Debugging a problem which happens on logging off

Recently, I got an error report of access violation which happens only when the current user is logging off from the session.

It was difficult to attach a debugger because the debugger was shutdown along with the target process on logging off. In other words, the problem did not reproduce if the debugger was attached – the problem process was terminated before the access violation along with the debugger.

The trick I used was running the debugger on local system account.

Windows does not shutdown a process which is running as local system account. Therefore, the debugger kept alive and I could monitor how the access violation exception happened.

A way to run debugger on local system account is to use psexec.exe from Sysinternals (

% psexec -i 0 -s -d cdb -p [targetProcessID]

"-i 0" indicates that cdb is interacting with the console session. It’s useful especially when you are debugging the service process. "-s" specifies that cdb.exe should run in local system account so that cdb is not shutdown on user logoff. "-d" shutdown psexec.exe even though cdb.exe is still running.

BTW, the actual problem was due to SetConsoleCtrlHandler ( which was called one of 3rd party DLL. The registered callback function was located in the DLL – unfortunately, at the event of CTRL_LOGOFF_EVENT, the DLL has been unloaded and caused the access violation.


About Moto

Engineer who likes coding
This entry was posted in Advanced Debugging. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s