Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using gflags "Show loader snaps" with Visual Studio

Tags:

visual-studio

debugging

dll

windbg

gflags

I'm trying to set "Show Loader Snaps" system wide in order to see verbose logs when dll's are loading, but I don't see any additional logs in the Output Console.

'WindowsProject1.exe' (Win32): Unloaded 'C:\Windows\System32\rpcrt4.dll'
'WindowsProject1.exe' (Win32): Unloaded 'C:\Windows\System32\oleaut32.dll'

This is how I setup the option: enter image description here

Is this enough? There is the same option under the "Kernel Flags" but, in that tab, the option cannot be saved.(Though I have admin rights when running gflags).

Is there a way to check that loader snaps are enabled? What could be wrong?

like image 458
yonutix Avatar asked Mar 07 '26 19:03

yonutix

1 Answers

There's no mechanism that provides a log of system-wide DLL loader snaps.

"Show Loader Snaps" when applied system-wide only outputs something for kernel driver loading and unloading. (source)

For system-wide (registry or kernel flag), this flag displays information about driver loading and unloading operations.

Thus, you would need a kernel debugger attached to the system to see driver loading and unloading, but it won't work for DLLs.

On the other hand it works per-process:

For per-process (image file), this flag displays information about loading and unloading of DLLs.

As said in the documentation, it works for a single process. In gflags:

  • Go to the "image file" tab and enter the name of the executable (not a full path, just the name of the executable, e.g. foo.exe).

  • Press the tab key.

  • Check the "show loader snaps" checkbox.

  • Start the process with a debugger.

Concerning Visual Studio, you'll see the output in the Output pane:

'Test.exe' (Win32): Loaded 'G:\CPP\Test\x64\Debug\Test.exe'. Symbols loaded.
'Test.exe' (Win32): Loaded 'C:\Windows\System32\ntdll.dll'. Symbols loaded.
23ac:01f4 @ 610683718 - LdrpInitializeProcess - INFO: Beginning execution of Test.exe (G:\CPP\Test\x64\Debug\Test.exe)
    Current directory: G:\CPP\Test\
    Package directories: (null)
23ac:01f4 @ 610683718 - LdrLoadDll - ENTER: DLL name: KERNEL32.DLL
23ac:01f4 @ 610683718 - LdrpLoadDllInternal - ENTER: DLL name: KERNEL32.DLL
23ac:01f4 @ 610683718 - LdrpFindKnownDll - ENTER: DLL name: KERNEL32.DLL
23ac:01f4 @ 610683718 - LdrpFindKnownDll - RETURN: Status: 0x00000000
23ac:01f4 @ 610683718 - LdrpMinimalMapModule - ENTER: DLL name: C:\WINDOWS\System32\KERNEL32.DLL
'Test.exe' (Win32): Loaded 'C:\Windows\System32\kernel32.dll'. Symbols loaded.
23ac:01f4 @ 610683781 - LdrpMinimalMapModule - RETURN: Status: 0x00000000
23ac:01f4 @ 610683781 - LdrpPreprocessDllName - INFO: DLL api-ms-win-core-rtlsupport-l1-1-0.dll was redirected to C:\WINDOWS\SYSTEM32\ntdll.dll by API set
23ac:01f4 @ 610683781 - LdrpFindKnownDll - ENTER: DLL name: KERNELBASE.dll
23ac:01f4 @ 610683781 - LdrpFindKnownDll - RETURN: Status: 0x00000000
23ac:01f4 @ 610683781 - LdrpMinimalMapModule - ENTER: DLL name: C:\WINDOWS\System32\KERNELBASE.dll
'Test.exe' (Win32): Loaded 'C:\Windows\System32\KernelBase.dll'. Symbols loaded.
...
like image 101
Neitsa Avatar answered Mar 09 '26 16:03

Neitsa
Sign in to Comment

Related questions

Better way to access break-on-exception filter when debugging in Visual Studio?
.DLL comments included in the .XML
Taking a Projects Development to the Next Level [closed]
How to clone a specific branch from new git Visual Studio 2019 (not from command)?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!