Break when ntdll.dll is mapped

When you debug a Win32 application, by default the debugger will stop after ntdll finishes initializing the application. (Initialization includes not not limited to loading the static dependencies of the applications and running the DllMain of those dlls.)

Usually this does not matter. But if you want to debug the process initialization, you will need something better.

You can use the following trick to break into debugger when ntdll.dll is mapped into the new process, and before any of ntdll’s process initialization runs.

cdb -xe ld:ntdll <your-application>

If you can’t remember the exact syntax, the following will also work:

cdb <your-application>
sxe ld ntdll.dll

You can even break before ntdll.dll is mapped.

cdb -xe cpr <your-application>

Comments (2)

  1. Nektar says:

    Yes but can you explain what exactly the above command and commandline switches are and do.

    What is -xe dl

    sxe or the rest.

  2. Dan says:

    The -xe option specifies that when the exception occurs, to break into the debugger. The ld exception is triggered when a module loads. The documentation supplied with the Debugging Tools for Windows explains each option in further detail.

    The tools.ini file can also be used with cdb as it supports the use of sxe. Another option is to use the BreakOnDllLoad registry setting for ntdll.dll under Image File Execution Options. On a retail build the use of BreakOnDllLoad will cause an exception to be raised for any process that has a debugger attached and loads ntdll.dll.