Microsoft Windows Internals (4th Edition): Microsoft Windows Server 2003, Windows XP, and Windows 2000


Windows has a set of flags stored in a systemwide global variable named NtGlobalFlag that enable various internal debugging, tracing, and validation support in the operating system. The system variable NtGlobalFlag is initialized at boot time from the GlobalFlag value under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. By default, this registry value is 0, so it is likely that on your systems no global flags are in use. In addition, each image has its own set of global flags that also turn on internal tracing and validation code (although the bit layout of these flags is entirely different from that of the systemwide global flags). These flags aren't documented or supported for customer use, but they can be useful tools for exploring the internal operation of Windows.

Fortunately, the Platform SDK and the debugging tools contain a utility named Gflags.exe that allows you to view and change the system global flags (either in the registry or in the running system) as well as image global flags. Gflags has both a command-line and a GUI interface. To see the command-line flags, type gflags /?. If you run the utility without any switches, the dialog box shown in Figure 3-28 is displayed.

Figure 3-28. Setting system debugging options with Gflags

You can toggle between the settings in the registry (by clicking System Registry) and the current value of the variable in system memory (by clicking Kernel Mode). You must click the Apply button to make the changes; clicking OK exits the utility. Although you can change flag settings on a running system, most flags require a reboot to take effect, and there is no documentation on which flags do and which don't require rebooting. So when in doubt, reboot after changing a global flag.

The Image File Options choice requires that you fill in the filename of a valid executable image. This option is used to change the set of global flags that apply to an individual image (rather than to the whole system). In Figure 3-29, notice that the flags are different from the operating system ones shown in Figure 3-28.

Figure 3-29. Setting image global flags with Gflags

EXPERIMENT: Enabling Image Loader Tracing and Viewing NtGlobalFlag

To see an example of the detailed tracing information you can obtain by setting global flags, try running Gflags on a system booted with the kernel debugger enabled and connected to a host system running Kd or Windbg.

As an example, try enabling the Show Loader Snaps flag. To do this, choose Kernel Mode, select the Show Loader Snaps check box, and click the Apply button. Then run an image on this machine, and in the kernel debugger you'll see volumes of output like the following:

LDR: PID: 0xb8 started 'notepad'
LDR: NEW PROCESS
  Image Path: C:\Windows\system32\notepad.exe (notepad.exe)
  Current Directory: C:\ddk\bin
  Search Path: C:\Windows\System32;C:\Windows\system;C:\Windows
LDR: notepad.exe bound to comdlg32.dll
LDR: ntdll.dll used by comdlg32.dll
LDR: Snapping imports for comdlg32.dll from ntdll.dll
...
LDR: KERNEL32.dll loaded. - Calling init routine at 77f01000
LDR: RPCRT4.dll loaded. - Calling init routine at 77e1b6d5
LDR: ADVAPI32.dll loaded. - Calling init routine at 77dc1000
LDR: USER32.dll loaded. - Calling init routine at 77e78037

You can use the !gflags and !gflag kernel debugger commands to view the state of the NtGlobalFlag kernel variable. The !gflags command lists all the flags, marking the enabled ones with an asterisk, whereas !gflag reports only the flags that are enabled, with their short names and a description.

kd> !gflags
NT!NtGlobalFlag 0x4400
    STOP_ON_EXCEPTION
    SHOW_LDR_SNAPS
    DEBUG_INITIAL_COMMAND
    STOP_ON_HUNG_GUI
    HEAP_ENABLE_TAIL_CHECK
    HEAP_ENABLE_FREE_CHECK
    HEAP_VALIDATE_PARAMETERS
    HEAP_VALIDATE_ALL
   *POOL_ENABLE_TAGGING
    HEAP_ENABLE_TAGGING
    USER_STACK_TRACE_DB
    KERNEL_STACK_TRACE_DB
   *MAINTAIN_OBJECT_TYPELIST
    HEAP_ENABLE_TAG_BY_DLL
    ENABLE_CSRDEBUG
    ENABLE_KDEBUG_SYMBOL_LOAD
    DISABLE_PAGE_KERNEL_STACKS
    HEAP_DISABLE_COALESCING
    ENABLE_CLOSE_EXCEPTIONS
    ENABLE_EXCEPTION_LOGGING
    ENABLE_HANDLE_TYPE_TAGGING
    HEAP_PAGE_ALLOCS
    DEBUG_INITIAL_COMMAND_EX
    DISABLE_DBGPRINT
kd> !gflag
NtGlobalFlag at 8046a164
Current NtGlobalFlag contents: 0x00004400
    ptg - Enable pool tagging
    otl - Maintain a list of objects for each type
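The registry value described at the start of this section and the debugger output above are the same bit mask seen from two sides: the value 0x4400 is POOL_ENABLE_TAGGING (0x400) plus MAINTAIN_OBJECT_TYPELIST (0x4000), exactly the two flags !gflag reports. The following Python is an added example, not code from the book or from Gflags.exe. It decodes and encodes a GlobalFlag value using the FLG_* bit values that Gflags uses (the flags at 0x100, 0x200, 0x10000 and 0x100000 are left out because the !gflags listing above does not show them), and it optionally reads the value from the registry on Windows. Two things it relies on that the page itself does not state: the per-image GlobalFlag lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>, and when a process is started under a debugger, ntdll turns on the three heap-checking bits 0x70 in the process's own copy of NtGlobalFlag in the PEB. That second fact is why the 0x70 pattern is worth recognising: malware checks PEB.NtGlobalFlag for it to detect a debugger, and a systemwide or per-image setting of the same bits is the usual way to defeat that check.

```python
"""Decode and encode NtGlobalFlag / GlobalFlag bit masks.

Added example; not code from Windows Internals or from Gflags.exe.
Bit values are the standard FLG_* constants used by Gflags. The registry
reader is optional and only works on Windows (it returns None elsewhere).
"""
from typing import Dict, List, Optional

# FLG_* bit values in the order the !gflags listing prints them.
# 0x100, 0x200, 0x10000 and 0x100000 are omitted: the listing above does
# not show those flags, so this table sticks to what the page supports.
GFLAGS: Dict[int, str] = {
    0x00000001: "STOP_ON_EXCEPTION",
    0x00000002: "SHOW_LDR_SNAPS",
    0x00000004: "DEBUG_INITIAL_COMMAND",
    0x00000008: "STOP_ON_HUNG_GUI",
    0x00000010: "HEAP_ENABLE_TAIL_CHECK",
    0x00000020: "HEAP_ENABLE_FREE_CHECK",
    0x00000040: "HEAP_VALIDATE_PARAMETERS",
    0x00000080: "HEAP_VALIDATE_ALL",
    0x00000400: "POOL_ENABLE_TAGGING",          # "ptg" in !gflag output
    0x00000800: "HEAP_ENABLE_TAGGING",
    0x00001000: "USER_STACK_TRACE_DB",
    0x00002000: "KERNEL_STACK_TRACE_DB",
    0x00004000: "MAINTAIN_OBJECT_TYPELIST",     # "otl" in !gflag output
    0x00008000: "HEAP_ENABLE_TAG_BY_DLL",
    0x00020000: "ENABLE_CSRDEBUG",
    0x00040000: "ENABLE_KDEBUG_SYMBOL_LOAD",
    0x00080000: "DISABLE_PAGE_KERNEL_STACKS",
    0x00200000: "HEAP_DISABLE_COALESCING",
    0x00400000: "ENABLE_CLOSE_EXCEPTIONS",
    0x00800000: "ENABLE_EXCEPTION_LOGGING",
    0x01000000: "ENABLE_HANDLE_TYPE_TAGGING",
    0x02000000: "HEAP_PAGE_ALLOCS",
    0x04000000: "DEBUG_INITIAL_COMMAND_EX",
    0x08000000: "DISABLE_DBGPRINT",
}
ALL_KNOWN = sum(GFLAGS)  # keys are distinct bits, so the sum is the OR

# Heap-checking bits that ntdll ORs into the process's PEB copy of
# NtGlobalFlag when the process is started under a debugger (assumption
# stated in the lead-in; not from the page). Classic anti-debug target.
DEBUGGER_HEAP_FLAGS = 0x70


def decode_gflags(value: int) -> List[str]:
    """Return the names of the flags set in value, lowest bit first."""
    names = [name for bit, name in sorted(GFLAGS.items()) if value & bit]
    unknown = value & ~ALL_KNOWN
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def encode_gflags(*names: str) -> int:
    """Build a GlobalFlag value from flag names; misspelt names raise KeyError."""
    by_name = {n: b for b, n in GFLAGS.items()}
    value = 0
    for n in names:
        value |= by_name[n]
    return value


def looks_debugged(peb_ntglobalflag: int, system_globalflag: int = 0) -> bool:
    """True when the 0x70 heap flags are set in a process's PEB copy but were
    not configured systemwide, i.e. a debugger most likely put them there."""
    has_heap_flags = (peb_ntglobalflag & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS
    configured = (system_globalflag & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS
    return has_heap_flags and not configured


def read_registry_globalflag(image: Optional[str] = None) -> Optional[int]:
    """Read GlobalFlag from the Session Manager key, or from the per-image
    Image File Execution Options key when image (e.g. "notepad.exe") is
    given. Returns None off Windows or when the value is absent, which
    Gflags treats as 0."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    if image:
        path = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Image File Execution Options\\" + image)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _ = winreg.QueryValueEx(key, "GlobalFlag")
    except OSError:
        return None
    return int(value, 0) if isinstance(value, str) else int(value)


if __name__ == "__main__":
    print(decode_gflags(0x4400))  # the value in the kd> !gflag output above
    print(hex(encode_gflags("POOL_ENABLE_TAGGING", "MAINTAIN_OBJECT_TYPELIST")))
    print(decode_gflags(DEBUGGER_HEAP_FLAGS))
    print(read_registry_globalflag(), read_registry_globalflag("notepad.exe"))
```

Run it on a Windows machine with Gflags installed after `gflags /r +ptg +otl` and read_registry_globalflag() returns 0x4400, matching the !gflags listing; the kernel-mode value (what `gflags /k` and !gflag show) is not readable from the registry and still needs the debugger.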

