With WinDbg Preview (aka WinDbgX) -- i.e. the store app -- we have the option of using Time Travel Debugging (TTD). I have used the corresponding feature in GDB on Linux before and only tried the walkthrough once on an older Windows 10 point release.
Now I was trying to do it on Windows 10 20H2 (latest patches applied), and of course it requires elevation. However, for the life of me I cannot figure out how to start it elevated for the purpose of using TTD.
When I try I get the following error:
---------------------------
Fatal error
---------------------------
WindowsDebugger.WindowsDebuggerException: Could not load dbghelp.dll from C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2103.1004.0_neutral__8wekyb3d8bbwe\amd64 : System.ComponentModel.Win32Exception (0x80004005): Access is denied
at DbgX.DbgEngModule.LoadLibraryFromDirectory(String directory, String library)
at DbgX.DbgEngModule.LoadDbgEngModule()
at DbgX.EngineThread.ThreadProc()
---------------------------
OK
---------------------------
... which "sort of" makes sense because C:\Program Files\WindowsApps has restrictive ACLs set. However, I am a member of the local administrators group, so I would have expected that to work.
How can I fix this issue, so that I am able to use TTD on Windows 10 20H2?
For anyone else encountering this issue, there is a workaround which - however - undermines the whole idea of app containers (but it works). If you use a tool such as psexec to start a command prompt as nt authority\system, you can copy the WinDbgX subdirectory from underneath C:\Program Files\WindowsApps to another location, adjust its ACLs and run it from the new location (elevation works just like for any desktop app then, launching DbgX.Shell.exe).
This used to work; I haven't tried TTD lately:
hit Windows key + S
type windbg preview
right click, Run as administrator
edit
You can also try using runas /user:{machine}\Administrator windbgx as below.
You can read some gory details about the reparse points and the addition of these ExecutionAlias paths in %userpath% here.
A sample code to dump the reparse points using DeviceIoControl():
You can also use fsutil reparsepoint query filename to get this data.
main()
#include <windows.h>
#include <stdio.h>

void hexdump(unsigned char *buff, int size);

int main(int argc, char *argv[])
{
    if (argc == 2)
    {
        DWORD attrs = GetFileAttributesA(argv[1]);
        if (attrs != INVALID_FILE_ATTRIBUTES && (attrs & FILE_ATTRIBUTE_REPARSE_POINT))
        {
            /* FILE_FLAG_OPEN_REPARSE_POINT opens the reparse point itself instead of following it */
            HANDLE hFile = CreateFileA(argv[1], GENERIC_READ, 0, NULL, OPEN_EXISTING,
                                       FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OPEN_REPARSE_POINT, NULL);
            if (hFile != INVALID_HANDLE_VALUE)
            {
                printf("opened the reparse point %p\n", hFile);
                /* MAXIMUM_REPARSE_DATA_BUFFER_SIZE (16 KiB) is the largest buffer the FSCTL can fill */
                unsigned char reparsebuff[MAXIMUM_REPARSE_DATA_BUFFER_SIZE] = {0};
                DWORD bytesreturned = 0;
                BOOL dcret = DeviceIoControl(hFile, FSCTL_GET_REPARSE_POINT, NULL, 0,
                                             reparsebuff, sizeof(reparsebuff), &bytesreturned, NULL);
                if (dcret)
                {
                    printf("returned %lx bytes\n", bytesreturned);
                    hexdump(reparsebuff, (int)bytesreturned);
                }
                else
                {
                    printf("DeviceIoControl failed, error %lu\n", GetLastError());
                }
                CloseHandle(hFile);
            }
            else
            {
                printf("CreateFile failed, error %lu\n", GetLastError());
            }
        }
        return 0;
    }
    printf("usage %s <path to a reparse file like windbgx.exe>", argv[0]);
    ExitProcess(0);
}
hexdump()
void hexdump(unsigned char *buff, int size)
{
    int j = 0;
    while (j < size)
    {
        /* hex column; pad a short final row so the ASCII column stays aligned */
        for (int i = j; i < j + 16; i++)
        {
            if (i < size)
                printf("%02x ", buff[i]);
            else
                printf("   ");
        }
        printf("\t");
        /* ASCII column; stay within the bytes actually returned */
        for (int i = j; i < j + 16 && i < size; i++)
        {
            if (buff[i] < 32 || buff[i] > 126)
                printf(". ");
            else
                printf("%c ", buff[i]);
        }
        printf("\n");
        j = j + 16;
    }
}
Compiled, linked and executed with VS2017 Community:
:\>cl /Zi /analyze /W4 /EHsc /Od /nologo reparsedumper.cpp /link /release
reparsedumper.cpp
:\>reparsedumper.exe
usage reparsedumper.exe <path to a reparse file like windbgx.exe>
:\>reparsedumper.exe "c:\Users\xxxxx\AppData\Local\Microsoft\WindowsApps\WinDbgX.exe"
opened the reparse point 00000000000000A8
returned 172 bytes
1b 00 00 80 6a 01 00 00 03 00 00 00 4d 00 69 00 . . . . j . . . . . . . M . i .
63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 c . r . o . s . o . f . t . . .
57 00 69 00 6e 00 44 00 62 00 67 00 5f 00 38 00 W . i . n . D . b . g . _ . 8 .
77 00 65 00 6b 00 79 00 62 00 33 00 64 00 38 00 w . e . k . y . b . 3 . d . 8 .
62 00 62 00 77 00 65 00 00 00 4d 00 69 00 63 00 b . b . w . e . . . M . i . c .
72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 57 00 r . o . s . o . f . t . . . W .
69 00 6e 00 44 00 62 00 67 00 5f 00 38 00 77 00 i . n . D . b . g . _ . 8 . w .
65 00 6b 00 79 00 62 00 33 00 64 00 38 00 62 00 e . k . y . b . 3 . d . 8 . b .
62 00 77 00 65 00 21 00 4d 00 69 00 63 00 72 00 b . w . e . ! . M . i . c . r .
6f 00 73 00 6f 00 66 00 74 00 2e 00 57 00 69 00 o . s . o . f . t . . . W . i .
6e 00 44 00 62 00 67 00 00 00 43 00 3a 00 5c 00 n . D . b . g . . . C . : . \ .
50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 P . r . o . g . r . a . m . .
46 00 69 00 6c 00 65 00 73 00 5c 00 57 00 69 00 F . i . l . e . s . \ . W . i .
6e 00 64 00 6f 00 77 00 73 00 41 00 70 00 70 00 n . d . o . w . s . A . p . p .
73 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 s . \ . M . i . c . r . o . s .
6f 00 66 00 74 00 2e 00 57 00 69 00 6e 00 44 00 o . f . t . . . W . i . n . D .
62 00 67 00 5f 00 31 00 2e 00 32 00 30 00 30 00 b . g . _ . 1 . . . 2 . 0 . 0 .
37 00 2e 00 36 00 30 00 30 00 31 00 2e 00 30 00 7 . . . 6 . 0 . 0 . 1 . . . 0 .
5f 00 6e 00 65 00 75 00 74 00 72 00 61 00 6c 00 _ . n . e . u . t . r . a . l .
5f 00 5f 00 38 00 77 00 65 00 6b 00 79 00 62 00 _ . _ . 8 . w . e . k . y . b .
33 00 64 00 38 00 62 00 62 00 77 00 65 00 5c 00 3 . d . 8 . b . b . w . e . \ .
44 00 62 00 67 00 58 00 2e 00 53 00 68 00 65 00 D . b . g . X . . . S . h . e .
6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 30 00 l . l . . . e . x . e . . . 0 .
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . . . . . . . . . . . . . . . .
:\>
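The bytes dumped above are an app execution alias (tag 0x8000001B, IO_REPARSE_TAG_APPEXECLINK): an 8-byte REPARSE_DATA_BUFFER header, a u32 version (3 here), then NUL-terminated UTF-16LE strings. The parser below is an added example, not part of the original answer: it reconstructs that buffer from the strings visible in the hexdump and parses it, bounding every read by ReparseDataLength. The layout is undocumented, so the field names package_id, entry_point, executable and app_type are an assumed convention.

```python
import struct

# Reparse tag of an app execution alias; it is the leading "1b 00 00 80" in the dump above.
IO_REPARSE_TAG_APPEXECLINK = 0x8000001B

# Strings read off the page's hexdump; used to construct a test buffer so this runs offline.
SAMPLE_STRINGS = [
    "Microsoft.WinDbg_8wekyb3d8bbwe",
    "Microsoft.WinDbg_8wekyb3d8bbwe!Microsoft.WinDbg",
    r"C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2007.6001.0_neutral__8wekyb3d8bbwe\DbgX.Shell.exe",
    "0",
]
# The layout is undocumented; these field names for the version-3 body are an assumption.
FIELD_NAMES = ("package_id", "entry_point", "executable", "app_type")


def build_appexeclink(strings, version=3):
    """Construct a REPARSE_DATA_BUFFER for an AppExecLink: 8-byte header (tag, data length,
    reserved), u32 version, then NUL-terminated UTF-16LE strings. Constructed test input;
    on Windows the bytes come from DeviceIoControl(FSCTL_GET_REPARSE_POINT) as above."""
    body = struct.pack("<I", version)
    body += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return struct.pack("<IHH", IO_REPARSE_TAG_APPEXECLINK, len(body), 0) + body


def parse_reparse_buffer(buf):
    """Parse the generic header, then the AppExecLink body when the tag matches."""
    if len(buf) < 8:
        raise ValueError("buffer shorter than the REPARSE_DATA_BUFFER header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if 8 + data_len > len(buf):
        raise ValueError("ReparseDataLength exceeds the bytes returned")
    data = buf[8:8 + data_len]  # bound by ReparseDataLength, not by the caller's buffer size
    if tag != IO_REPARSE_TAG_APPEXECLINK or len(data) < 4:
        return {"tag": tag, "data": data}
    version, = struct.unpack_from("<I", data, 0)
    strings, pos = [], 4
    while pos + 2 <= len(data):
        end = pos
        # scan on 2-byte boundaries so a 0x00 low byte is never mistaken for a terminator
        while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        strings.append(data[pos:end].decode("utf-16-le"))
        pos = end + 2
    return {"tag": tag, "version": version, "strings": strings, **dict(zip(FIELD_NAMES, strings))}
```

The constructed buffer is 0x172 bytes with ReparseDataLength 0x16a, the same header values the C program printed, and parsing stops there even when trailing zero padding is appended, as with the program's larger buffer.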
User contributions licensed under CC BY-SA 3.0