|
|
Convert user mode handle to event structure?
I have a user mode dump from which I was able to find a questionable handle
to an event and would like to view the event structure itself. Is there any
way in WinDbg to get from this handle to the actual event structure?
The reason I want to do this is because there is a list of 33 event handles
being passed in from Outlook to a ntdll!ZwWaitForMultipleObjects. An
exception is being thrown within this call that says to the effect that
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments
are invalid
I wanted to check the list of event handles to see which one was wonky.
Using !handle <handle> does not reveal anything questionable. It seems to
think that all of the handles are reasonably fit.
|
|
0
|
|
|
|
Reply
|
 Utf
|
12/4/2009 3:52:02 PM |
|
Well the simple thing is to use
!handle <handle number> f
This should display all you need.
--
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
"Richard Lewis Haggard" <RichardLewisHaggard@discussions.microsoft.com>
wrote in message news:8A13ACEB-A4AB-4ED9-9024-DEC313E3BD94@microsoft.com...
>I have a user mode dump from which I was able to find a questionable
>handle
> to an event and would like to view the event structure itself. Is there
> any
> way in WinDbg to get from this handle to the actual event structure?
>
> The reason I want to do this is because there is a list of 33 event
> handles
> being passed in from Outlook to a ntdll!ZwWaitForMultipleObjects. An
> exception is being thrown within this call that says to the effect that
>
> EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments
> are invalid
>
> I wanted to check the list of event handles to see which one was wonky.
> Using !handle <handle> does not reveal anything questionable. It seems to
> think that all of the handles are reasonably fit.
>
> __________ Information from ESET NOD32 Antivirus, version of virus
> signature database 4661 (20091204) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4661 (20091204) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
|
|
|
0
|
|
|
|
Reply
|
Don
|
12/4/2009 3:59:14 PM
|
|
>Is there any way in WinDbg to get from this handle to the actual event
>structure?
User mode dumps don't have kernel mode memory, so you can't get the actual
event object. So, anything you can get from !handle is about it.
> EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments
> are invalid
0x80000003 is also the NTSTATUS code for STATUS_BREAKPOINT.
-scott
--
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
"Richard Lewis Haggard" <RichardLewisHaggard@discussions.microsoft.com>
wrote in message news:8A13ACEB-A4AB-4ED9-9024-DEC313E3BD94@microsoft.com...
>I have a user mode dump from which I was able to find a questionable
>handle
> to an event and would like to view the event structure itself. Is there
> any
> way in WinDbg to get from this handle to the actual event structure?
>
> The reason I want to do this is because there is a list of 33 event
> handles
> being passed in from Outlook to a ntdll!ZwWaitForMultipleObjects. An
> exception is being thrown within this call that says to the effect that
>
> EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments
> are invalid
>
> I wanted to check the list of event handles to see which one was wonky.
> Using !handle <handle> does not reveal anything questionable. It seems to
> think that all of the handles are reasonably fit.
|
|
|
0
|
|
|
|
Reply
|
Scott
|
12/4/2009 4:32:54 PM
|
|
Richard Lewis Haggard <RichardLewisHaggard@discussions.microsoft.com>
wrote:
>...
>The reason I want to do this is because there is a list of 33 event handles
>being passed in from Outlook to a ntdll!ZwWaitForMultipleObjects. An
>exception is being thrown within this call that says to the effect that
>
>EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments
>are invalid
0x80000003 is not "invalid argument". It's a breakpoint, possibly from an
assert. How did you determine there was an invalid argument?
--
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
|
|
|
0
|
|
|
|
Reply
|
Tim
|
12/6/2009 6:17:38 AM
|
|
|
3 Replies
282 Views
(page loaded in 0.074 seconds)
Similiar Articles: Using IOCTL_ACPI_EVAL_METHOD - microsoft.public.development.device ...From my windows user-mode environment, I would like to ... I am able to get a handle to the thermal zone using ... you will see the temperature does not change. Or it ... OnClose Event and DoCmd.Close acForm - microsoft.public.access ...... actually, an element of a user-defined structure ... create another variable to handle this, but I'm still curious if the OnClose event ... process puts into single-user mode ... KMDF driver METHOD_NEITHER and high CPU usage questions ...No you cannot change the IOCTL's ... The user-mode buffer that the Buffer ... access method might pass a structure that contains an embedded pointer to a user-mode ... convert bound to unbound - microsoft.public.accessThe form will only save bound user-entered fields ... if I write code into the > Before Update event to convert ... ... ' Handle change in author selection Private Sub dcboAuthors ... To End Or Not To End. But How To End - microsoft.public.vb.general ...That is the way it is and I cannot change this structure. ... anywhere in code, but you may need to handle ... But most controls only fire events in response to user action. Change state of detached column of dataGridView. - microsoft ...How can I handle this case ... The user can then add, change or delete a row. "Andy O ... Combox not getting into edit mode - microsoft.public.access.forms ... Change ... Outline codes - microsoft.public.access.modulesdaovba... that are autonumbered. the user just downselects to his needed major events, then ... restartig the numbering at ach Event change ... > > > > For instance, in a BOM structure you might ... WithEvents and the Click event - microsoft.public.access.forms ...... you do with the form in design mode ... How to catch event onclick when user click on a ... keyword allows us to handle any ... The code section will be the event handler ... Exchange Mail Router with SMTP Relays - microsoft.public.crm ...Exchange Servers handle e-mails for 1400 users. Questions: 1. ... users to be handled by MS-CRM, is to change the MS-CRM user ... Exchange servers on a given domain structure ... Convert user mode handle to event structure? Windows 7I have a user mode dump from which I was able to find a questionable handle to an event and would like to view the event structure itself. Is there any w Convert user mode handle to event structure? - Windows Vista TipsI have a user mode dump from which I was able to find a questionable handle to an event and would like to view the event structure itself. Is there User-Mode Interactions: Guidelines for Kernel-Mode Drivers... to create the event in user mode and send the event handle ... passing a structure that contains the GUID and other event information. For a custom target device change ... Kernel User-Mode Debugging Support (Dbgk)/* Convert to user-mode structure */ ... case when a debug event is found, which will open the right handles that user-mode expects in the DbgUi structure ... Debugging Events - Microsoft Corporation: Software, Smartphones ...This structure includes a handle to the new process, a handle to the ... before the new thread begins to execute in user mode. The DEBUG_EVENT structure ... 7/28/2012 4:02:40 AM
|
|
|
|
|
|
|
|
|
Search |
Post Question |
Groups |
Stream |
About |
Register
2 followers. 