\n\nThis page has been machine-translated from the original page.
\n
This article is a follow-up to the Cheat Sheet for Dump Analysis and Live Debugging with WinDbg that I created the other day, and summarizes GFlags settings that are useful to remember when troubleshooting Windows.
\nI only included the settings that I personally find useful. This is also just a memo for myself, so I would like to add more settings in the future if I find others that prove useful in different situations.
\n\nAll of the content in this article is based only on publicly available information, published books, or results verified in a personal test environment.
\nRelated articles:
\nGFlags (Global Flags Editor) is a tool that can be used to enable or disable specific debugging features.
\nBecause it is included in Debugging Tools for Windows 10 (WinDbg), if you have the classic WinDbg installed, gflags.exe and gflags.dll are placed in the same folder as WinDbg (for example, C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64).
Reference: GFlags - Windows drivers | Microsoft Learn
\nGFlags can be used from both the CLI and the GUI, and lets you manipulate global flags for the system or for individual images (programs).
\nThe command-based way to operate GFlags is described here.
\nReference: GFlags Commands - Windows drivers | Microsoft Learn
\nGlobal flags are variables that support debugging and tracing of Windows systems and images.
\nSystem global flags are managed by two global variables: NtGlobalFlag and NtGlobalFlag2.
These system variables are defined under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager and are initialized when the system starts. (The default value of both is 0, meaning no global flags are set.)
You can inspect system-side global flags during kernel debugging by using the !gflag extension.
However, at present this extension appears to support only the value configured in NtGlobalFlag.
Running the !gflag -? command displays help for global flags.
Each image (program) also has its own global flag settings.
\nThe global flags for each image file are defined under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\<Application>.
Under this registry key you can find the Debugger option, which specifies the application to open when the target application starts, and SilentProcessExit, which can be abused to launch a process when the application exits.
These Image File Execution Options (IFEO) settings are known to be abused by malware for persistence, not only for debugging purposes.
\nGlobal flags for each image are processed by user-mode components such as the loader and Windows Error Reporting (WER).
\nFor example, when the loader handles global flags, it processes them while initializing the process and loading dependencies so that the program can start.
\nAt that time, the loader function LdrpInitializeExecutionOptions looks up the IFEO registry key based on the image file name and retrieves the global flags.
The global flag information retrieved by the loader from the registry is stored in NtGlobalFlag and NtGlobalFlag2 inside the PEB.
When I actually inspected the PEB of a Notepad process for which global flags had been set with GFlags, I was able to confirm that a value was set in NtGlobalFlag as shown below.
> !ped\nNo export ped found\n0:000> !peb\nPEB at 00000030dbc1e000\n InheritedAddressSpace: No\n ReadImageFileExecOptions: No\n BeingDebugged: Yes\n ImageBaseAddress: 00007ff689330000\n NtGlobalFlag: 70\n NtGlobalFlag2: 0\n Ldr 00007ffcf7f9c4c0\n Ldr.Initialized: Yes\n Ldr.InInitializationOrderModuleList: 000001744bbe2a10 . 000001744bbe3130\n Ldr.InLoadOrderModuleList: 000001744bbe2bc0 . 000001744bbf04e0\n Ldr.InMemoryOrderModuleList: 000001744bbe2bd0 . 000001744bbf04f0Reference: Inside Windows, 7th Edition Part 2
\nBy setting the Disable paging of kernel stacks global flag in GFlags, you can disable paging of kernel-mode stacks.
Disable paging of kernel stacks is configured with FLG_DISABLE_PAGE_KERNEL_STACKS(0x80000).
As described in the documentation below, kernel-mode stacks are normally not paged and are guaranteed to remain resident in memory.
\nHowever, in rare cases, the kernel stacks of inactive threads may be paged out.
\nIf a kernel stack is paged out, you may no longer be able to inspect information related to the target thread during kernel debugging or full dump analysis.
\nFor that reason, setting this global flag is useful, for example, when debugging deadlocks or when you need to track every thread.
\nReference: Disable paging of kernel stacks - Windows drivers | Microsoft Learn
\nYou can configure Disable paging of kernel stacks from the following location.
