Question

I have received a WinDbg log and a Process Monitor log. Some of the items are shown in WinDbg and in Process Monitor, i.e. Module Load events.

I think I would also be able to trace Thread Exit events if I use sxe -c ".echo Thread Exit;g" et or something similar. However, I cannot think of an easy solution to trace Registry access and file load events.

Is there a way to trace Registry calls in WinDbg like Process Monitor does?

Preferably it would trace all ETW calls, so I also have the file accesses in my WinDbg log.


Solution

I can only think of setting breakpoints on Registry functions as:

bu ADVAPI32!RegQueryValueExW ".echo RegQueryValueExW; g;"
bu ADVAPI32!RegQueryValueExA ".echo RegQueryValueExA; g;"

The breakpoint command string echoes the breakpoint name and then continues the program.

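As an added example that is not part of the answer above, a WinDbg command file that extends the echo-and-continue breakpoints so they also dump the key, value or file name each call receives (the log path, the x64 register convention and the KERNELBASE module name are assumptions, not something the answer states):

```windbg
$$ Added example (not from the original answer): a WinDbg command file that
$$ extends the ".echo ...; g" idea by also dumping the key/value name each
$$ call receives. Run it with  $$< C:\temp\regtrace.wds  (path is assumed).
$$
$$ Assumes an x64 target: arg1 is in rcx, arg2 in rdx. On x86 use
$$ poi(@esp+4) for arg1 and poi(@esp+8) for arg2 instead.
$$
$$ Everything goes to a timestamped log file as well as the command window.
.logopen /t C:\temp\regtrace.log

$$ RegOpenKeyExW(hKey, lpSubKey, ...) - dump the sub-key name (arg2)
bu ADVAPI32!RegOpenKeyExW ".echo RegOpenKeyExW subkey:; du @rdx; g"

$$ RegQueryValueExW(hKey, lpValueName, ...) - dump the value name (arg2)
bu ADVAPI32!RegQueryValueExW ".echo RegQueryValueExW value:; du @rdx; g"

$$ RegSetValueExW(hKey, lpValueName, ...) - writes are worth logging too
bu ADVAPI32!RegSetValueExW ".echo RegSetValueExW value:; du @rdx; g"

$$ File access: CreateFileW(lpFileName, ...) - dump the path (arg1).
$$ The export lives in KERNELBASE on current Windows; on older releases
$$ use KERNEL32!CreateFileW instead.
bu KERNELBASE!CreateFileW ".echo CreateFileW path:; du @rcx; g"

$$ bu (unresolved breakpoint) is used so the breakpoints survive module
$$ loads and restarts; each one prints its line and continues with g.
g
```

Because the breakpoints sit on the Win32 layer, calls that go straight to ntdll (NtOpenKey and friends) and the kernel-side activity Process Monitor shows do not appear in this log, and every hit costs a debugger round-trip, so the traced process runs noticeably slower.
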
Other tips

see http://blogs.msdn.com/b/debuggingtoolbox/archive/2007/04/14/windbg-script-tracing-api-calls.aspx

Unfortunately logexts has some bugs and does not work on some OSes (maybe you will need to turn off DEP).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow