You need to know JIT Debugging

If you do not know what is the dump file, you do not know when to dump files, please refer to the dump file first article in the series - dump file Know .

Foreword

I you need to know to crawl dump N kinds of tools  tools this article, to introduce the use of simple tools and can fetch several dump files. I do not know if you remember, with administrator privileges to run procdump -ican register procdumpfor postmortem debugger. Do you understand the implementation principle? Today, let us together to uncover its mystery.

Promise

JIT Debugger, Just In Time Debugger, JIT 调试器, Postmortem Debugger, 事后调试器, I refer to the same concept - a postmortem debugger . If Debuggerreplaced Debugging, express postmortem debugging . I sometimes say JIT 调试器, sometimes say 事后调试器that we should not be confused by the wording of my confusion.

Principle inquiry

Running process monitor, open the monitor. Then with administrator privileges to perform procdump.exe -i, successfully, to stop monitoring. In order to facilitate everyone, I deliberately recorded the whole process, the junior partner interested can point to open to see, but I suggest that you personally get real about it, after all 纸上来的终觉浅， 绝知此事要躬行.

Inquiry process procdump installed as JIT debugger

If you did not watch the video, you can reference a direct result of my shots after filtration (reservation Resultis Successthe 注册表 写event, excluding non-registry related events):

I highlighted in yellow and the red procdumpregistry key operations. What conclusions do you draw from the figure?

• procdumpIt will also write HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebugand HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebugregistry entries.

  I believe there is little experience in the development of partnerships child know that in 64the next bit systems, some registry keys have two sets: a set is available 64(yellow highlights) bit process used is for a set 32(highlighted in red bits used by the process part with Wow6432Node).

• If AeDebugunder the AutoChild and Debuggerchild has a value, procdumpit will be back up, and then modify. (Execution procdump -utime will restore the original system settings)

• AutoAnd Debuggerdata types are REG_SZ. (Although we have seen Autothe value is 1)

• I guess, 32bit process crashes when the band will use Wow6432Nodethe registry key, 64bit process crashes when use without a Wow6432Noderegistry key. Is it really? Do you know how to verify it? I believe you will be able to come up with clever ways to verify.

In fact, these conclusions in procdump -ithe output of the results has been given a prompt (in addition to the backup operation). Note that the yellow and red part highlighted in the figures look.

procdump-i

Tips:

Some antivirus software can protect this registry key, if you set fails, check whether it is caused by antivirus software.

So far, we know that procdumpby setting AeDebugin Autoand Debuggerrealization of children JIT Debugging. So these two have what use is it?

AeDebug inquiry

Use googlethe search AeDebug, the search to Microsoft's official description ^[1] , are interested in small partner must be read, a lot of valuable information.

• AutoItem: Specifies whether to display an error message box to the user, if the value "0", message box is displayed. For the "1"prompt box is not displayed, direct registration of additional postmortem debugger to a target process.

• DebuggerItem: Specifies the postmortem debugger path, and afterwards the parameters passed to the debugger. We found that procdump -ithe parameter setting is -accepteula -j "E:\dumps" %ld %ld %p. among them:

• -accepteula Accepted the user agreement.

• -jIt represents a parameter pointing JIT_DEBUG_INFOpointers (parent passed %pthe corresponding content).

• "E:\dumps"Expressed saved file path (if running procdump -itime, there is no path to save the dump file is specified, the default will take the current path).

• The first %ldtarget process of representation ID.

• The second %ldrepresents the event handler. This event handler is WERcopied to the post-debugger. If the postmortem debugger activate the event (by SetEvent()post), WERwe will continue to target process execution, without waiting for postmortem debugger is terminated. If the postmortem debugger is terminated without activating the event, WERwe will continue to gather information about the target process.

• %pTo the target process space JIT_DEBUG_INFOstructure pointer. It contains an exception sources and contextual information related exceptions.

If the dump file is saved in JIT_DEBUG_INFO, use windbgdebugging, you can .jdinfo addressview information when an exception occurs. For example, the use of windbgopen procdumpsaved the dump file, you should see the following prompt.

procdump 在转储文件中添加的注释

我们可以根据提示，输入.jdinfo 0x1afd59e0000 来查看异常来源及上下文信息。

jdinfo 结果

说明：

在运行 procdump -i 的时候，如果没有指定转储选项，会默认使用 -mm 选项。该选项只包含 Process, Thread, Module, Handle and Address Space info. 信息，不会包含 %p 对应的内存数据。如果我们在调试 使用 -mm 选项保存的转储文件的时候执行 .jdinfo address，会得到如下错误：Unable to process JIT_DEBUG_INFO, Win32 error 0n30

我们可以简单的通过指定 -ma 或 -mp来生成包含内存数据的转储文件，这样我们在调试器里执行 .jdinfo address的时候就不会报错了。

据我观察，对于 procdump 来说 -j和 %p 选项需要同时传递，缺一不可。

排除进程

如果我们真的不想让某些进程出现未处理异常的时候中断到 JIT 调试器中，有没有办法呢？从 vista 开始，我们可以显示排除某些进程，不让这些进程在出现未处理异常的时候中断到 JIT 调试器中。对应的注册表项如下：

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList

下面是我机器上的该注册表项的值：

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList]
"DWM.exe"=dword:00000001
"demo.exe"=dword:00000001

上面的 demo.exe 是我为了测试手动添加的，而 DWM.exe 是系统添加的。windows 为什么要默认把 DWM.exe 添加到排除列表呢？我也不太清楚，不过我在 Excluding an Application from Automatic Debugging^[2] 看到这样一句话：

By default, the Desktop Window Manager (Dwm.exe) is excluded from automatic debugging because otherwise a system deadlock can occur if Dwm.exe stops responding (the user cannot see the interface displayed by the debugger because Dwm.exe isn't responding, and Dwm.exe cannot terminate because it is held by the debugger).

