I always forget about this. Viruses like to stuff hundreds of entries into
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
This is a very old hook that was put in to aid in debugging, but it can also be used to completely hijack a program. You add a subkey named after an executable, and then you add a string value named Debugger under it; the contents of that value are what gets launched to “debug” the program. If you point it at something that’s not a debugger but is always present, then your program won’t run. Malware tends to stuff this with svchost.exe. So if you had
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"
then you’d be unable to run any program named mbam.exe. This is a surprisingly effective technique, especially when you add an entry for “regedit.exe”, preventing the Regedit.exe editor from being used. Programmers can still use reg.exe on the command line; that seems to be immune to this interception technique. Or maybe the last time I saw this on a computer, the virus missed that loophole.
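A quick way to audit a machine for this is to export the Image File Execution Options key with reg.exe and scan the export for Debugger values. The script below is an added example (not from the original post): it parses the .reg text format shown above, lists every image name that has a Debugger set, and flags any whose debugger is not a known debugger binary. The sample export, the KNOWN_DEBUGGERS allowlist and the helper names are all assumptions made for the example.

```python
import re

# Constructed sample of what "reg export" of the IFEO key might look like (not real data).
# Real exports are typically UTF-16LE; read them with encoding="utf-16" before parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"DisableExceptionChainValidation"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows (x64)\\windbg.exe\""
'''

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\"[:-1]
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # only REG_SZ values; dword: lines don't match
# Assumed allowlist: binaries one would legitimately expect as an IFEO debugger.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe", "devenv.exe"}

def unescape_reg_string(s):
    """Undo .reg REG_SZ escaping: \\\\ -> \\ and \\" -> \" in a single left-to-right pass."""
    return re.sub(r'\\(["\\])', r'\1', s)

def find_ifeo_debuggers(reg_text):
    """Return [(image_name, debugger_command)] for every Debugger value directly under IFEO."""
    found, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None or not current_key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = current_key[len(IFEO_PREFIX):]
        m = VALUE_RE.match(line)
        if m and m.group(1).lower() == "debugger" and "\\" not in image:  # skip nested subkeys
            found.append((image, unescape_reg_string(m.group(2))))
    return found

def debugger_basename(command):
    """Basename of the first token of a Debugger command, honouring a quoted path."""
    command = command.strip()
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()

def suspicious_ifeo_entries(reg_text):
    """Entries whose Debugger is not a known debugger, e.g. the svchost.exe trick above."""
    return [(img, dbg) for img, dbg in find_ifeo_debuggers(reg_text)
            if debugger_basename(dbg) not in KNOWN_DEBUGGERS]

if __name__ == "__main__":
    for img, dbg in suspicious_ifeo_entries(SAMPLE_REG):
        print(f"suspicious IFEO Debugger for {img}: {dbg}")
```

On a real machine, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` instead of SAMPLE_REG.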
Note that there is still a semi-legitimate value to add to an entry in Image File Execution Options, and that is a REG_DWORD named DisableExceptionChainValidation. This is another hack that Microsoft added – if your program is crashing a lot, this gets set and makes things a little better. I forget why; I should look it up.