Error in initializing process monitor module
After getting the driver in Part 3 of our blog to load and adding a DbgPrintEx statement in our hook, we managed to get all the paths that were being opened without crashing the machine. We got really excited thinking we were done. But as soon as we clicked on the Start Menu, we noticed things had gone awry – it wasn’t starting up at all, and when we launched Process Monitor from SysInternals, we could see ShellExperienceHost.exe crashing. We tried other applications, which ran fine but still, the machine was pretty much unusable.

As we were playing around, we noticed that another process that wasn’t working was the new Windows Calculator. So, we relaunched our IDA and WinDbg and went hunting for more bugs. We then launched it in the debugger, taking advantage of the fact that the WinDbg Preview on the Microsoft Store can now easily launch Application Packages (which is needed, since Calc.exe is now simply a launcher for the real Calculator.exe – which essentially just does a ShellExecute of calculator://). Unfortunately, as soon as the debugger “attached”, the process had already died. This is usually a sign of a loader issue – such as an import library not being present, failing to load, or missing some required import.

A really useful way to debug such issues is to enable “Loader Snaps”, which is a Windows debugging feature that leverages “Global Flags”. You can enable system-wide global flags (either kernel or user ones) as well as per-process global flags through a handy utility that ships with the Windows Debugging Tools, unoriginally also called Global Flags (Gflags.exe). These flags are set either in the kernel (nt!NtGlobalFlag – and recently, nt!NtGlobalFlag2) or in user-space, in the Process Environment Block (PEB) of every process, as Peb->NtGlobalFlag (or again, recently, Peb->NtGlobalFlag2 as well).

Loader snaps instruct the loader to print out short debugging messages (“snaps”) which trace all parts of the link-loading process: import resolution, DLL loading, manifest file parsing, SxS redirection, even down to calls of GetProcAddress. In the screenshot below, you can see how we enabled this debugging feature for Calculator.exe.
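As an added example (not code from the original post), the following PowerShell shows what enabling loader snaps for a single image actually does under the hood: it sets the FLG_SHOW_LDR_SNAPS bit (0x2) in the `GlobalFlag` value under that image’s Image File Execution Options key, which is the same registry write that `gflags /i <image> +sls` performs. The helper functions OR the bit in and mask it back out rather than overwriting the value, so any other per-image flags already set (heap checking, for instance) survive. The image name `Calculator.exe` is taken from the post; the function names are my own, and the script assumes an elevated PowerShell session.

```powershell
# Added example: toggle FLG_SHOW_LDR_SNAPS for one image via IFEO GlobalFlag.
# Equivalent to "gflags /i <image> +sls" / "gflags /i <image> -sls".
# Must run elevated; HKLM writes fail otherwise.

$FLG_SHOW_LDR_SNAPS = 0x00000002   # "Show loader snaps" Global Flag bit
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-ImageGlobalFlag {
    # Returns the current per-image GlobalFlag as an unsigned 32-bit value (0 if unset).
    param([Parameter(Mandatory)][string]$ImageName)
    $key  = Join-Path $IfeoRoot $ImageName
    $item = Get-ItemProperty -Path $key -Name GlobalFlag -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    # REG_DWORD comes back as a signed int; mask to avoid a cast error when bit 31 is set.
    return [uint32]($item.GlobalFlag -band 0xFFFFFFFF)
}

function Enable-LoaderSnaps {
    # OR the bit in so other per-image flags are preserved. Returns the new value.
    param([Parameter(Mandatory)][string]$ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $new = (Get-ImageGlobalFlag $ImageName) -bor $FLG_SHOW_LDR_SNAPS
    Set-ItemProperty -Path $key -Name GlobalFlag -Value ([int]$new) -Type DWord
    return $new
}

function Disable-LoaderSnaps {
    # Clear only our bit; remove the value entirely if nothing else remains,
    # so we leave the key the way we found it.
    param([Parameter(Mandatory)][string]$ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path $key)) { return [uint32]0 }
    $new = (Get-ImageGlobalFlag $ImageName) -band (-bnot $FLG_SHOW_LDR_SNAPS)
    if ($new -eq 0) {
        Remove-ItemProperty -Path $key -Name GlobalFlag -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $key -Name GlobalFlag -Value ([int]$new) -Type DWord
    }
    return $new
}

# Usage: enable, launch the image under WinDbg to read the snaps, then disable.
Enable-LoaderSnaps -ImageName 'Calculator.exe' | Out-Null
'GlobalFlag for Calculator.exe is now 0x{0:x8}' -f (Get-ImageGlobalFlag 'Calculator.exe')
# ... debug session here ...
Disable-LoaderSnaps -ImageName 'Calculator.exe' | Out-Null
```

The per-image value written here is picked up when the process is created and ends up in that process’s Peb->NtGlobalFlag, which is why the snaps only appear for the named image and not system-wide. The snap text is emitted as debugger output, so the process must be started under (or attached to) a debugger such as WinDbg for it to be visible; in the post’s case that is why Calculator.exe was launched from WinDbg Preview rather than from the Start Menu. Remember to clear the flag afterwards: a stale IFEO entry keeps affecting every later launch of that image.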