我想这就是 DWM.exe 会被排除的原因吧。

如果想通过代码的形式实现，除了直接操作注册表外，还可以通过 WerAddExcludedApplication() 来实现，对应的，可以通过 WerRemoveExcludedApplication() 来删除 。这两个函数的原型摘录如下：

HRESULT WerAddExcludedApplication(
  PCWSTR pwzExeName,
  BOOL   bAllUsers
);

HRESULT WerRemoveExcludedApplication(
  PCWSTR pwzExeName,
  BOOL   bAllUsers
);

第一个参数 pwzExeName 表示要排除的程序，不要带路径，只传递程序名称即可。比如，demo.exe。

第二个参数 bAllUsers 如果是 FALSE 的话，表示仅对当前用户有效，其它用户不受影响，修改的是 HKCU （HKEY_CURRENT_USER）下对应的注册表项。如果为 TRUE 的话，表示对所有用户都生效，修改的是 HKLM （HKEY_LOCAL_MACHINE）下对应的注册表项，为 TRUE 的时候，需要有管理员权限。

注意：

如果你手动调用代码操作注册表的话，务必注意 64 位系统下的注册表重定向问题。相信一定有小伙伴儿和我一样踩过这个坑。

JIT 调试的运作机制

整个运作机制，在张银奎张老师的《软件调试》（第一版）第 12 章：未处理异常和 JIT 调试 中做了非常非常详细的介绍。我就不摘录了，感兴趣的小伙伴一定要好好多读几遍。

AeDebug 中的 Ae 是什么意思？

AeDebug中的 Debug 很好理解，就是调试的意思。那 Ae 代表什么意义呢？有人说 AeDebug 是 Auto Exception Debug 的缩写，听上去挺有道理的。偶然的机会，google 到了 Ramond Chen写的一篇文章 —— What does the “Ae” stand for in AeDebug?^[3]。根据他的说法，Ae 表示 Application Error 的意思。我把原文截取如下，方便大家阅读。

Raymond-Chen-explain-AE

知道 AeDebug 是什么单词的缩写有助于帮助大家记忆，但没必要纠结。

总结

• 一般情况下，修改 HKLM 下的注册表项需要管理员权限。

• 注册为 JIT 调试器，需要管理员权限，因为需要写 HKLM 下的子键。

• procdump 可以通过 -i 选项注册为事后调试器，另外 windbg也可以通过 -I 选项注册为事后调试器。

• AeDebug 注册表项是 JIT 调试的关键，该注册项在 64 位系统下有对 32 位进程和 64 位进程分别有对应的注册表项。其中，带 Wow6432Node 的注册表项是给 32 位目标进程使用的。

• 64位系统下，除了AeDebug有两套，还有很多其它注册表项也有两套。

• 如果确实不希望自己的进程在出现未处理异常时中断到 JIT 调试器中，可以设置注册表进行排除（Vista 及之后的操作系统才支持）。

参考资料

• 《windows sysinternals 实战指南》

• 《软件调试》（第一版）

• Microsoft Document : Enabling Postmortem Debugging^[4]

• Raymond-Chen : What does the “Ae” stand for in AeDebug?^[5]

• Configuring Automatic Debugging^[6]

• WerAddExcludedApplication^[7]

• WerRemoveExcludedApplication^[8]

References:

[1]

微软的官方说明: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-postmortem-debugging

[2]

Excluding an Application from Automatic Debugging: https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging#excluding-an-application-from-automatic-debugging

[3]

What does the “Ae” stand for in AeDebug?: https://devblogs.microsoft.com/oldnewthing/20181017-00/?p=99995

[4]

Microsoft Document : Enabling Postmortem Debugging: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-postmortem-debugging

[5]

Raymond-Chen : What does the “Ae” stand for in AeDebug?: https://devblogs.microsoft.com/oldnewthing/20181017-00/?p=99995

[6]

Configuring Automatic Debugging: https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging#configuring-automatic-debugging-for-application-crashes

[7]

WerAddExcludedApplication: https://docs.microsoft.com/en-us/windows/win32/api/werapi/nf-werapi-weraddexcludedapplication

[8]

WerRemoveExcludedApplication: https://docs.microsoft.com/en-us/windows/win32/api/werapi/nf-werapi-werremoveexcludedapplication

猜你喜欢：

转储文件系列：

转储文件知多少

你需要知道的 N 种抓取 dump 的工具

你生成的转储文件有问题吗？

调试系列：

调试实战——你知道怎么使用DebugView查看调试信息吗？

调试实战——程序CPU占用率飙升，你知道如何快速定位吗？

调试实战——崩溃在ComFriendlyWaitMtaThreadProc

调试实战——使用windbg调试崩溃在ole32!CStdMarshal::DisconnectSrvIPIDs

调试实战——调试PInvoke导致的内存破坏

调试实战——调试excel启动时死锁

调试实战——调试DLL卸载时的死锁

调试实战——调试TerminateThread导致的死锁

排错系列：

排错实战——VS清空最近打开的工程记录

排错实战——拯救加载调试符号失败的IDA

排错实战——你知道拖动窗口时只显示虚框怎么设置吗？

排错实战——解决Tekla通过.tsep安装插件失败的问题

排错实战——使用process explorer替换任务管理器

排错实战——通过对比分析sysinternals事件修复程序功能异常

欢迎留言交流