Image File Execution Options
There is a well-known (or not so well-known, depending on what you do) feature in NT-family systems called “Image File Execution Options”.
It is really a key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Create a subkey named after your executable, without the path (e.g. notepad.exe). When your application starts, the OS looks for specific registry values under that key and acts accordingly.
A Regmon (https://www.sysinternals.com/ntw2k/source/regmon.shtml) trace of a helloworld app shows that the following registry values are queried:
Debugger,
DisableHeapLookaside,
ShutdownFlags,
MinimumStackCommitInBytes,
ExecuteOptions,
GlobalFlag,
DebugProcessHeapOnly,
ApplicationGoo,
RpcThreadPoolThrottle,
“Debugger” is discussed in many articles, like this one https://support.microsoft.com/default.aspx?kbid=238788. It is a way to automatically launch a debugger when an application starts.
“DisableHeapLookaside” is discussed here https://support.microsoft.com/default.aspx?scid=https://support.microsoft.com:80/support/kb/articles/Q195/0/09.ASP&NoWebContent=1&NoWebContent=1. It is a way to fall back to the ancient heap manager.
“ShutdownFlags” is discussed here https://msdn.microsoft.com/library/default.asp?url=/library/en-us/appendix/hh/appendix/enhancements5_5ppv.asp. It is a way to detect heap leaks.
“RpcThreadPoolThrottle” is discussed here https://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fbin%2Fkbsearch.asp%3FArticle%3D267255.
“GlobalFlag” is controlled by a tool called gflags.exe, which is documented in MSDN https://msdn.microsoft.com/library/default.asp?url=/library/en-us/ddtools/hh/ddtools/gflags_00s3.asp. It is bundled with the Windows debugger (https://www.microsoft.com/whdc/devtools/debugging/default.mspx), which is, in my opinion, the best debugger ever created.
If you play with gflags.exe more, you will find more interesting registry values under Image File Execution Options.
I can’t find anything for “ApplicationGoo”. But you can see that in a vanilla Windows XP system, several reg keys are already present in Image File Execution Options with ApplicationGoo set to random binaries. I suspect this has something to do with AppCompat.
I can’t find anything for “MinimumStackCommitInBytes”, “ExecuteOptions” and “DebugProcessHeapOnly”. But it is very easy to decipher their meaning from their name (except ExecuteOptions, which I suspect is yet another AppCompat goo).
There is another one “BreakOnDllLoad”, which is discussed here https://www.west-wind.com/presentations/iis5Debug.htm. But with the “sxe ld” command in windows debugger, I think it is much less useful. Of course if you are using something other than windows debugger, it will help you to determine why (and when) a certain dll is loaded.
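To see which of these values are actually set on a machine, the following PowerShell script walks the key above and lists every value under each per-executable subkey. It is an added example, not code from the original post; the function name Get-IfeoEntry and the Listed column are made up for this illustration.

```powershell
# Added example (not from the original post): inventory of the
# Image File Execution Options key described in the article.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Value names the article mentions: the Regmon trace plus BreakOnDllLoad.
$ListedNames = @(
    'Debugger', 'DisableHeapLookaside', 'ShutdownFlags',
    'MinimumStackCommitInBytes', 'ExecuteOptions', 'GlobalFlag',
    'DebugProcessHeapOnly', 'ApplicationGoo', 'RpcThreadPoolThrottle',
    'BreakOnDllLoad'
)

# Hypothetical helper: one output row per value under each image subkey.
function Get-IfeoEntry {
    param([string]$Root = $IfeoRoot)

    foreach ($key in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            # ApplicationGoo and similar values are binary; show only the size.
            if ($data -is [byte[]]) { $data = "<binary, $($data.Length) bytes>" }

            [pscustomobject]@{
                Image  = $key.PSChildName            # e.g. notepad.exe
                Value  = $name
                Kind   = $key.GetValueKind($name)    # String, DWord, Binary, ...
                Data   = $data
                Listed = $ListedNames -contains $name # named in the article?
            }
        }
    }
}

$entries = Get-IfeoEntry

# Full inventory, grouped by executable name.
$entries | Sort-Object Image, Value | Format-Table -AutoSize

# Debugger makes another program start whenever the named image is launched,
# so every such entry should be one an administrator can account for.
$entries | Where-Object { $_.Value -eq 'Debugger' } |
    Select-Object Image, Data | Format-Table -AutoSize

# Values the article does not name (gflags.exe can add more of these).
$entries | Where-Object { -not $_.Listed } |
    Select-Object Image, Value, Kind | Format-Table -AutoSize
```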
Comments
Anonymous
May 07, 2004
Handy registry key for debugging.
Anonymous
May 15, 2004
You are right - the ApplicationGoo key is for AppCompat. I don't know how its binary value gets interpreted.
Anonymous
May 26, 2004
I'd be more impressed by WinDbg if it handled paths with spaces in them.
Anonymous
February 08, 2007
Every now and then while debugging I need to either determine when a dll/module is loaded or need to
Anonymous
February 20, 2007
I was spamming asking around earlier this week about how to monitor process creation in windows. I was
Anonymous
August 10, 2007
In the last installment, we had a workaround, so people could get on with their lives. BUT, there's