What does GFlags do under the hood?

Ever wondered about it? There are like 100 knobs that you could turn and enable all kinds of cool things. But how does it work? What does it do? Is it some inner magic or does it rely on things that Windows provides out of the box? Time to find out 🙂

The Image File tab lets you tweak various knobs at the image level (e.g. you can set it so that a debugger fires up every time you start notepad.exe).
The Silent Process Exit tab allows you to do all kinds of cool things when a process exits. For example, you could start a new process every time notepad.exe exits.

NOTE: If you’re not familiar with GFlags, here’s a quote from Microsoft docs: “GFlags, the Global Flags Editor, enables and disables advanced debugging, diagnostic, and troubleshooting features. It’s most often used to turn on indicators that other tools track, count, and log.”

The good news is – GFlags doesn’t really do any magic. It’s really just a friendly UI around what Windows provides out of the box. And frankly, I learned this as part of my “suspending the process before it executes” exploration.

But here’s a question – assume that you don’t want to use GFlags, but you do want to enable something that it provides (e.g. set a Debugger to use when a specific process starts). How do you do that?

One option, which I frankly didn’t have that much luck with, is to dig through Documentation. Pretty much everything is written somewhere in Microsoft Docs or Stack Overflow. Or, at the end of the day, I’m sure some AI tool must know about it. But where’s the fun in that, eh? Here’s a better idea – use Process Monitor to sniff what GFlags is doing. Like so:

Spot the third line from the bottom of the Process Monitor output. That is the registry write that updated “Debugger” to the “DeepSleeper.exe” image I specified earlier.

I filtered the output to Registry-related settings only, but obviously you can explore anything that is of interest. I believe most of the stuff is contained in Registry anyway. Oh, and here are the filters that I’ve used:

Nothing spectacular really. I just filtered it by process name and filtered out anything but Registry-related stuff. Pretty simple and convenient!

So, here are some useful paths:

  1. “Debugger” (i.e. which EXE to use as a debugger before the image gets loaded) is enabled by setting the REG_SZ value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger to the path of the debugger. In my case I used a custom-built exe called “DeepSleeper”, which is something I’ll write about in another blog post. But you’d usually specify the path to WinDbg here.
  2. “Enable Page Heap” sets the REG_DWORD value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\PageHeapFlags to “3”.
  3. etc.
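Here is a small PowerShell script that does the same thing from the registry side: it snapshots the two IFEO values listed above (Debugger and PageHeapFlags) for an image, and diffs two snapshots taken around a GFlags change. This is an added example written for this post, not code from GFlags or from Microsoft; the function names, parameter names and the `$TrackedValues` list are my own choices, and it is read-only.

```powershell
# Added example for this post (not GFlags' or Microsoft's own code): a read-only
# audit of the Image File Execution Options (IFEO) values the post saw GFlags write.
# Function and parameter names are assumptions made for this example.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$TrackedValues = 'Debugger', 'PageHeapFlags'   # the two values documented in the post

function Get-IfeoSnapshot {
    # Returns one object per image subkey under IFEO, carrying the tracked values
    # ($null when a value is absent). Pass -ImageName to look at a single image.
    param([string]$ImageName)

    $keys = if ($ImageName) {
        Get-Item -Path (Join-Path $IfeoRoot $ImageName) -ErrorAction SilentlyContinue
    } else {
        Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue
    }

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath
        $row = [ordered]@{ Image = $key.PSChildName }
        foreach ($name in $TrackedValues) {
            $row[$name] = $props.$name       # $null if the value is not set
        }
        [pscustomobject]$row
    }
}

function Compare-IfeoSnapshot {
    # Diffs two snapshots taken around a GFlags change: the registry-state
    # equivalent of watching the registry writes in Process Monitor.
    param([object[]]$Before, [object[]]$After)

    # Flatten a snapshot into a hashtable keyed by "image\valuename"
    $index = {
        param($snap)
        $h = @{}
        foreach ($s in $snap) {
            foreach ($n in $TrackedValues) { $h["$($s.Image)\$n"] = $s.$n }
        }
        $h
    }
    $b = & $index $Before
    $a = & $index $After

    foreach ($k in (@($b.Keys) + @($a.Keys) | Sort-Object -Unique)) {
        if ("$($b[$k])" -ne "$($a[$k])") {
            [pscustomobject]@{ Setting = $k; Before = $b[$k]; After = $a[$k] }
        }
    }
}

# Usage: snapshot, flip a checkbox on the Image File tab in GFlags, snapshot again, diff.
$before = Get-IfeoSnapshot -ImageName 'notepad.exe'
# ... toggle "Enable page heap" (or set a Debugger) for notepad.exe in GFlags here ...
$after  = Get-IfeoSnapshot -ImageName 'notepad.exe'
Compare-IfeoSnapshot -Before $before -After $after | Format-Table -AutoSize

# Or list every image that currently has a Debugger or PageHeapFlags configured:
Get-IfeoSnapshot | Where-Object { $_.Debugger -or $_.PageHeapFlags } | Format-Table -AutoSize
```

Two things worth checking when you run it. First, a Debugger value applies to every process started with that image name, not just the one you were testing, so the second command is a cheap way to see whether anything on the machine has a debugger or page heap left switched on. Second, on 64-bit Windows, 32-bit images have their own IFEO key under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options; point `$IfeoRoot` there to audit those as well.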

My whole point is – if you want to see what a specific GFlags flag does, you can simply fire up Process Monitor, filter out everything but Registry operations, and observe what happens when you enable (or disable) a specific setting.
