Using Time Travel Debugging with WinDbgX, how to start it even elevated?

-1

With WinDbg Preview (aka WinDbgX) -- i.e. the store app -- we have the option of using Time Travel Debugging (TTD). I have used the corresponding feature in GDB on Linux before and only tried the walkthrough once on an older Windows 10 point release.

Now I was trying to do it on Windows 10 20H2 (latest patches applied), and of course it requires elevation. However, for the life of me I cannot figure out how to start it elevated for the purpose of using TTD.

When I try I get the following error:

---------------------------
Fatal error
---------------------------
WindowsDebugger.WindowsDebuggerException: Could not load dbghelp.dll from C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2103.1004.0_neutral__8wekyb3d8bbwe\amd64 : System.ComponentModel.Win32Exception (0x80004005): Access is denied

   at DbgX.DbgEngModule.LoadLibraryFromDirectory(String directory, String library)

   at DbgX.DbgEngModule.LoadDbgEngModule()

   at DbgX.EngineThread.ThreadProc()
---------------------------
OK   
---------------------------

... which "sort of" makes sense because C:\Program Files\WindowsApps has restrictive ACLs set. However, I am a member of the local administrators group, so I would have expected that to work.

How can I fix this issue, so that I am able to use TTD on Windows 10 20H2?


For anyone else encountering this issue, there is a workaround which - however - undermines the whole idea of app containers (but it works). If you use a tool such as psexec to start a command prompt as nt authority\system, you can copy the WinDbgX subdirectory from underneath C:\Program Files\WindowsApps to another location, adjust its ACLs and run it from the new location (elevation works just like for any desktop app then, launching DbgX.Shell.exe).

windows-10
windbg
asked on Stack Overflow Apr 15, 2021 by 0xC0000022L

1 Answer

0

This used to work; I haven't tried TTD lately:

hit Windows key + S
type windbg preview
right-click, Run as administrator


Edit:

You can also try using runas /user:{machine}\Administrator windbgx as below.


You can read some gory details about the reparse points and the addition of these execution alias paths to %userpath% here.

Sample code to dump a reparse point using DeviceIoControl() follows.
You can also use fsutil reparsepoint query <filename> to get this data.

main()

#include <windows.h>
#include <stdio.h>

void hexdump(unsigned char *buff, int size);

int main(int argc, char *argv[])
{
    if (argc == 2)
    {
        DWORD attrs = GetFileAttributesA(argv[1]);
        /* INVALID_FILE_ATTRIBUTES is all ones, so check for it before testing the bit */
        if (attrs != INVALID_FILE_ATTRIBUTES && (attrs & FILE_ATTRIBUTE_REPARSE_POINT))
        {
            /* FILE_FLAG_OPEN_REPARSE_POINT opens the alias itself rather than following it */
            HANDLE hFile = CreateFileA(argv[1], GENERIC_READ, 0, NULL, OPEN_EXISTING,
                 FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OPEN_REPARSE_POINT, NULL);
            if (hFile != INVALID_HANDLE_VALUE)
            {
                printf("opened the reparse point %p\n", hFile);
                /* largest buffer the filesystem will ever hand back for a reparse point */
                unsigned char reparsebuff[MAXIMUM_REPARSE_DATA_BUFFER_SIZE] = {0};
                DWORD bytesreturned = 0;
                /* FSCTL_GET_REPARSE_POINT returns the raw REPARSE_DATA_BUFFER: tag, length, data */
                BOOL dcret = DeviceIoControl(hFile, FSCTL_GET_REPARSE_POINT, NULL, 0,
                                             reparsebuff, sizeof(reparsebuff), &bytesreturned, NULL);
                if (dcret)
                {
                    printf("returned %lx bytes\n", bytesreturned); /* byte count printed in hex */
                    hexdump(reparsebuff, (int)bytesreturned);
                }
                else
                {
                    printf("DeviceIoControl failed: %lu\n", GetLastError());
                }
                CloseHandle(hFile);
            }
            else
            {
                printf("CreateFile failed: %lu\n", GetLastError());
            }
        }
        else
        {
            printf("%s is not a reparse point\n", argv[1]);
        }
        return 0;
    }
    printf("usage %s <path to a reparse file like windbgx.exe>\n", argv[0]);
    return 0;
}

hexdump()

void hexdump(unsigned char *buff, int size)
{
    int j = 0;
    while (j < size)
    {
        /* hex column; pad past 'size' instead of reading beyond the returned data */
        for (int i = j; i < j + 16; i++)
        {
            if (i < size)
                printf("%02x ", buff[i]);
            else
                printf("   ");
        }
        printf("\t");
        /* printable ASCII column; non-printable bytes shown as '.' */
        for (int i = j; i < j + 16 && i < size; i++)
        {
            if (buff[i] < 32 || buff[i] > 126)
                printf(". ");
            else
                printf("%c ", buff[i]);
        }
        printf("\n");
        j = j + 16;
    }
}

Compiled, linked and executed with VS2017 Community:

:\>cl /Zi /analyze /W4 /EHsc /Od /nologo reparsedumper.cpp /link /release
reparsedumper.cpp

:\>reparsedumper.exe
usage reparsedumper.exe <path to a reparse file like windbgx.exe>
:\>reparsedumper.exe "c:\Users\xxxxx\AppData\Local\Microsoft\WindowsApps\WinDbgX.exe"
opened the reparse point 00000000000000A8
returned 172 bytes
1b 00 00 80 6a 01 00 00 03 00 00 00 4d 00 69 00         . . . . j . . . . . . . M . i .
63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00         c . r . o . s . o . f . t . . .
57 00 69 00 6e 00 44 00 62 00 67 00 5f 00 38 00         W . i . n . D . b . g . _ . 8 .
77 00 65 00 6b 00 79 00 62 00 33 00 64 00 38 00         w . e . k . y . b . 3 . d . 8 .
62 00 62 00 77 00 65 00 00 00 4d 00 69 00 63 00         b . b . w . e . . . M . i . c .
72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 57 00         r . o . s . o . f . t . . . W . 
69 00 6e 00 44 00 62 00 67 00 5f 00 38 00 77 00         i . n . D . b . g . _ . 8 . w .
65 00 6b 00 79 00 62 00 33 00 64 00 38 00 62 00         e . k . y . b . 3 . d . 8 . b .
62 00 77 00 65 00 21 00 4d 00 69 00 63 00 72 00         b . w . e . ! . M . i . c . r . 
6f 00 73 00 6f 00 66 00 74 00 2e 00 57 00 69 00         o . s . o . f . t . . . W . i .
6e 00 44 00 62 00 67 00 00 00 43 00 3a 00 5c 00         n . D . b . g . . . C . : . \ .
50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00         P . r . o . g . r . a . m .   .
46 00 69 00 6c 00 65 00 73 00 5c 00 57 00 69 00         F . i . l . e . s . \ . W . i .
6e 00 64 00 6f 00 77 00 73 00 41 00 70 00 70 00         n . d . o . w . s . A . p . p .
73 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00         s . \ . M . i . c . r . o . s .
6f 00 66 00 74 00 2e 00 57 00 69 00 6e 00 44 00         o . f . t . . . W . i . n . D .
62 00 67 00 5f 00 31 00 2e 00 32 00 30 00 30 00         b . g . _ . 1 . . . 2 . 0 . 0 .
37 00 2e 00 36 00 30 00 30 00 31 00 2e 00 30 00         7 . . . 6 . 0 . 0 . 1 . . . 0 .
5f 00 6e 00 65 00 75 00 74 00 72 00 61 00 6c 00         _ . n . e . u . t . r . a . l .
5f 00 5f 00 38 00 77 00 65 00 6b 00 79 00 62 00         _ . _ . 8 . w . e . k . y . b .
33 00 64 00 38 00 62 00 62 00 77 00 65 00 5c 00         3 . d . 8 . b . b . w . e . \ .
44 00 62 00 67 00 58 00 2e 00 53 00 68 00 65 00         D . b . g . X . . . S . h . e .
6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 30 00         l . l . . . e . x . e . . . 0 .
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         . . . . . . . . . . . . . . . .

:\>
answered on Stack Overflow Apr 15, 2021 by blabb • edited Apr 16, 2021 by blabb
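As an added example (my code, not blabb's answer and not part of the original page): a portable parser for the bytes the dumper above prints. The dump is a REPARSE_DATA_BUFFER whose tag 0x8000001B (IO_REPARSE_TAG_APPEXECLINK) is visible in its first four bytes (1b 00 00 80), followed by a 2-byte ReparseDataLength (6a 01 = 0x16a, i.e. 362 bytes after the 8-byte header, matching the 0x172 bytes returned), 2 reserved bytes, a 4-byte version (3) and NUL-terminated UTF-16LE strings. The names I give the four strings (package family name, application user model ID, target path, application type) are my reading of the layout, not a documented structure. The third string is where the alias really points, the DbgX.Shell.exe under the ACL-restricted WindowsApps directory the question's error message complains about. Since the code does not call DeviceIoControl, build_appexeclink reconstructs the page's buffer from the strings visible in the dump (constructed input) so the parser can be exercised on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag in the first four bytes of the dump (1b 00 00 80, little-endian). */
#define IO_REPARSE_TAG_APPEXECLINK 0x8000001Bu
#define APPEXECLINK_VERSION 3u
#define MAX_FIELD 260

/* Decoded AppExecLink. Field names are my reading of the four strings,
   in the order they occur in the dump (assumption, not a documented API). */
struct appexeclink {
    uint32_t tag;
    uint16_t data_length;              /* ReparseDataLength: bytes after the 8-byte header */
    uint32_t version;
    char package_family[MAX_FIELD];    /* e.g. Microsoft.WinDbg_8wekyb3d8bbwe */
    char app_user_model_id[MAX_FIELD]; /* e.g. Microsoft.WinDbg_8wekyb3d8bbwe!Microsoft.WinDbg */
    char target_path[MAX_FIELD];       /* the real DbgX.Shell.exe under WindowsApps */
    char app_type[MAX_FIELD];          /* "0" in the dump */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read one NUL-terminated UTF-16LE string at *off (narrowed to ASCII, anything
   else becomes '?') and advance past the terminator. -1 if it runs off 'end'. */
static int read_utf16z(const uint8_t *buf, size_t end, size_t *off, char *out, size_t outsz)
{
    size_t n = 0;
    for (;;) {
        if (*off + 2 > end) return -1;      /* unterminated string */
        uint16_t cu = rd16(buf + *off);
        *off += 2;
        if (cu == 0) break;
        if (n + 1 >= outsz) return -1;      /* would overflow out */
        out[n++] = cu < 0x80 ? (char)cu : '?';
    }
    out[n] = '\0';
    return 0;
}

/* Parse a REPARSE_DATA_BUFFER as FSCTL_GET_REPARSE_POINT returns it. 'len' is
   the byte count actually received (bytesreturned in the dumper above) and is
   trusted over the length field inside the buffer. Returns 0 on success. */
int parse_appexeclink(const uint8_t *buf, size_t len, struct appexeclink *out)
{
    memset(out, 0, sizeof *out);
    if (len < 12) return -1;                /* header + version */
    out->tag = rd32(buf);
    out->data_length = rd16(buf + 4);       /* bytes 6-7 are Reserved */
    if (out->tag != IO_REPARSE_TAG_APPEXECLINK) return -1;
    size_t end = (size_t)out->data_length + 8;
    if (end > len) return -1;               /* header claims more than we got */
    out->version = rd32(buf + 8);
    if (out->version != APPEXECLINK_VERSION) return -1;
    size_t off = 12;
    if (read_utf16z(buf, end, &off, out->package_family, MAX_FIELD) ||
        read_utf16z(buf, end, &off, out->app_user_model_id, MAX_FIELD) ||
        read_utf16z(buf, end, &off, out->target_path, MAX_FIELD) ||
        read_utf16z(buf, end, &off, out->app_type, MAX_FIELD))
        return -1;
    return 0;
}

/* Encode four ASCII strings into the same layout (constructed test input).
   Returns total bytes written, or 0 if 'cap' is too small. */
size_t build_appexeclink(uint8_t *buf, size_t cap, const char *const fields[4])
{
    size_t off = 12;
    for (int i = 0; i < 4; i++) {
        const char *s = fields[i];
        do {                                /* copies the terminating NUL too */
            if (off + 2 > cap) return 0;
            buf[off++] = (uint8_t)*s;
            buf[off++] = 0;
        } while (*s++ != '\0');
    }
    uint16_t dl = (uint16_t)(off - 8);
    buf[0] = 0x1b; buf[1] = 0x00; buf[2] = 0x00; buf[3] = 0x80;   /* tag */
    buf[4] = (uint8_t)dl; buf[5] = (uint8_t)(dl >> 8);           /* ReparseDataLength */
    buf[6] = 0; buf[7] = 0;                                       /* Reserved */
    buf[8] = 3; buf[9] = 0; buf[10] = 0; buf[11] = 0;             /* version */
    return off;
}

/* The four strings visible in the WinDbgX.exe dump above (constructed from it). */
const char *const windbgx_fields[4] = {
    "Microsoft.WinDbg_8wekyb3d8bbwe",
    "Microsoft.WinDbg_8wekyb3d8bbwe!Microsoft.WinDbg",
    "C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_1.2007.6001.0_neutral__8wekyb3d8bbwe\\DbgX.Shell.exe",
    "0",
};

int main(void)
{
    uint8_t buf[512];
    size_t n = build_appexeclink(buf, sizeof buf, windbgx_fields);
    struct appexeclink a;
    if (parse_appexeclink(buf, n, &a) != 0) { puts("parse failed"); return 1; }
    printf("%zu bytes, tag 0x%08x, version %u\n", n, a.tag, a.version);
    printf("package family: %s\napp id: %s\ntarget: %s\napp type: %s\n",
           a.package_family, a.app_user_model_id, a.target_path, a.app_type);
    return 0;
}
```

On Windows the same parse_appexeclink can be fed reparsebuff and bytesreturned straight from the DeviceIoControl call in the dumper; the length check against the received byte count is there because the length field inside the buffer is data read from disk, not something to index by blindly.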

User contributions licensed under CC BY-SA 3.0