Discussion:
How to debug a native Windows application
Sorin Rusu
2006-05-23 13:45:02 UTC
Hello,
How am I supposed to debug a native Windows application launched by
CSRSS.EXE during the Windows startup process?

I copied my application to C:\windows\system32 and I changed the
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute value from
"Autocheck Autochk *" to "myapp Autocheck Autochk *".
The application works fine but I don't know how to debug it. (I tried with
windbg in kernel mode but I didn't manage to 'catch' it.)

Thanks,
Sorin
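
A defender-side check for the BootExecute change described in the post above, as an added example that is not part of the original thread: it lists every command in the value other than the stock entry. The function names and the sample data are constructed for illustration, and treating a one-line value like the one quoted in the post as "added command followed by the stock entry" is an assumption.

```python
import sys

KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "BootExecute"
DEFAULT_ENTRY = "autocheck autochk *"  # stock data, as quoted in the post

def normalize(entry):
    # The post writes the stock entry in mixed case: compare case-insensitively.
    return " ".join(entry.split()).lower()

def audit(entries):
    """Return (extra_commands, default_present) for the value's strings."""
    extra, default_present = [], False
    for raw in entries:
        norm = normalize(raw)
        if not norm:
            continue
        if norm == DEFAULT_ENTRY:
            default_present = True
        elif norm.endswith(" " + DEFAULT_ENTRY):
            # Assumption: one-line form, added command then the stock entry.
            default_present = True
            extra.append(" ".join(raw.split()[:-3]))
        else:
            extra.append(" ".join(raw.split()))
    return extra, default_present

def report(entries):
    extra, default_present = audit(entries)
    lines = [f"extra boot-time command: {e!r}" for e in extra]
    if not default_present:
        lines.append("stock 'autocheck autochk *' entry is missing")
    return lines or ["BootExecute holds only the stock entry"]

def read_live():
    """Read the live value; works only on Windows."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        data, kind = winreg.QueryValueEx(key, VALUE_NAME)
    return data if kind == winreg.REG_MULTI_SZ else [str(data)]

if __name__ == "__main__":
    # Constructed sample used off Windows: the modified value from the post.
    sample = ["myapp", "autocheck autochk *"]
    entries = read_live() if sys.platform == "win32" else sample
    print("\n".join(report(entries)))
```
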
Drew Bliss [MSFT]
2006-05-23 19:57:00 UTC
Debugging from a kernel debugger is in some ways the simplest thing to do.
You can set a breakpoint on nt!NtCreateProcess* to watch for processes
getting created, after which you can try and get control of yours. As
you're in control of your app a simpler option is to have your app make a
system call at startup. You can then set a breakpoint on the kernel side of
the system routine to break when your app calls it. The more unique a
system call you pick the fewer hits you get to wade through.
Pavel Lebedinsky [MSFT]
2006-05-24 11:21:39 UTC
I think you should also be able to do something like this:

request initial breakpoint (Ctrl+K in kd)
.reboot
!gflag +ksl
sxe ld yourapp.exe
g

This should break in when your native app is started by smss.
--
This posting is provided "AS IS" with no warranties, and confers no
rights.