Techwiki:NtGlobalFlag
Among the functions involved in process creation is LdrQueryImageFileExecutionOptions, which keeps track of the IFEO (Image File Execution Options) structure. This structure is located in the registry under the path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
The various possible values are:
- Debugger
- DisableHeapLookaside
- ShutdownFlags
- MinimumStackCommitInBytes
- ExecuteOptions
- GlobalFlag
- DebugProcessHeapOnly
- ApplicationGoo
- RpcThreadPoolThrottle
GlobalFlag is used to modify NtGlobalFlag for processes of a specific image.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%SomeExeName%.exe]
"GlobalFlag"="FLG_*"
Here FLG_* stands for the integer value of the ORed global flags defined in include\ndk\pstypes.h and in include\psdk\winternl.h.
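When reviewing IFEO entries it helps to turn a stored GlobalFlag integer back into flag names. The following C program is an added example, not ReactOS code: it parses the text of a GlobalFlag value and decodes it, returning any bits it cannot name. The function names and sample inputs are constructed for illustration, the table is only a subset of the FLG_* bits, and the value is assumed to be written as a hexadecimal (0x...) or decimal integer.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Subset of the FLG_* bits (values as documented for Windows global flags). */
static const struct { uint32_t bit; const char *name; } flg_table[] = {
    { 0x00000001u, "FLG_STOP_ON_EXCEPTION" },
    { 0x00000010u, "FLG_HEAP_ENABLE_TAIL_CHECK" },
    { 0x00000020u, "FLG_HEAP_ENABLE_FREE_CHECK" },
    { 0x00000040u, "FLG_HEAP_VALIDATE_PARAMETERS" },
    { 0x00000100u, "FLG_APPLICATION_VERIFIER" },
    { 0x02000000u, "FLG_HEAP_PAGE_ALLOCS" },
};

/* Hypothetical helper: parse GlobalFlag text ("0x..." or decimal); 0 on success, -1 if invalid. */
int parse_global_flag(const char *text, uint32_t *out) {
    int hex = text[0] == '0' && (text[1] == 'x' || text[1] == 'X');
    char *end;
    if (!isxdigit((unsigned char)text[hex ? 2 : 0])) return -1; /* reject sign, blanks, empty */
    unsigned long long v = strtoull(text, &end, hex ? 16 : 10);
    if (*end != '\0' || v > 0xFFFFFFFFull) return -1;           /* trailing junk or > 32 bits */
    *out = (uint32_t)v;
    return 0;
}

/* Hypothetical helper: write "A | B" names into buf; return the bits flg_table does not name. */
uint32_t decode_global_flag(uint32_t flags, char *buf, size_t len) {
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flg_table / sizeof flg_table[0]; i++) {
        if (!(flags & flg_table[i].bit)) continue;
        size_t used = strlen(buf);
        snprintf(buf + used, len - used, "%s%s", used ? " | " : "", flg_table[i].name);
        flags &= ~flg_table[i].bit;
    }
    return flags;
}

int main(void) {
    const char *samples[] = { "0x70", "0x02000100", "FLG_*" }; /* constructed inputs */
    char names[256]; uint32_t value;
    for (size_t i = 0; i < 3; i++) {
        if (parse_global_flag(samples[i], &value) != 0) { puts("not an integer"); continue; }
        uint32_t rest = decode_global_flag(value, names, sizeof names);
        printf("%s = %s (unnamed bits 0x%08x)\n", samples[i], names, (unsigned)rest);
    }
    return 0;
}
```

A non-zero return from decode_global_flag means the value sets bits outside the subset table, so extend the table from the headers before drawing conclusions.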