Menu
I'm trying to troubleshoot slow startup of a third-party binary (no source). It is a 32-bit application running on 64-bit Windows 7.
I've used a debugger to break into the application while it's hung with 0% CPU usage during startup, and it appears to be waiting for ReadFile to return. The first argument to ReadFile is the handle value, 000000f0. windbg's !handle command tells me:
Handle f0 Type File Attributes 0 GrantedAccess 0x120189: ReadControl,Synch Read/List,ReadEA,ReadAttr,WriteAttr HandleCount 2 PointerCount 4 No Object Specific Information available
I want to know what device this corresponds to. But Sysinternals Process Explorer doesn't include this handle in its list of process handles.
I've used windbg to trace all calls to ntdll!NtCreateFile and printed the path and returned handle: This handle is not among them. Breakpoints on kernel32!CreateNamedPipeW, kernel32!CallNamedPipeW, and kernel32!WaitNamedPipeW are never triggered (which is odd because Process Explorer did show another handle with path \Device\NamedPipe\).
For reference, here is the command to trace NtCreateFile (akak ZwCreateFile) on Windows x64:
bp ntdll!NtCreateFile "!ustr poi(@r8+10) ; r $t0 = @rcx ; gu ; dd @$t0 L1 ; gc"
Thanks to Skywing for pointing me in the right direction on that.
Where else can a HANDLE of type File come from? Don't the other HANDLE creation functions delegate to NtCreateFile for the actual syscall (I guess not)?
740
It looks like you can only get the file handle information when doing a kernel debug. So there are 3 options.
87
Handles can be inherited and can also be created by DuplicateHandle(). You can try to calling GetFileInformationByHandleEx on the handle and query for FileNameInfo.
27
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
