Ever wondered about it? There are like 100 knobs that you could turn and enable all kinds of cool things. But how does it work? What does it do? Is it some inner magic or does it rely on things that Windows provides out of the box? Time to find out 🙂
NOTE: If you’re not familiar with GFlags, here’s a quote from Microsoft docs: “GFlags, the Global Flags Editor, enables and disables advanced debugging, diagnostic, and troubleshooting features. It’s most often used to turn on indicators that other tools track, count, and log.”
The good news is – GFlags doesn’t really do any magic. It’s really just a friendly UI around what Windows provides out of the box. And frankly, I learned this as part of my “suspending the process before it executes” exploration.
But here’s a question – assume that you don’t want to use GFlags, but you do want to enable something that it provides (e.g. set a Debugger to use when a specific process starts). How do you do that?
One option, which I frankly didn’t have that much luck with, is to dig through the documentation. Pretty much everything is written somewhere in Microsoft Docs or on Stack Overflow. Or, at the end of the day, I’m sure some AI tool must know about it. But where’s the fun in that, eh? Here’s a better idea – use Process Monitor to sniff what GFlags is doing. Like so:
I filtered the output to Registry-related operations only, but obviously you can explore anything that is of interest. I believe most of the settings live in the Registry anyway. Oh, and here are the filters that I’ve used:
Nothing spectacular really. I just filtered it by process name and filtered out anything but Registry-related stuff. Pretty simple and convenient!
So, here are some useful paths:
- “Debugger” (i.e. which EXE to use as a Debugger before the Image gets loaded) is enabled by setting the REG_SZ value
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger
  to the path of the debugger. In my case I used some custom-built exe called “DeepSleeper”, which is something I’ll write about in another blog post. But you’d usually specify the path to WinDbg here.
- “Enable Page Heap” sets the REG_DWORD value
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\PageHeapFlags
  to “3”.
- etc.
My whole point is – if you want to see what a specific GFlags flag does, you can simply fire up Process Monitor, filter out everything but Registry operations, and observe what happens when you enable (or disable) a specific setting.
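Once you know the paths, you can also read them back without GFlags or Process Monitor. The script below is an added example (not code from the post) that walks the Image File Execution Options key and lists every image that carries a Debugger or PageHeapFlags value; since a Debugger entry redirects every launch of that image, this is also a handy audit on machines where nobody should be debugging anything. The function name Get-IfeoSettings is my own, and the GlobalFlag value (where GFlags stores its other per-image bits) is a name I’m adding; it isn’t mentioned in the post.

```powershell
# Added example, not from the post: report IFEO entries that GFlags-style settings live in.
# Reading HKLM works as a normal user; only writing needs an elevated prompt.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoSettings {
    [CmdletBinding()]
    param([string]$Root = $IfeoRoot)

    # One subkey per image name (e.g. notepad.exe), exactly as seen in the Process Monitor trace.
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath

        # Skip images that carry none of the values we care about.
        if ($null -eq $props.Debugger -and
            $null -eq $props.PageHeapFlags -and
            $null -eq $props.GlobalFlag) { return }

        # REG_DWORD values come back as integers; show them in hex like GFlags does.
        $pageHeap = if ($null -ne $props.PageHeapFlags) { '0x{0:X}' -f [int]$props.PageHeapFlags } else { $null }
        $global   = if ($null -ne $props.GlobalFlag)    { '0x{0:X}' -f [int]$props.GlobalFlag }    else { $null }

        [pscustomobject]@{
            Image         = $_.PSChildName
            Debugger      = $props.Debugger   # REG_SZ: the exe that gets started instead of the image
            PageHeapFlags = $pageHeap         # REG_DWORD: 0x3 after "Enable Page Heap"
            GlobalFlag    = $global           # REG_DWORD: other per-image GFlags bits (name assumed, not on the page)
        }
    }
}

# Same information as the Process Monitor trace, read back from the Registry.
Get-IfeoSettings | Sort-Object Image | Format-Table -AutoSize
```

Run it before and after toggling a setting in GFlags and the row for that image is the diff you’d otherwise have to pick out of the Process Monitor log.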