A tip, and a couple of questions

The tip first:
I want to display the contents of memory referenced by a local pointer
variable. Since the pointer is changing frequently, its far easier to deref
the pointer in the memory window than to copy the address and paste it into
the offset. If I paste the name of the pointer variable into the offset, I
get the contents of the local, which is the address of the memory I want to
see. It doesn’t get deref’d. So to deref the pointer, I used
poi(pVariable), and it worked. Cool! Caused a bazillion “Unable to verify
Timestamp” warnings, though.

Now the questions:
Is it possible to use WinDBG to trap system call exceptions? As an example,
I would like to trace into ZwCreateFile() to find out why I am unable to
open a file, no matter what combination of parameters I give it. I think it
may be an issue of not giving it a path it understands at a very early point
in the boot process, but I don’t know that until I can step through it, and
maybe not even then. ZwCreateFile() stuffs 0x20 into EAX, then loads a
pointer to the top of the stack into EDX, and then executes int 2E. So I
tried adding Exception 0x2E and Exception 46 to the event filters, but it
doesn’t do any good. When I try to trace into the exception handler, I end
up back at the routine that called ZwCreateFile. Any suggestions?

For those subscribed to the WinDBG list also, I apologize for posting the
following question on that list. I meant to post it only to ntdev.
FatFingers strikes again!

In case you were thinking to address the ZwCreateFile issue directly, I
welcome anyone’s suggestions, but here’s the situation: My driver is the
boot ATAPI driver, replacing atapi.sys, and I am trying to open a file from
the disk during initialization, which is the only time I am ever called at
any IRQL < DIRQL. So the runtime file system isn’t initialized yet, because
it is waiting for my driver to startup properly. I don’t know whether
ZwCreateFile will use the startup file loader or not, so I am trying
different forms of the file name, even tried Arc format several different
ways, without any success whatsoever. The error codes do change, so if I
pass known bogus parameters, I get error codes appropriate to the bad
parameter. But never does it actually succeed. I’m not sure it can, but I
would like to investigate further before I conclude that.

Thanks,

Phil

* Philip D. Barila | (503) 264-8386
* Intel Corp. | M/S JF2-53 Office JF2-2-G6
* Storage Architecture and Performance
* Internet Systems Lab


You are currently subscribed to windbg as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-windbg-$subst(‘Recip.MemberIDChar’)@lists.osr.com