Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Is it possible to set a cond breakpoint which checks the value of eax every time any ret occurs?

BenStanifordBenStaniford Member Posts: 16

I'm trying to debug a strange issue where a 3rd party piece of software fails to connect to a named pipe when our software is installed (our software can create security tokens). The software gets STATUS_ACCESS_DENIED when trying to attach to the pipe. The token we've provided is an admin token which looks almost identical to a normal admin token with the addition of one deny ACE. The DACLs on the named pipe appear to show that administrators can connect to it (and I have done so with our token and a test program despite the real software failing in NtCreateFile).

I initially thought that this STATUS_ACCESS_DENIED must be coming from SeAccessCheck or one of its new undocumented brothers like SeAccessCheckWithHint. However, I've investigated all the access checks which occur on the thread and found they all return TRUE despite NtCreateFile returning that status.

I'm now puzzled because I don't know any other functions that use STATUS_ACCESS_DENIED so I can't work out where it's coming from. I wondered if it was possible to simply trace every function call and break if any function returns that NTSTATUS. Is that possible in WinDBG?


  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,373

    Well, sort of. You can do "step out" to break when the current function returns. I guess you can start doing that when you get into the last access check.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • BenStanifordBenStaniford Member Posts: 16

    @Tim_Roberts Right, that's basically what I was doing to check the results of the access checks. Stepping out and then checking eax. I was just thinking that in theory, I could check the return code of all the functions in that particular code path automatically to work out the origin of the failure (assuming it actually gets returned rather than passed out as an argument). I guess it's not supported directly, but maybe I can come up with something in WinDBG/javascript or something.

  • Nathan_KiddNathan_Kidd Member - All Emails Posts: 25

    It looks like you could do your investigation from user mode, in which case windbg has this functionality built in with the wt command's -oR option.

    -oR (User mode only) Displays the return register values of the called function, in the appropriate type for each return value.

    0:007> bp USER32!GetWindowInfo
    0:007> g
    Breakpoint 0 hit
    00007fff`831205c0 48895c2418      mov     qword ptr [rsp+18h],rbx ss:0000008a`d8e7ee60=0000008ad8e7f320
    0:000> wt -l 3 -oR
    Tracing USER32!GetWindowInfo to return address 00007fff`7debcdde
      172     0 [  0] USER32!GetWindowInfo
       26     0 [  1]   USER32!GetSystemMetricsForDpi
       11     0 [  2]     ntdll!LdrpDispatchUserCallTarget
       13     0 [  2]     uxtheme!ThemeGetSystemMetricsForDpi
       11     0 [  3]       ntdll!LdrpDispatchUserCallTarget
       22     0 [  3]       USER32!RealGetSystemMetricsForDpi rax = 6
       17    33 [  2]     uxtheme!ThemeGetSystemMetricsForDpi = int 0n6
       39    61 [  1]   USER32!GetSystemMetricsForDpi rax = 6
      203   100 [  0] USER32!GetWindowInfo
        6     0 [  1]   USER32!_security_check_cookie rax = 1
      213   106 [  0] USER32!GetWindowInfo

    (P.S. This discussion better fits the forum.)

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,514

    Is the open making it to Npfs!NpFsdCreate?


Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 12 September 2022 Live, Online
Internals & Software Drivers 23 October 2022 Live, Online
Kernel Debugging 14 November 2022 Live, Online
Developing Minifilters 5 December 2022 Live, Online