Don't use ntsd in this case. It is a limited way to debug the startup of user-mode processes. To debug the startup of a user-mode process (winlogon here) from the kernel-mode debugger, use the following steps:

- bcdedit /set halbreakpoint on

x86:
- ad /q ImageFileName; bp nt!PspInsertProcess "aS /ma ${/v:ImageFileName} @@c++(((nt!_EPROCESS *) @ecx)->ImageFileName); .block { .if ($spat(\"${ImageFileName}\", \"winlogon*\")) { } .else { gc } }"; g
- .process /r /p @ecx; eb @$peb+2 1; g
- .reload /user; bu winlogon!WinMain; g

x64:
- ad /q ImageFileName; bp nt!PspInsertProcess "aS /ma ${/v:ImageFileName} @@c++(((nt!_EPROCESS *) @rcx)->ImageFileName); .block { .if ($spat(\"${ImageFileName}\", \"winlogon*\")) { } .else { gc } }"; g
- .process /r /p @rcx; eb @$peb+2 1; g
- .reload /user; bu winlogon!WinMain; g

How it works: halbreakpoint makes the HAL break into the kernel debugger early in boot, so you are attached before winlogon is created. The breakpoint on nt!PspInsertProcess then fires for every new process; the aS /ma alias captures EPROCESS.ImageFileName of the process being inserted (first argument, @ecx on x86 / @rcx on x64), and gc resumes unless the name matches winlogon*. Once stopped, .process /r /p switches to the new process context and eb @$peb+2 1 sets the PEB's BeingDebugged byte, so ntdll raises its initial breakpoint during process initialization; at that break, user symbols are reloaded and a breakpoint set on winlogon!WinMain.

Enjoy!
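A parameterized version of the conditional breakpoint above, as an added example that is not part of the original post: a WinDbg script file run with $$>a< that takes the image-name pattern as an argument instead of hard-coding winlogon*. The path C:\scripts\break_on_process_start.wds is an assumption; the commands are the same ones used in the steps above, for an x64 target.

```windbg
$$ break_on_process_start.wds   (added example - the path and name are assumptions)
$$ Run from the kernel debugger against an x64 target with the pattern as argument:
$$     $$>a< C:\scripts\break_on_process_start.wds winlogon*
$$ The first argument is available as ${$arg1}.
$$ For an x86 target replace @rcx with @ecx (first argument of PspInsertProcess).

$$ Delete any stale alias quietly so the alias reference in the breakpoint
$$ command stays unexpanded when the bp line below is parsed.
ad /q ImageFileName

$$ Break on every process insertion. Capture EPROCESS.ImageFileName of the new
$$ process into the alias, then (inside .block, which re-expands aliases at hit
$$ time) stay stopped only when it matches the pattern and resume (gc) otherwise.
$$ EPROCESS.ImageFileName holds at most 15 characters, so the pattern must match
$$ the truncated name (e.g. SearchIndexer* for SearchIndexer.exe).
bp nt!PspInsertProcess "aS /ma ${/v:ImageFileName} @@c++(((nt!_EPROCESS *) @rcx)->ImageFileName); .block { .if ($spat(\"${ImageFileName}\", \"${$arg1}\")) { } .else { gc } }"

$$ Resume the target. The script ends at g and control returns on the first match,
$$ from where the remaining steps are typed as in the post:
$$     .process /r /p @rcx
$$     eb @$peb+2 1
$$     g
$$     .reload /user
$$     bu winlogon!WinMain
$$     g
g
```

Comments use $$ without semicolons on purpose: a $$ comment ends at the next semicolon, so the follow-up commands are listed one per line rather than as the semicolon-joined form in the post.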