Using Time Travel Debugging with WinDbgX, how to start it even elevated?

Using WinDbg Preview (aka WinDbgX), the Store application, we have the option of using Time Travel Debugging (TTD) on older Windows 10 point releases. I have used the corresponding feature in GDB on Linux before and only tried the walkthrough once.

Now I am trying to do this on Windows 10 20H2 (with the latest patches applied), which of course requires elevation. However, for the life of me I cannot figure out how to start it in order to use TTD.

When I try, I get the following error:

---------------------------
Fatal error
---------------------------
WindowsDebugger.WindowsDebuggerException: Could not load dbghelp.dll from C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2103.1004.0_neutral__8wekyb3d8bbwe\amd64 : System.ComponentModel.Win32Exception (0x80004005): Access is denied
   at DbgX.DbgEngModule.LoadLibraryFromDirectory(String directory, String library)
   at DbgX.DbgEngModule.LoadDbgEngModule()
   at DbgX.EngineThread.ThreadProc()
---------------------------
OK
---------------------------

... which "sort of" makes sense, since C:\Program Files\WindowsApps has a restrictive ACL set. However, I am a member of the local Administrators group, so I would expect it to work.

How do I work around this in order to use TTD on Windows 10 20H2?


For anyone else running into this, there is a workaround which, however, defeats the whole idea of the app container (but it works). If you use a tool like psexec to start a command prompt as nt authority\system, you can copy the WinDbgX subdirectory from under C:\Program Files\WindowsApps to another location, adjust its ACL and run it from the new location (elevation works just like for any desktop application; then start DbgX.Shell.exe).

This used to work, but I have not tried ttd recently:
press Windows key + S
type windbg preview
right-click, Run as administrator

Edit

You can also try runas /user:{machine}\Administrator windbgx, as shown below

You can read the details about the reparse points and the ExecutionAlias paths added under %userpath% here

Sample code to dump reparse points using DeviceIoControl()
You can also use fsutil reparsepoint query filename to get this data

main()

#include <windows.h>
#include <stdio.h>

void hexdump(unsigned char *buff, int size);

int main(int argc, char *argv[])
{
    if (argc == 2)
    {
        /* GetFileAttributesA returns INVALID_FILE_ATTRIBUTES (all bits set) on
           failure, so test for that before looking at the reparse-point bit. */
        DWORD attrs = GetFileAttributesA(argv[1]);
        if (attrs != INVALID_FILE_ATTRIBUTES && (attrs & FILE_ATTRIBUTE_REPARSE_POINT))
        {
            /* FILE_FLAG_OPEN_REPARSE_POINT opens the reparse point itself
               instead of following it to its target. */
            HANDLE hFile = CreateFileA(argv[1], GENERIC_READ, 0, NULL, OPEN_EXISTING,
                 FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OPEN_REPARSE_POINT, NULL);
            if (hFile != INVALID_HANDLE_VALUE)
            {
                printf("opened the reparse point %p\n", hFile);
                /* Zeroed so the rows hexdump() prints past the returned length show 00. */
                unsigned char reparsebuff[0x1000] = {0};
                DWORD bytesreturned = 0;
                /* Ask the file system for the raw REPARSE_DATA_BUFFER
                   (tag, data length, tag-specific data). */
                BOOL dcret = DeviceIoControl(hFile, FSCTL_GET_REPARSE_POINT, NULL, 0,
                                             reparsebuff, sizeof(reparsebuff), &bytesreturned, NULL);
                if (dcret)
                {
                    printf("returned %x bytes\n", bytesreturned);
                    hexdump(reparsebuff, bytesreturned);
                }
                else
                {
                    printf("DeviceIoControl failed, error %lu\n", GetLastError());
                }
                CloseHandle(hFile);
            }
            else
            {
                printf("CreateFile failed, error %lu\n", GetLastError());
            }
        }
        return 0;
    }
    printf("usage %s <path to a reparse file like windbgx.exe>", argv[0]);
    ExitProcess(0);
}

hexdump()

/* Print buff as rows of 16 bytes: hex column, tab, printable-ASCII column.
   Rows are always printed whole, so the caller's buffer must be at least size
   rounded up to a multiple of 16 (the 0x1000-byte zeroed buffer in main() is). */
void hexdump(unsigned char *buff, int size)
{
    int j = 0;
    while (j < size)
    {
        for (int i = j; i < j + 16; i++)
        {
            printf("%02x ", buff[i]);
        }
        printf("\t");
        for (int i = j; i < j + 16; i++)
        {
            /* Non-printable bytes are shown as a dot. */
            if (buff[i] < 32 || buff[i] > 126)
            {
                printf(". ");
            }
            else
            {
                printf("%c ", buff[i]);
            }
        }
        printf("\n");
        j = j + 16;
    }
}

Compiled, linked and executed with VS2017 Community

:\>cl /Zi /analyze /W4 /EHsc /Od /nologo reparsedumper.cpp /link /release
reparsedumper.cpp

:\>reparsedumper.exe
usage reparsedumper.exe <path to a reparse file like windbgx.exe>
:\>reparsedumper.exe "c:\Users\xxxxx\AppData\Local\Microsoft\WindowsApps\WinDbgX.exe"
opened the reparse point 00000000000000A8
returned 172 bytes
1b 00 00 80 6a 01 00 00 03 00 00 00 4d 00 69 00         . . . . j . . . . . . . M . i .
63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00         c . r . o . s . o . f . t . . .
57 00 69 00 6e 00 44 00 62 00 67 00 5f 00 38 00         W . i . n . D . b . g . _ . 8 .
77 00 65 00 6b 00 79 00 62 00 33 00 64 00 38 00         w . e . k . y . b . 3 . d . 8 .
62 00 62 00 77 00 65 00 00 00 4d 00 69 00 63 00         b . b . w . e . . . M . i . c .
72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 57 00         r . o . s . o . f . t . . . W . 
69 00 6e 00 44 00 62 00 67 00 5f 00 38 00 77 00         i . n . D . b . g . _ . 8 . w .
65 00 6b 00 79 00 62 00 33 00 64 00 38 00 62 00         e . k . y . b . 3 . d . 8 . b .
62 00 77 00 65 00 21 00 4d 00 69 00 63 00 72 00         b . w . e . ! . M . i . c . r . 
6f 00 73 00 6f 00 66 00 74 00 2e 00 57 00 69 00         o . s . o . f . t . . . W . i .
6e 00 44 00 62 00 67 00 00 00 43 00 3a 00 5c 00         n . D . b . g . . . C . : . \ .
50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00         P . r . o . g . r . a . m .   .
46 00 69 00 6c 00 65 00 73 00 5c 00 57 00 69 00         F . i . l . e . s . \ . W . i .
6e 00 64 00 6f 00 77 00 73 00 41 00 70 00 70 00         n . d . o . w . s . A . p . p .
73 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00         s . \ . M . i . c . r . o . s .
6f 00 66 00 74 00 2e 00 57 00 69 00 6e 00 44 00         o . f . t . . . W . i . n . D .
62 00 67 00 5f 00 31 00 2e 00 32 00 30 00 30 00         b . g . _ . 1 . . . 2 . 0 . 0 .
37 00 2e 00 36 00 30 00 30 00 31 00 2e 00 30 00         7 . . . 6 . 0 . 0 . 1 . . . 0 .
5f 00 6e 00 65 00 75 00 74 00 72 00 61 00 6c 00         _ . n . e . u . t . r . a . l .
5f 00 5f 00 38 00 77 00 65 00 6b 00 79 00 62 00         _ . _ . 8 . w . e . k . y . b .
33 00 64 00 38 00 62 00 62 00 77 00 65 00 5c 00         3 . d . 8 . b . b . w . e . \ .
44 00 62 00 67 00 58 00 2e 00 53 00 68 00 65 00         D . b . g . X . . . S . h . e .
6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 30 00         l . l . . . e . x . e . . . 0 .
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         . . . . . . . . . . . . . . . .

:\>
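As an added example (not from the question or from either answer), here is a platform-independent Python decoder for the buffer that the C program above dumps. The builder, the field names and the `target_in_windowsapps` check are my own assumptions; the tag value 0x8000001B is simply the first four bytes of the dump (`1b 00 00 80`), and the sample strings are the ones visible in its ASCII column. The code parses the REPARSE_DATA_BUFFER header and the UTF-16LE strings, rejects truncated or odd-length buffers, can read rows pasted from the answer's hexdump() output, and checks that an alias resolves into the ACL-protected WindowsApps tree, which is the sanity check an administrator wants when a stub under %LOCALAPPDATA%\Microsoft\WindowsApps points somewhere unexpected.

```python
import ntpath
import struct

# Reparse tag carried by app execution aliases such as the WinDbgX.exe stub
# (first four bytes of the dump: 1b 00 00 80). Bit 31 set marks a Microsoft tag.
IO_REPARSE_TAG_APPEXECLINK = 0x8000001B
IO_REPARSE_TAG_SYMLINK = 0xA000000C   # used below only as a "some other tag" sample
WINDOWSAPPS_DIR = r"C:\Program Files\WindowsApps"


def build_appexeclink(package_family, app_user_model_id, target, app_type="0", version=3):
    """Serialize an AppExecLink reparse buffer with the layout seen in the dump:
    8-byte header (tag, ReparseDataLength, Reserved), a version DWORD, then
    NUL-terminated UTF-16LE strings. Assumed helper, used here only to construct
    test input; on Windows the bytes come from FSCTL_GET_REPARSE_POINT."""
    body = struct.pack("<I", version)
    for s in (package_family, app_user_model_id, target, app_type):
        body += (s + "\0").encode("utf-16-le")
    return struct.pack("<IHH", IO_REPARSE_TAG_APPEXECLINK, len(body), 0) + body


def bytes_from_hexdump(text):
    """Convert rows in the format printed by the answer's hexdump() (16 hex
    pairs, then an ASCII column) back into bytes, so a pasted dump can be parsed."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[:16]:
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                out.append(int(tok, 16))
            else:
                break
    return bytes(out)


def parse_reparse_buffer(buf):
    """Decode the generic REPARSE_DATA_BUFFER header and, for an AppExecLink,
    its strings. Returns a dict; raises ValueError on malformed input."""
    if len(buf) < 8:
        raise ValueError("shorter than the 8-byte REPARSE_DATA_BUFFER header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if 8 + data_len > len(buf):
        raise ValueError(f"ReparseDataLength {data_len:#x} exceeds the {len(buf)}-byte buffer")
    info = {"tag": tag, "microsoft_tag": bool(tag & 0x80000000), "data_length": data_len}
    data = buf[8:8 + data_len]
    if tag != IO_REPARSE_TAG_APPEXECLINK:
        info["data"] = data          # symlinks, junctions etc. have their own layouts
        return info
    if len(data) < 4 or len(data) % 2:
        raise ValueError("AppExecLink data must be a version DWORD plus UTF-16LE strings")
    info["version"] = struct.unpack_from("<I", data, 0)[0]
    fields = data[4:].decode("utf-16-le").split("\0")
    if fields and fields[-1] == "":
        fields.pop()                 # data ends with the last string's terminator
    if len(fields) < 3:
        raise ValueError(f"expected at least 3 strings, found {len(fields)}")
    # Field names are my reading of the dump: package family, app user model id,
    # target path, then (version 3) one more string, "0" in the dump.
    info["package_family"], info["app_user_model_id"], info["target"] = fields[:3]
    info["extra"] = fields[3:]
    return info


def validate(buf):
    """Return None if buf parses cleanly, otherwise the reason it was rejected."""
    try:
        parse_reparse_buffer(buf)
    except ValueError as exc:
        return str(exc)
    return None


def target_in_windowsapps(info, root=WINDOWSAPPS_DIR):
    """Sanity check for an alias: a Store app's target should live inside the
    ACL-protected WindowsApps tree. Normalize first so '..' cannot escape, and
    compare case-insensitively as NTFS does."""
    target = ntpath.normpath(info.get("target", ""))
    return target.lower().startswith(root.lower() + "\\")


# Constructed sample built from the strings visible in the dump above.
SAMPLE_BUFFER = build_appexeclink(
    "Microsoft.WinDbg_8wekyb3d8bbwe",
    "Microsoft.WinDbg_8wekyb3d8bbwe!Microsoft.WinDbg",
    r"C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2007.6001.0_neutral__8wekyb3d8bbwe\DbgX.Shell.exe",
)

# Constructed buffer with a different (symlink) tag, to show the generic path.
OTHER_TAG_BUFFER = struct.pack("<IHH", IO_REPARSE_TAG_SYMLINK, 4, 0) + b"\0" * 4

# First two rows of the dump above, to confirm the builder reproduces them.
DUMP_HEAD = """\
1b 00 00 80 6a 01 00 00 03 00 00 00 4d 00 69 00         . . . . j . . . . . . . M . i .
63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00         c . r . o . s . o . f . t . . ."""

if __name__ == "__main__":
    info = parse_reparse_buffer(SAMPLE_BUFFER)
    print(f"tag={info['tag']:#x} data_length={info['data_length']:#x} version={info['version']}")
    print("target:", info["target"])
    print("inside WindowsApps:", target_in_windowsapps(info))
```

The constructed buffer comes out at 0x172 bytes with ReparseDataLength 0x16a, matching the "returned 172 bytes" line and the `6a 01` in the dump, so the layout assumed by the builder agrees with what the C program read back from the alias.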