Windows 2000 has a set of flags stored in a systemwide global variable named NtGlobalFlag that enable various internal debugging, tracing, and validation support in the operating system. The system variable NtGlobalFlag is initialized from the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager in the value GlobalFlag at system boot time. By default, this registry value is 0, so it's likely that on your systems, you're not using any global flags. In addition, each image has a set of global flags that also turn on internal tracing and validation code (though the bit layout of these flags is entirely different than the systemwide global flags). These flags aren't documented or supported for customer use, but they can be useful tools for exploring the internal operation of Windows 2000.
Fortunately, the Platform SDK and the debugging tools contain a utility named Gflags.exe that allows you to view and change the system global flags (either in the registry or in the running system) as well as image global flags. Gflags has both a command-line and a GUI interface. To see the command-line flags, type gflags /?. If you run the utility without any switches, the dialog box shown in Figure 3-22 is displayed.
Figure 3-22 Setting system debugging options with Gflags
You can toggle between the settings in the registry (by clicking System Registry) and the current value of the variable in system memory (by clicking Kernel Mode). You must press the Apply button to make the changes. (You'll exit if you press the OK button.) Although you can change flag settings on a running system, most flags require a reboot to take effect, and there's no documentation on which do and which don't require rebooting. So when in doubt, reboot after changing a global flag.
The Image File Options choice requires that you fill in the filename of a valid executable image. This option is used to change a set of global flags that apply to an individual image (rather than to the whole system). In Figure 3-23, notice that the flags are different than the operating system ones shown in Figure 3-22.
Figure 3-23 Setting image global flags with Gflags
Enabling Image Loader Tracing and Viewing NtGlobalFlag
To see an example of the detailed tracing information you can obtain by setting global flags, try running Gflags on a system booted with the kernel debugger that is connected to a host system running Kd or Windbg, or that is running LiveKd.
As an example, try enabling the Show Loader Snaps flag. To do this, select Kernel Mode, click the Show Loader Snaps check box, and click the Apply button. Then run an image on this machine, and in the kernel debugger you'll see volumes of output like the following:
LDR: PID: 0xb8 started - 'notepad' LDR: NEW PROCESS Image Path: C:\WINNT\system32\notepad.exe (notepad.exe) Current Directory: C:\ddk\bin Search Path: C:\WINNT\System32;C:\WINNT\system;C:\WINNT LDR: notepad.exe bound to comdlg32.dll LDR: ntdll.dll used by comdlg32.dll LDR: Snapping imports for comdlg32.dll from ntdll.dll LDR: KERNEL32.dll loaded. - Calling init routine at 77f01000 LDR: RPCRT4.dll loaded. - Calling init routine at 77e1b6d5 LDR: ADVAPI32.dll loaded. - Calling init routine at 77dc1000 LDR: USER32.dll loaded. - Calling init routine at 77e78037
You can use the !gflags and !gflag kernel debugger commands to view the state of the NtGlobalFlag kernel variable. The !gflags command lists all the flags, indicating which ones are enabled, whereas !gflag reports only the flags that are enabled.
kd> !gflags NT!NtGlobalFlag 0x4400 STOP_ON_EXCEPTION SHOW_LDR_SNAPS DEBUG_INITIAL_COMMAND STOP_ON_HUNG_GUI HEAP_ENABLE_TAIL_CHECK HEAP_ENABLE_FREE_CHECK HEAP_VALIDATE_PARAMETERS HEAP_VALIDATE_ALL *POOL_ENABLE_TAGGING HEAP_ENABLE_TAGGING USER_STACK_TRACE_DB KERNEL_STACK_TRACE_DB *MAINTAIN_OBJECT_TYPELIST HEAP_ENABLE_TAG_BY_DLL ENABLE_CSRDEBUG ENABLE_KDEBUG_SYMBOL_LOAD DISABLE_PAGE_KERNEL_STACKS HEAP_DISABLE_COALESCING ENABLE_CLOSE_EXCEPTIONS ENABLE_EXCEPTION_LOGGING ENABLE_HANDLE_TYPE_TAGGING HEAP_PAGE_ALLOCS DEBUG_INITIAL_COMMAND_EX DISABLE_DBGPRINT kd> !gflag NtGlobalFlag at 8046a164 Current NtGlobalFlag contents: 0x00004400 ptg - Enable pool tagging otl - Maintain a list of objects for each type