Comments
> On Win2012R2 I have a winlogon.exe thread that calls CreateWindowStation().
>
> USERMODE: break at user32!NtUserCreateWindowStation
> USERMODE: !gle: 0
> USERMODE: step over syscall for NtUserCreateWindowStation
>
> KERNMODE: break at win32k!NtUserCreateWindowStation
> KERNMODE: !gle: 0
> KERNMODE: step out of win32k!NtUserCreateWindowStation
> KERNMODE: !gle: 0
>
> USERMODE: break on instruction after syscall (ret)
> USERMODE: !gle: 8 (ERROR_NO_MEMORY)
>
>> LastErrorValue: (Win32) 0x8 (8) - Not enough storage is available to process this command.
>> LastStatusValue: (NTSTATUS) 0xc0000017 - {Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.
>
> Can anyone give a pointer or otherwise shed light on how or where this
> error occurs?
Answer: !gle isn't strictly reliable in kernel mode. Instead break on
win32k!UserSetLastError and look at rcx. (Which, curiously, may cause
!gle to return the expected error value.)
-Nathan