Updating the symevent
What I find is that people who debug often have a core set of tools and commands they use to get their job done, and everyone's is slightly different.

These bugs are hard, especially when the application in question is complex and you don't have source for it (Office applications are a particular pain point here). Typically you either get a silent failure or a not very helpful error message such as "Error Saving File".

Failures of this type generally fall into one of two categories:

By far the second type of failure is much more difficult to track down, typically requiring quite a bit of time analyzing the application, trace logs, and information from utilities such as FileSpy or IrpTracker. While the first type can also be tracked down this way, there is a trick you can try in an attempt to quickly track down the problem.

The trick is based on this assumption: most applications written for Windows use the Win32 API either directly or indirectly. Because I'm trying to confirm or deny that a failing API call is to blame, what I want to know is, "Which API calls are failing during the failure case?" This basically means finding a single point in the system that is always called as a result of an API failure. And, as luck would have it, they all call the same API: RtlNtStatusToDosError. This used to be undocumented, but a Google search shows that MSDN now provides documentation for the API.

What I want to do then is set a breakpoint on RtlNtStatusToDosError in the faulty application. When the breakpoint fires, I want to see the failure status and the call stack of the failing call. If all goes well, I'll see some obvious API failing, and that will lead the rest of my analysis.

We'll trace trying to save a read-only file in Notepad running on our target machine. The call stack when the breakpoint fires:

    RtlNtStatusToDosError
    0007fa40 7c81109a kernel32!DispatchClientMessage+0xa3
    0007fea0 7c90eae3 USER32!xxxSendMessageTimeout+0x1a6
    f7ee3c9c bf8e14ac win32k!xxxTranslateAccelerator+0x264
    f7ee3d50 8054060c win32k!NtUserTranslateAccelerator+0x85
    f7ee3d50 7c90eb94 nt!BaseSetLastNTError+0xf
    0007fab0 01004ede kernel32!KiFastCallEntry+0xfc

For example, say I want to inspect every time the floppy disk driver completes an IRP with IoCompleteRequest.