Recently, I got an error report of access violation which happens only when the current user is logging off from the session.
It was difficult to attach a debugger because the debugger was shutdown along with the target process on logging off. In other words, the problem did not reproduce if the debugger was attached – the problem process was terminated before the access violation along with the debugger.
The trick I used was running the debugger on local system account.
Windows does not shutdown a process which is running as local system account. Therefore, the debugger kept alive and I could monitor how the access violation exception happened.
A way to run debugger on local system account is to use psexec.exe from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx).
% psexec -i 0 -s -d cdb -p [targetProcessID]
"-i 0" indicates that cdb is interacting with the console session. It’s useful especially when you are debugging the service process. "-s" specifies that cdb.exe should run in local system account so that cdb is not shutdown on user logoff. "-d" shutdown psexec.exe even though cdb.exe is still running.
BTW, the actual problem was due to SetConsoleCtrlHandler (http://msdn.microsoft.com/en-us/library/ms686016(VS.85).aspx) which was called one of 3rd party DLL. The registered callback function was located in the DLL – unfortunately, at the event of CTRL_LOGOFF_EVENT, the DLL has been unloaded and caused the access violation.