Break when ntdll.dll is mapped

When you debug a Win32 application, by default the debugger will stop after ntdll finishes initializing the application. (Initialization includes not not limited to loading the static dependencies of the applications and running the DllMain of those dlls.)

Usually this does not matter. But if you want to debug the process initialization, you will need something better.

You can use the following trick to break into debugger when ntdll.dll is mapped into the new process, and before any of ntdll's process initialization runs.

cdb -xe ld:ntdll <your-application>

If you can't remember the exact syntax, the following will also work:

cdb <your-application>
sxe ld ntdll.dll
.restart

You can even break before ntdll.dll is mapped.

cdb -xe cpr <your-application>