NTDebuggers Debug Puzzler 0x00000001 "Where did my process go?"

Hello NTDebuggers, in the spirit of Click and Clack (The Tappet brothers), a favorite troubleshooting show of mine, we thought it would be fun to offer up some Debug puzzlers for our readers.

That said, this week’s Debug Puzzler concerns Dr. Watson. I’m sure most of you have seen Dr. Watson errors; they typically mean your application has crashed due to an unhandled exception. Sometimes, however, the process just seems to disappear: the Just-in-Time (JIT) debugging options configured via the AeDebug key do not catch the crash. Does anyone know why this may happen?

We will post readers’ comments as they come in during the week, and next Monday we will post our answer and recognize some of the best answers we received.

Good luck and happy debugging!

- Jeff Dailey


[Update: our answer, posted 4/11/2008]

Hello NTDebuggers. Let me start off by saying that we were very impressed by our readers’ answers. Our two favorite answers were submitted by Skywing and molotov.

When a thread starts, the ntdll Run Time Library (RTL) for the process inserts an exception handler before it calls the BaseThreadInit code to hand control over to the executable or DLL running in the process (notepad in the example below). If anything goes wrong with the chain of exception handlers, the exception never makes it back to the RTL exception handler, and the process simply terminates without the JIT debugger ever being launched. See https://www.microsoft.com/msj/0197/Exception/Exception.aspx for details.

ChildEBP RetAddr
000ef7ac 75fbf837 ntdll!KiFastSystemCallRet
000ef7b0 75fbf86a USER32!NtUserGetMessage+0xc
000ef7cc 00b21418 USER32!GetMessageW+0x33
000ef80c 00b2195d notepad!WinMain+0xec
000ef89c 76e24911 notepad!_initterm_e+0x1a1
000ef8a8 7704e4b6 kernel32!BaseThreadInitThunk+0xe
000ef8e8 7704e489 ntdll!__RtlUserThreadStart+0x23 << Exception Handler is inserted here.
000ef900 00000000 ntdll!_RtlUserThreadStart+0x1b

Secondly, the crashing process itself is responsible for starting the debugger from the RTL exception handler. The debugger is registered under the AeDebug registry key. Even if the exception does unwind to the RTL exception handler, you may still run into trouble: if the computer is low on system resources such as desktop heap, the crashing process may not be able to create a new process, and thus cannot launch the debugger. As Skywing stated, it’s a relatively heavyweight operation. Applications may also call TerminateProcess from within their own code in response to an error condition, which ends the process without any exception being raised for a handler to catch. If a customer sees this symptom on a regular basis, we typically recommend attaching a debugger ahead of time to monitor the process. Simply run ADPLUS -crash -p (PROCESSID).
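As an added check that is not part of the original post, the PowerShell script below audits the AeDebug configuration a crashing process consults when its RTL exception handler tries to launch the JIT debugger. The full key paths and the Debugger and Auto value names are the documented Windows locations rather than something the post states, and the script assumes it runs on Windows with read access to HKLM.

```powershell
# Added example (not from the original post): audit the AeDebug JIT-debugger
# configuration. A missing or broken entry here means the crashing process has
# nothing to launch even when its RTL exception handler does run.
# Key paths and value names (Debugger, Auto) are the documented Windows
# locations; the WOW6432Node key covers 32-bit processes on 64-bit Windows.
$aeDebugKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
)

function Test-AeDebugConfig {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) {
        return [pscustomobject]@{ Key = $KeyPath; Status = 'key missing'; Debugger = $null; Auto = $null }
    }
    $props    = Get-ItemProperty -Path $KeyPath
    $debugger = $props.Debugger   # command line, e.g. "C:\...\cdb.exe" -p %ld -e %ld -g
    $auto     = $props.Auto       # '1' launches the debugger without prompting

    # Extract the executable token from the command line so we can confirm
    # the debugger binary actually exists on disk (quoted or unquoted path).
    $exe = $null
    if ($debugger) {
        $exe = if ($debugger.StartsWith('"')) { $debugger.Split('"')[1] }
               else                           { $debugger.Split(' ')[0] }
    }

    $status = if (-not $debugger)                          { 'no Debugger value' }
              elseif (-not $exe -or -not (Test-Path $exe)) { "debugger executable not found: $exe" }
              elseif ($auto -ne '1')                       { 'configured, but Auto is not 1 (user is prompted first)' }
              else                                         { 'ok' }

    [pscustomobject]@{ Key = $KeyPath; Status = $status; Debugger = $debugger; Auto = $auto }
}

$aeDebugKeys | ForEach-Object { Test-AeDebugConfig -KeyPath $_ } | Format-List
```

If both keys report ok and a process still vanishes silently, the cause is one of the other two discussed above (a broken handler chain or a deliberate TerminateProcess), which is exactly the case where attaching ADPlus ahead of time is the practical answer.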

Good work folks! We’ll have another puzzler ready next Monday.

Good luck and happy debugging!

- Jeff