kernel-mode breakpoint from user app?

Is there a way to trigger a kernel breakpoint/bugcheck from a user-mode
app? In my case I want to halt the system on an error code returned
from WriteFile.

TIA!

-Zach

Sure, dynamically load a driver that bugchecks on load. AFAIK, that’s
how OSR’s “Bang” utility works (with the added joy of the driver being
embedded as a resource, IIRC).

If you find some other way, report it as a bug.

Gray, Zachary C wrote:

> Is there a way to trigger a kernel breakpoint/bugcheck from a user-mode
> app? In my case I want to halt the system on an error code returned
> from WriteFile.
>
> TIA!
>
> -Zach


Ray
(If you want to reply to me off list, please remove “spamblock.” from my
email address)

Ray Trent wrote:

> Sure, dynamically load a driver that bugchecks on load. AFAIK, that’s
> how OSR’s “Bang” utility works (with the added joy of the driver being
> embedded as a resource, IIRC).
>
> If you find some other way, report it as a bug.

Well, if all he wants is to break into the debugger, he can insert an
int 3 or int 1 into his user-mode code. That will break into the
debugger, if it is attached.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

“Tim Roberts” wrote:

> Ray Trent wrote:
>> Sure, dynamically load a driver that bugchecks on load. AFAIK, that’s
>> how OSR’s “Bang” utility works (with the added joy of the driver being
>> embedded as a resource, IIRC).
>>
>> If you find some other way, report it as a bug.
>
> Well, if all he wants is to break into the debugger, he can insert an
> int 3 or int 1 into his user-mode code. That will break into the
> debugger, if it is attached.

Since he was asking about how to force a kernel stop after an error code
was reported, I was wondering what value he thought he would get from that?
Bottom line he isn’t going to have anything useful on why the error
occurred for most drivers. And given the nature of the kernel with all the
threads and asynchronous I/O I don’t see he will even have anything
predictable.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

Wow, a rush of comments!

I agree this should not be possible from user mode in a production
environment, but I wasn’t sure if there was a way to do it in a test/dev
environment… Kind of like disabling WFP, something the customer
shouldn’t do but a developer might.

A user-mode breakpoint is not what I am after, I want to halt the kernel
when a condition in a usermode app is met. I realize there is latency
and lack of precision due to the asynchronous nature of the OS, and I
don’t really want to debate the usefulness of this feature, I was just
wondering if someone knows of a way. Suffice to say it is not a driver
that I am debugging…

-Zach

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-270543-xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Monday, November 20, 2006 1:03 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] kernel-mode breakpoint from user app?

“Tim Roberts” wrote:
> Ray Trent wrote:
>> Sure, dynamically load a driver that bugchecks on load. AFAIK, that’s
>> how OSR’s “Bang” utility works (with the added joy of the driver being
>> embedded as a resource, IIRC).
>>
>> If you find some other way, report it as a bug.
>
> Well, if all he wants is to break into the debugger, he can insert an
> int 3 or int 1 into his user-mode code. That will break into the
> debugger, if it is attached.
>
Since he was asking about how to force a kernel stop after an error code
was reported, I was wondering what value he thought he would get from that?
Bottom line he isn’t going to have anything useful on why the error
occurred for most drivers. And given the nature of the kernel with all the
threads and asynchronous I/O I don’t see he will even have anything
predictable.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Disabling WFP has no effect but you can kill csrss process if you want BSOD.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Gray, Zachary C[SMTP:xxxxx@intel.com]
Reply To: Windows System Software Devs Interest List
Sent: Monday, November 20, 2006 11:13 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] kernel-mode breakpoint from user app?

Wow, a rush of comments!

I agree this should not be possible from user mode in a production
environment, but I wasn’t sure if there was a way to do it in a test/dev
environment… Kind of like disabling WFP, something the customer
shouldn’t do but a developer might.

A user-mode breakpoint is not what I am after, I want to halt the kernel
when a condition in a usermode app is met. I realize there is latency
and lack of precision due to the asynchronous nature of the OS, and I
don’t really want to debate the usefulness of this feature, I was just
wondering if someone knows of a way. Suffice to say it is not a driver
that I am debugging…

-Zach


DbgBreakPoint is exported by ntdll.dll and is now, I believe,
documented. If you have a kernel debugger hooked up this will break
into it.

As you can understand there aren’t a lot of supported methods for
crashing the kernel from user-mode. You can always trigger a system
shutdown, or perhaps just restart your service if you’re trying to
handle an error condition.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gray, Zachary C
Sent: Monday, November 20, 2006 2:13 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] kernel-mode breakpoint from user app?

Wow, a rush of comments!

I agree this should not be possible from user mode in a production
environment, but I wasn’t sure if there was a way to do it in a test/dev
environment… Kind of like disabling WFP, something the customer
shouldn’t do but a developer might.

A user-mode breakpoint is not what I am after, I want to halt the kernel
when a condition in a usermode app is met. I realize there is latency
and lack of precision due to the asynchronous nature of the OS, and I
don’t really want to debate the usefulness of this feature, I was just
wondering if someone knows of a way. Suffice to say it is not a driver
that I am debugging…

-Zach


A “.breakin” will get you from the user-mode breakpoint to the
kernel-mode breakpoint. And a “g” after that will get you back to the
user-mode breakpoint.

Niraj

-----Original Message-----
From: Michal Vodicka [mailto:xxxxx@upek.com]
Sent: Monday, November 20, 2006 3:04 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] kernel-mode breakpoint from user app?

Disabling WFP has no effect but you can kill csrss process if you want
BSOD.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

