Category Archives: Windows

Windbg Cookbook: Attach to a PPL Process from UM

Posted on June 9, 2023 by snowkoan

Debugging PPL processes is quite possible even without attaching a kernel debugger. My favorite post on the subject is here. This is just a quick recipe for cases where you have a kernel debugger attached and you want to debug … Continue reading →

Posted in Windbg, Windows | Leave a comment

Creating a process without starting it

Posted on May 19, 2023 by snowkoan

I looked at a case today where our process was not starting for some reason. It had one thread and the thread stack looked very much like this: The thread is clearly suspended. My first thought was that someone manually … Continue reading →

Posted in Debugging, Windbg, Windows | Leave a comment

Compiler:1, Filter Verifier:0 –OR– Why Your Mother Told You that Stackwalking is Dangerous

Posted on January 27, 2023 by snowkoan

Update: I reported this to the Filter Manager team at Microsoft. Of course, they already knew about it but maybe my report tipped the scales, because it is now documented on the Filter Verifier page. One of our excellent testers … Continue reading →

Posted in Debugging, Kernel, Windows | Leave a comment

Decoding Kernel ETLs More Easily!

Posted on July 30, 2021 by snowkoan

I’ve been using WPP tracing in the kernel for many years. On the upside, WPP tracing uses a mechanism which is super fast and space efficient. On the downside, the output is in a binary format and it’s cumbersome to … Continue reading →

Posted in Debugging, TipsAndTricks, Windows | Tagged ETL, WPP | 2 Comments

File ID Cheat Sheet

Posted on September 22, 2020 by snowkoan

The Problem With Filenames (Summary) In recent years, identifying a file by a filename has become less and less attractive. Here’s an incomplete list of problems. Problem Comments Per-folder case sensitivity New in Windows 10 1803/RS4, on NTFS and NTFS … Continue reading →

Posted in Cheatsheet, File System, Windows | 2 Comments

Re-Purposing the Calculator Button on my Keyboard

Posted on August 28, 2019 by snowkoan

When I was your age, keyboards didn’t have any of these fancy buttons for calculators and searches and such. Not a chance. If I wanted to calculate something, I launched mspaint and did the calculation by hand in a text … Continue reading →

Posted in TipsAndTricks, Windows | Leave a comment

Oplock Cheat Sheet

Posted on April 16, 2019 by snowkoan

I am happy to say that I deal with oplock issues very rarely. The one problem with this is that I forget the subtleties of oplocks without fail. Here’s a cheat sheet, with the warning that I am not an … Continue reading →

Posted in Cheatsheet, File System, Windows | Leave a comment

Tracking Down a FILE_OBJECT leak

Posted on February 6, 2019 by snowkoan

I recently looked at an an issue where a kernel component was leaking FILE_OBJECTs. The handle count on the objects was zero but they all had outstanding references keeping them open. Note: This is not new territory but I had … Continue reading →

Posted in Debugging, File System, GFlags, Windbg, Windows | 1 Comment

64-bit HANDLEs can be truncated to 32-bits

Posted on February 2, 2019 by snowkoan

I came across this bit of code thanks to a compiler warning (obviously, error checking has been removed): HANDLE handle = CreateFileW(…) INT lzHandle = LzInit((INT) handle); On 64-bit Windows, this results in a truncation of ‘handle’, but it turns … Continue reading →

Posted in SDL, Windows | Leave a comment

IO_IGNORE_SHARE_ACCESS_CHECK

Posted on April 9, 2018 by snowkoan

Update (May 2019) The documentation for FltCreateFileEx2 has been updated to be less ambiguous. Thanks MS! Options flags Meaning IO_IGNORE_SHARE_ACCESS_CHECK Indicates that the I/O manager should not perform share-access checks on the file object after it is created. However, the … Continue reading →

Posted in File System, Reversing, Windows | Leave a comment