Additional IEFO keys for Metro Apps

Posted on by

In my previous post I described how Metro Apps are hosted by wwahost.exe process which in turn leverages its IEFO (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wwahost.exe) key to store its additional execution configuration.

Looking closer at Procmon logs I noticed that the actual Metro App itself also leverages IEFO keys. I am not sure what the purpose of all of them is, but in some cases we can try to guess by looking at the names, and 2 of them were already described in my older posts.

  • IFEO\wwahost.exe
    • AllowTopLevelNavigation
    • BreakOnInitializeProcessFailure
    • CFGOptions
    • CustomUAActive
    • CWDIllegalInDLLSearch
    • DebugProcessHeapOnly
    • DelegatedNtdll
    • DeveloperAuthList
    • DisableByteCodeCache
    • disableCSP
    • DisableExceptionChainValidation
    • DisableHeapLookaside
    • DpiAwareness
    • EnabledTestHook
    • ExecuteOptions
    • FrontEndHeapDebugOptions
    • GdiScaling
    • GlobalFlag
    • KeepActivationContextsAlive
    • LogConsoleToDebugPort
    • MaxDeadActivationContexts
    • MaxLoaderThreads
    • MinimumStackCommitInBytes
    • PerProcessSystemDpi
    • RpcRuntimeConfigFlags
    • SearchPathMode
    • ShutdownFlags
    • TestEffectiveWebPlatformVersion
    • TracingFlags
    • TrackActivationContextReleases
    • UnloadEventTraceDepth
    • UseFilter
    • UseImpersonatedDeviceMap
    • WebInstanceUseAdapter
    • WindowsComponentEnabled
    • WWAInject
  • IFEO\wwahost.exe\4DF9E0F8.Netflix_6.81.325.0_x86__mcm4njqhnhss8!Netflix.App
    • DebugProcessHeapOnly
    • DisableHeapLookaside
    • FrontEndHeapDebugOptions
    • GlobalFlag
    • MaxLoaderThreads
    • ShutdownFlags
    • TracingFlags
    • UnloadEventTraceDepth
    • UseImpersonatedDeviceMap
  • IFEO\4df9e0f8.netflix
    • CustomUAActive
    • EnabledTestHook
    • LogConsoleToDebugPort
  • IFEO\WebView
    • AnyScriptNotify
  • IFEO\WebView\4df9e0f8.netflix
    • ExecutionMode