render good. In our case, we merely want a simple, elegant way to remove the Windows 10 upgrade prompt. This lets us do that with the minimum of fussing.

Now, this is not a solution, more of a workaround. If there's another GWX-alike process, it won't be trapped this way. It still keeps all the files in place, and the scheduled tasks, and it's more of an acknowledgment and neutralization of a problem than a complete removal from your system. However, it does open a whole new world of freedom and flexibility. As always, I would strongly advise you use system imaging and backups and never tamper unless you're fully confident with the registry and the implications of your work. Hopefully, you've learned something really valuable and useful today. Happy Internetting.

Cheers.