In addition, the following blog mentioned that during real debugging, it is also useful to set the global flag FLG_POOL_ENABLE_TAGGING(0x400), which lets you calculate statistics related to pool memory allocation, along with preventing kernel stack paging described above.
Reference: How to Prevent Kernel-Mode Stacks from Being Paged Out | Mado no Kusuribako
\nReference: Enable pool tagging - Windows drivers | Microsoft Learn
\nBy using GFlags to set the global flag that enables the Show Loader Snaps debugging feature, you can inspect the image loader’s debug output when the target application starts.
This lets you output information about loading and unloading executables and libraries to the debugger.
\nShow Loader Snaps is FLG_SHOW_LDR_SNAPS(0x2). If it is set system-wide, it outputs information about driver loading and unloading.
If it is set only for a specific image file, it outputs information about DLL loading and unloading when the application starts.
\nReference: Show loader snaps - Windows drivers | Microsoft Learn
\nFor example, if you start gflags.exe and configure it from [Image File] as shown below, Show Loader Snaps and the Debugger flag are set for Notepad.exe.
Applying this setting writes the WinDbg path to Debugger under HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Notepad.exe.
It also sets the value 2 in GlobalFlag. (In this environment, no other GlobalFlag values were set for Notepad.exe, so the hexadecimal value for Show Loader Snaps, 0x2, is applied as-is.)
With the Debugger flag now set for Notepad.exe, trying to start Notepad automatically attaches WinDbg and records output like the following.
ModLoad: 00007ff7`8c3b0000 00007ff7`8c3e8000 notepad.exe\nModLoad: 00007ffd`1f2d0000 00007ffd`1f4c8000 ntdll.dll\n22e0:0710 @ 00503718 - LdrpInitializeProcess - INFO: Beginning execution of notepad.exe (C:\\WINDOWS\\system32\\notepad.exe)\nCurrent directory: C:\\Users\\Tadpole01\\\nPackage directories: (null)\n22e0:0710 @ 00503718 - LdrLoadDll - ENTER: DLL name: KERNEL32.DLL\n22e0:0710 @ 00503718 - LdrpLoadDllInternal - ENTER: DLL name: KERNEL32.DLL\n22e0:0710 @ 00503718 - LdrpFindKnownDll - ENTER: DLL name: KERNEL32.DLL\n22e0:0710 @ 00503718 - LdrpFindKnownDll - RETURN: Status: 0x00000000\n22e0:0710 @ 00503718 - LdrpMinimalMapModule - ENTER: DLL name: C:\\WINDOWS\\System32\\KERNEL32.DLL\nModLoad: 00007ffd`1d390000 00007ffd`1d44f000 C:\\WINDOWS\\System32\\KERNEL32.DLL\n22e0:0710 @ 00503718 - LdrpMinimalMapModule - RETURN: Status: 0x00000000\n22e0:0710 @ 00503718 - LdrpPreprocessDllName - INFO: DLL api-ms-win-core-rtlsupport-l1-1-0.dll was redirected to C:\\WINDOWS\\SYSTEM32\\ntdll.dll by API set\n22e0:0710 @ 00503718 - LdrpFindKnownDll - ENTER: DLL name: KERNELBASE.dll\n22e0:0710 @ 00503718 - LdrpFindKnownDll - RETURN: Status: 0x00000000\n22e0:0710 @ 00503718 - LdrpMinimalMapModule - ENTER: DLL name: C:\\WINDOWS\\System32\\KERNELBASE.dll\nModLoad: 00007ffd`1ca10000 00007ffd`1cd06000 C:\\WINDOWS\\System32\\KERNELBASE.dll\n22e0:0710 @ 00503718 - LdrpMinimalMapModule - RETURN: Status: 0x00000000\n22e0:0710 @ 00503718 - LdrpPreprocessDllName - INFO: DLL api-ms-win-eventing-provider-l1-1-0.dll was redirected to C:\\WINDOWS\\SYSTEM32\\kernelbase.dll by API set\n22e0:0710 @ 00503718 - LdrpPreprocessDllName - INFO: DLL api-ms-win-core-apiquery-l1-1-0.dll was redirected to C:\\WINDOWS\\SYSTEM32\\ntdll.dll by API set\n22e0:0710 @ 00503718 - LdrpPreprocessDllName - INFO: DLL api-ms-win-core-apiquery-l1-1-1.dll was redirected to C:\\WINDOWS\\SYSTEM32\\ntdll.dll by API setThe output is quite large (around 120 KB in my environment), so depending on your needs it is probably a good idea to write it to a log file.
