Windows 7 - No "show loader snaps" output

Asked By johan2sso on 01-Sep-07 08:20 PM
Hi,

I've tried getting some output from the loader in a few scenarios,
including locally on a 32-bit Vista system with WinDBG and DbgView and
in a virtual machine (XP SP2) being kernel debugged. I must be missing
something very basic, because regardless of whether I set the flag
globally or for a particular image I can't get any output.

The below should give some specifics wrt settings and versions.

Microsoft (R) Windows Debugger  Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.

...

Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp_sp2_qfe.070227-2300
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805535a0

...

kd> !gflag
Current NtGlobalFlag contents: 0x00000002
sls - Show Loader Snaps

Thanks for any help,
Johan

Pavel Lebedinsky [MSFT] replied on 06-Sep-07 11:54 PM
+sls is a per-process flag so you need to set it from a user mode
debugger (cdb/ntsd) or using gflags -i. It might also require a user
mode debugger to be attached, though I'm not entirely sure about
that.

C:\Debuggers>cdb notepad

0:000> !gflag +sls
New NtGlobalFlag contents: 0x00000072
sls - Show Loader Snaps
htc - Enable heap tail checking
hfc - Enable heap free checking
hpc - Enable heap parameter checking

0:000> g
LDR: LdrLoadDll, loading ShimEng.dll from
LDR: Loading (DYNAMIC, NON_REDIRECTED) C:\WINDOWS\system32\ShimEng.dll

--
This posting is provided "AS IS" with no warranties, and confers no
rights.
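As an added example (not from this thread or from Pavel's post), here is the per-image equivalent of the `gflags -i <image> +sls` step from the answer above, done from PowerShell against the Image File Execution Options key that gflags writes. The image name notepad.exe and the 0x2 value for sls are taken from the thread's output; the elevated prompt, the function names and the audit helper are my assumptions.

```powershell
# Added example: enable Show Loader Snaps for one image by OR-ing the sls bit into the
# image's IFEO GlobalFlag value, which is what "gflags -i <image> +sls" does.
# Assumes an elevated PowerShell prompt. notepad.exe is a constructed sample target.
$ImageName = 'notepad.exe'
$Sls       = 0x00000002   # sls - Show Loader Snaps, as reported by !gflag in the thread
$IfeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ImageKey  = Join-Path $IfeoRoot $ImageName

function Get-ImageGlobalFlag([string]$Key) {
    # Current per-image GlobalFlag, or 0 when the key or value does not exist yet.
    $v = Get-ItemProperty -Path $Key -Name GlobalFlag -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 } else { return [int]$v.GlobalFlag }
}

function Enable-ImageLoaderSnaps([string]$Key) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $new = (Get-ImageGlobalFlag $Key) -bor $Sls      # keep any flags already set
    Set-ItemProperty -Path $Key -Name GlobalFlag -Value $new -Type DWord
    return $new
}

function Disable-ImageLoaderSnaps([string]$Key) {
    # Clear only the sls bit; drop the value entirely if nothing else remains.
    $new = (Get-ImageGlobalFlag $Key) -band (-bnot $Sls)
    if ($new -eq 0) {
        Remove-ItemProperty -Path $Key -Name GlobalFlag -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $Key -Name GlobalFlag -Value $new -Type DWord
    }
    return $new
}

# Audit helper: list every IFEO entry that carries a GlobalFlag or Debugger value.
# Debug flags left behind under IFEO change process behaviour system-wide for that
# image, so this key is worth reviewing after a debugging session and in general.
function Get-IfeoOverrides {
    Get-ChildItem $IfeoRoot | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.GlobalFlag -or $p.Debugger) {
            [pscustomobject]@{
                Image      = $_.PSChildName
                GlobalFlag = ('0x{0:X8}' -f [int]$p.GlobalFlag)
                Debugger   = $p.Debugger
            }
        }
    }
}

'New GlobalFlag for {0}: 0x{1:X8}' -f $ImageName, (Enable-ImageLoaderSnaps $ImageKey)
Get-IfeoOverrides | Format-Table -AutoSize
```

After setting the flag, start the image under cdb as shown in the answer above to see the LDR: lines; run Disable-ImageLoaderSnaps when finished so the setting does not persist.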

johan2sso replied on 07-Sep-07 03:43 PM
On Sep 7, 5:54 am, "Pavel Lebedinsky [MSFT]"

Thanks, the user mode debugger "works" even though I was kind of
hoping to see output from the loading of the first dlls as well (not
ntdll.dll obviously). I also think this almost entirely contradicts
the help entry for Show loader snaps (and the gflags gui):
----
Show loader snaps
The Show loader snaps flag captures detailed information about the
loading and unloading of executable images and their supporting
library modules and displays the data in the -->kernel debugger
console<--.

Destination -->System-wide registry entry, kernel flag<--, image file
registry entry

Comments
For system-wide (registry or kernel flag), this flag displays
information about driver loading and unloading operations.

For per-process (image file), this flag displays information about
loading and unloading of DLLs.
----

Thanks again,
j