Debugging Tools for Windows

Debugging CSRSS with NTSD

The Client Server Run-Time Subsystem (CSRSS) is the user-mode executable that implements the server side of the Windows subsystem; the rest of the Windows environment depends on it. A number of problems make it necessary to debug CSRSS itself.

Debugging CSRSS is also useful when the Windows subsystem terminates unexpectedly with a Bug Check 0xC000021A (STATUS_SYSTEM_PROCESS_TERMINATED). In this case, debugging CSRSS will catch the failure before it gets to an "unexpected" point.

Although CSRSS is an integral part of the Windows operating system, it is actually a user-mode process.

Controlling NTSD from the Kernel Debugger

Generally, user-mode processes can be debugged equally well by CDB or NTSD. However, to debug CSRSS, it is necessary to use NTSD and control it from the kernel debugger.

The reason for this is that when its output is redirected, NTSD will run without generating any console window on the target computer. CDB would require a console window, which would require the CSRSS process to be active.

Enabling CSRSS Debugging

CSRSS debugging must be enabled before you can proceed. If the target computer is running a checked build of Windows, CSRSS debugging is always enabled. If the target computer is running a free build of Windows, you will have to enable CSRSS debugging through the Global Flags Utility (GFlags).

To do this, start the GFlags utility, select the System Registry radio button, and select Enable debugging of Win32 subsystem.

Alternatively, you can use the following GFlags command-line:

gflags /r +20000 

Or, if you prefer, you can edit the registry key manually instead of using GFlags. Open the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager 

Edit the GlobalFlag value entry (of type REG_DWORD) and set the bit 0x00020000 (FLG_ENABLE_CSRDEBUG), leaving any other bits already set in the value unchanged. If the GlobalFlag value does not exist, create it.

After using GFlags or manually editing the registry, you must reboot for the changes to take effect.
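The GFlags and registry steps above, carried out from an elevated PowerShell prompt, as an added example that is not part of the original page. It reads the existing GlobalFlag value, flips only bit 0x00020000 (so other global flags are preserved), and reports whether a reboot is still pending. The function and variable names are this example's own. Because the flag lets a debugger attach to the Windows subsystem, set it only on a test or lab machine and clear it again when you are finished.

```powershell
# Added example: toggle the FLG_ENABLE_CSRDEBUG bit (0x00020000) in the
# Session Manager GlobalFlag value. Equivalent to "gflags /r +20000" and
# "gflags /r -20000". Requires an elevated prompt; takes effect after a reboot.

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$FlgEnableCsrDebug = 0x00020000   # FLG_ENABLE_CSRDEBUG

function Get-GlobalFlag {
    # Returns the current GlobalFlag REG_DWORD as an Int32, or 0 if the value
    # does not exist yet (a fresh free build has no GlobalFlag value at all).
    $item = Get-ItemProperty -Path $SessionManagerKey -Name GlobalFlag -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [int]0 }
    return [int]$item.GlobalFlag
}

function Test-CsrssDebugEnabled {
    # True when bit 0x00020000 is set in the registry. Note: this is the value
    # the next boot will use, not necessarily what the running system has.
    return ((Get-GlobalFlag) -band $FlgEnableCsrDebug) -ne 0
}

function Set-CsrssDebug {
    param([Parameter(Mandatory)][bool]$Enabled)

    $current = Get-GlobalFlag
    if ($Enabled) {
        $new = $current -bor $FlgEnableCsrDebug
    } else {
        $new = $current -band (-bnot $FlgEnableCsrDebug)
    }

    if ($new -eq $current) {
        Write-Host ("GlobalFlag is already 0x{0:X8}; nothing to change." -f $current)
        return
    }

    # Only bit 0x00020000 differs between $current and $new; heap, pool and
    # other global flags that were set stay set.
    Set-ItemProperty -Path $SessionManagerKey -Name GlobalFlag -Value $new -Type DWord
    Write-Host ("GlobalFlag 0x{0:X8} -> 0x{1:X8}. Reboot for the change to take effect." -f $current, $new)
}

# Usage:
#   Set-CsrssDebug -Enabled $true     # same as: gflags /r +20000
#   Test-CsrssDebugEnabled            # verify the bit before rebooting
#   Set-CsrssDebug -Enabled $false    # revert when the debugging session is over
```

Run Test-CsrssDebugEnabled after the reboot as well: if it returns False, something (for example a later GFlags run that rewrote the whole value) has cleared the bit, and NTSD will not be able to attach to CSRSS.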

Starting NTSD

Because you will be controlling the user-mode debugger from the kernel debugger, you will need to set up a kernel debugging connection. See Kernel-Mode Setup for details.

After the registry has been properly configured, it is a simple matter of starting NTSD as follows:

ntsd -- 

This command is simply shorthand for the following:

ntsd -d -g -G -o -pd -p -1 

(Note that -p -1 is a special value that always designates CSRSS; it is not an ordinary process ID. The -pd parameter specifies that the debugger should detach from CSRSS, rather than terminate it, when debugging is finished; this only works on Windows XP and later versions of Windows.)

See Controlling the User-Mode Debugger from the Kernel Debugger for an explanation of how to proceed.

You will have to set your symbol path to a location on your host computer or to some other location on your network. When CSRSS is being debugged, network authentication on the target computer will not work properly.

Note that you may see an "in page io error" message. This is typically a manifestation of a hardware failure rather than a problem with the debugger setup.