\nFor example, if you run the Debugger flag with a log file path included as shown below, you can write the startup log to a file.
C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe -logo C:\\Users\\Public\\debug.logWhen the Show Loader Snaps flag is enabled, WinDbg outputs events not only when the application starts but also when a module is loaded later as the result of some operation.
As mentioned above, setting the Debugger option for each image lets you attach a debugger when the program starts.
Strictly speaking, these Image File Execution Options (IFEO) settings are different from global flags, but they can still be configured from GFlags.
\nFor example, by setting it up as shown below, you can start Notepad under WinDbg and begin debugging immediately.
\nThis setting is extremely useful in scenarios where you need to debug something that cannot be launched directly, must be started through some interface or job, and does not remain resident long enough to attach a debugger manually.
\nReference: Image File Execution Options | Microsoft Learn
\nAlso, the path you specify in Debugger is not limited to the path of an actual debugger.
For example, if you specify an editor or some other arbitrary program as shown below, then starting Notepad automatically opens Notepad with that specified program.
\nBecause this behavior can be abused, it should be used with caution.
\nStrictly speaking, this is not a global flag either, but by enabling Silent Process Exit for each application, you can monitor when the application terminates.
The termination events you can monitor are limited to self-termination via ExitProcess (for example, clicking the close button in the top right) or termination by another application via TerminateProcess.
When Silent Process Exit is configured, you can output a crash dump when the application exits or send a notification to the host.
You can also launch an arbitrary application as a Monitor process. (This too can be abused, so caution is required.)
\nThese settings can be configured from Silent Process Exit in GFlags.
This makes it possible to collect dumps of programs that exited for reasons other than a crash during troubleshooting, or to identify what caused the program to terminate.
\nFor example, suppose you configure Silent Process Exit for the Notepad application with options like the following.
0x2, which is the value of MiniDumpWithFullMemory, is set.If you forcibly terminate Notepad from Task Manager in this state, a dump of the Task Manager process that performed the termination is also collected, as shown below.
\nAlso, if you terminate it from PowerShell with Stop-Process -Name notepad, a PowerShell dump is collected like this.
Reference: Monitoring Silent Process Exit - Windows drivers | Microsoft Learn
\nReference: Finding the Process That Terminated a Process - Information Site for Collecting Windows Materials
\nBy the way, even if you set the debugger path in the Monitor Process setting, unfortunately you cannot attach a debugger to the process immediately before it exits.
\nHowever, there seem to be many possible uses, such as launching a program that notifies you when a program exits or running a tool that collects system information immediately after the program ends.
\nThis time, I summarized GFlags settings that are useful to remember when troubleshooting Windows.
\nI only listed the settings that I personally find useful, but I would like to add more in the future if I discover others that prove useful in different situations.
","fields":{"slug":"/windbg-gflags-tutorial-en","tagSlugs":["/tag/win-dbg-en/","/tag/reversing-en/","/tag/english/"]},"frontmatter":{"date":"2023-05-20","description":"This article summarizes useful GFlags settings to remember when troubleshooting Windows. It covers settings such as debugger flags and Silent Process Exit that can help when investigating issues on Windows.","tags":["WinDbg (en)","Reversing (en)","English"],"title":"Notes on Useful GFlags Settings for Troubleshooting Windows Environments","socialImage":{"publicURL":"/static/e60d0aaf5c216e959ec0071df61c29af/windbg-gflags-tutorial.png"}}}},"pageContext":{"slug":"/windbg-gflags-tutorial-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}