Windows Global Flags


Windows has a set of flags stored in a systemwide global variable named NtGlobalFlag that enable various internal debugging, tracing, and validation support in the operating system. At system boot time, NtGlobalFlag is initialized from the value GlobalFlag under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. By default, this registry value is 0, so it's likely that on your systems, you're not using any global flags. In addition, each image has a set of global flags that also turn on internal tracing and validation code (although the bit layout of these flags is entirely different from that of the systemwide global flags). These flags aren't documented or supported for customer use, but they can be useful tools for exploring the internal operation of Windows.

Fortunately, the Platform SDK and the debugging tools contain a utility named Gflags.exe that allows you to view and change the system global flags (either in the registry or in the running system) as well as image global flags. Gflags has both a command-line and a GUI interface. To see the command-line flags, type gflags /?. If you run the utility without any switches, the dialog box shown in Figure 3-28 is displayed.

Figure 3-28. Setting system debugging options with Gflags


You can toggle between the settings in the registry (by clicking System Registry) and the current value of the variable in system memory (by clicking Kernel Mode). You must click the Apply button to make the changes. (You'll exit if you click the OK button.) Although you can change flag settings on a running system, most flags require a reboot to take effect, and there's no documentation on which flags do and which don't require rebooting. So when in doubt, reboot after changing a global flag.

The Image File Options choice requires that you fill in the filename of a valid executable image. This option is used to change a set of global flags that apply to an individual image (rather than to the whole system). In Figure 3-29, notice that the flags are different from the operating system ones shown in Figure 3-28.

Figure 3-29. Setting image global flags with Gflags


EXPERIMENT: Enabling Image Loader Tracing and Viewing NtGlobalFlag

To see an example of the detailed tracing information you can obtain by setting global flags, try running Gflags on a system booted with the kernel debugger that is connected to a host system running Kd or Windbg.

As an example, try enabling the Show Loader Snaps flag. To do this, choose Kernel Mode, select the Show Loader Snaps check box, and click the Apply button. Then run an image on this machine, and in the kernel debugger you'll see volumes of output like the following:

LDR: PID: 0xb8 started 'notepad'
LDR: NEW PROCESS
     Image Path: C:\Windows\system32\notepad.exe (notepad.exe)
     Current Directory: C:\ddk\bin
     Search Path: C:\Windows\System32;C:\Windows\system;C:\Windows
LDR: notepad.exe bound to comdlg32.dll
LDR: ntdll.dll used by comdlg32.dll
LDR: Snapping imports for comdlg32.dll from ntdll.dll
     ...
LDR: KERNEL32.dll loaded. - Calling init routine at 77f01000
LDR: RPCRT4.dll loaded. Calling init routine at 77e1b6d5
LDR: ADVAPI32.dll loaded. - Calling init routine at 77dc1000
LDR: USER32.dll loaded. Calling init routine at 77e78037

You can use the !gflags and !gflag kernel debugger commands to view the state of the NtGlobalFlag kernel variable. The !gflags command lists all the flags, indicating which ones are enabled, whereas !gflag reports only the flags that are enabled.

kd> !gflags
NT!NtGlobalFlag 0x4400
  STOP_ON_EXCEPTION               SHOW_LDR_SNAPS
  DEBUG_INITIAL_COMMAND           STOP_ON_HUNG_GUI
  HEAP_ENABLE_TAIL_CHECK          HEAP_ENABLE_FREE_CHECK
  HEAP_VALIDATE_PARAMETERS        HEAP_VALIDATE_ALL
 *POOL_ENABLE_TAGGING             HEAP_ENABLE_TAGGING
  USER_STACK_TRACE_DB             KERNEL_STACK_TRACE_DB
 *MAINTAIN_OBJECT_TYPELIST        HEAP_ENABLE_TAG_BY_DLL
  ENABLE_CSRDEBUG                 ENABLE_KDEBUG_SYMBOL_LOAD
  DISABLE_PAGE_KERNEL_STACKS      HEAP_DISABLE_COALESCING
  ENABLE_CLOSE_EXCEPTIONS         ENABLE_EXCEPTION_LOGGING
  ENABLE_HANDLE_TYPE_TAGGING      HEAP_PAGE_ALLOCS
  DEBUG_INITIAL_COMMAND_EX        DISABLE_DBGPRINT
kd> !gflag
NtGlobalFlag at 8046a164
Current NtGlobalFlag contents: 0x00004400
    ptg - Enable pool tagging
    otl - Maintain a list of objects for each type
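The following Python is an added example, not code from the book or from the debugging tools. It parses !gflags output like the listing above, decodes the systemwide value, and checks that the starred names account for every bit in the hex value. The bit assignments are taken from Microsoft's published GFlags flag table (an assumption here, since the page lists names only), and the function names are hypothetical.

```python
import re

# Systemwide flag bits, taken from Microsoft's published GFlags flag table
# (assumption: the page itself lists names only). Image flags use a different layout.
FLAGS = {
    "STOP_ON_EXCEPTION": 0x1, "SHOW_LDR_SNAPS": 0x2,
    "DEBUG_INITIAL_COMMAND": 0x4, "STOP_ON_HUNG_GUI": 0x8,
    "HEAP_ENABLE_TAIL_CHECK": 0x10, "HEAP_ENABLE_FREE_CHECK": 0x20,
    "HEAP_VALIDATE_PARAMETERS": 0x40, "HEAP_VALIDATE_ALL": 0x80,
    "POOL_ENABLE_TAGGING": 0x400, "HEAP_ENABLE_TAGGING": 0x800,
    "USER_STACK_TRACE_DB": 0x1000, "KERNEL_STACK_TRACE_DB": 0x2000,
    "MAINTAIN_OBJECT_TYPELIST": 0x4000, "HEAP_ENABLE_TAG_BY_DLL": 0x8000,
    "ENABLE_CSRDEBUG": 0x20000, "ENABLE_KDEBUG_SYMBOL_LOAD": 0x40000,
    "DISABLE_PAGE_KERNEL_STACKS": 0x80000, "HEAP_DISABLE_COALESCING": 0x200000,
    "ENABLE_CLOSE_EXCEPTIONS": 0x400000, "ENABLE_EXCEPTION_LOGGING": 0x800000,
    "ENABLE_HANDLE_TYPE_TAGGING": 0x1000000, "HEAP_PAGE_ALLOCS": 0x2000000,
    "DEBUG_INITIAL_COMMAND_EX": 0x4000000, "DISABLE_DBGPRINT": 0x8000000,
}

def decode(value):
    """Split a GlobalFlag/NtGlobalFlag DWORD into known flag names and leftover bits."""
    names = [name for name, bit in FLAGS.items() if value & bit]
    known = sum(FLAGS.values())  # bits are distinct, so the sum equals the OR
    return names, value & ~known

def parse_gflags(text):
    """Return (value, starred_names) from !gflags output."""
    match = re.search(r"NtGlobalFlag\s+(0x[0-9a-fA-F]+)", text)
    if match is None:
        raise ValueError("no NtGlobalFlag header found")
    return int(match.group(1), 16), re.findall(r"\*(\w+)", text)

def consistent(text):
    """True when the starred names account for every bit in the header value."""
    value, starred = parse_gflags(text)
    names, leftover = decode(value)
    return sorted(names) == sorted(starred) and leftover == 0

# Trimmed from the !gflags listing on this page.
SAMPLE = """kd> !gflags
NT!NtGlobalFlag 0x4400
  STOP_ON_EXCEPTION               SHOW_LDR_SNAPS
 *POOL_ENABLE_TAGGING             HEAP_ENABLE_TAGGING
 *MAINTAIN_OBJECT_TYPELIST        HEAP_ENABLE_TAG_BY_DLL
"""

if __name__ == "__main__":
    value, starred = parse_gflags(SAMPLE)
    print(hex(value), decode(value), consistent(SAMPLE))
```

A nonzero second element from decode means the value carries bits outside this table, which is worth a closer look when auditing the GlobalFlag registry value on a system that should be running with the default of 0.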




    Microsoft Windows Internals
    Microsoft Windows Internals (4th Edition): Microsoft Windows Server 2003, Windows XP, and Windows 2000
    ISBN: 0735619174
    EAN: 2147483647
    Year: 2004
    Pages: 158
