MiniDumpAuxiliaryDlls and KnownManagedDebuggingDlls


 I accidentally stumble on these two registry keys. And the expert in Windows Debugger team answers my question.



—–Original Message—–
From:
Subject: RE: managed minidump


Auxiliary DLLs are loaded inside of MiniDumpWriteDump when it finds a registered auxiliary DLL for a module in the target process. The lookup is to take the full path of the module and see if there’s a registered auxiliary DLL. You can’t have multiple aux DLLs for a single module path.


—–Original Message—–


From: Junfeng Zhang


Subject: RE: managed minidump


When are auxiliary dlls loaded?


What is the behavior when there are multiple entries under each key?


—–Original Message—–


From:


Subject: RE: managed minidump


Both are filled with string values of the form <full DLL path> = <full DLL path>. MiniDumpAuxiliaryDlls lists helper DLLs that the minidump code can use to get additional data during dump generation. For example, mscorwks.dll has a registered auxiliary of mscordacwks.dll, which provides extra CLR memory data for a minidump.


KnownManagedDebuggingDlls is a security measure so that a debugger, when attempting to load extra support DLLs for managed debugging, can know what DLLs are approved for use on the system. The CLR registers mscordacwks.dll here, for example.


Both are kept in HKLM so that they can only be written by an admin.


—–Original Message—–


From: Junfeng Zhang


Subject: managed minidump


How does OS use the following two registry keys?


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls