tags:
views: 99
answers: 1
How to detect the process that caused a GPF?

A: 

I'm not sure I understand your question. A GPF is a situation where the processor issues an interrupt.

If this happens in user mode, it's translated into a SEH exception, which in turn may be handled by the process. If it's not handled, the process "crashes". That means an ugly message box is displayed and the process is terminated (depending on the settings, the process may also be debugged, a debug dump generated, etc.).

If this happens in kernel mode, there are two possibilities. If it happened in a context where exceptions are allowed, a SEH exception is raised and handled (similarly to user mode). If, however, the exception is not handled, or the context in which the GPF happened doesn't allow exceptions, the OS shuts down, displaying the so-called BSOD (blue screen of death).

Now, about your question, I see several possibilities:

  • The OS dies, and you want to know which process made the system call that caused the GPF in kernel mode. This can be discovered with a kernel debugger attached. You'll also see the driver that caused the error.
  • The GPF happens in user mode inside a process, and it's not handled. This process will crash, and you'll definitely know which process it was.
  • The GPF happens inside the process, is handled, and the process continues to run, and you want to be notified about this. For this you can attach to the process with a debugger. Whenever a SEH exception occurs inside a process, the debugger is notified by the OS.
valdo