I am trying to eliminate the slow start of a third-party binary (without source). This is a 32-bit application running on 64-bit Windows 7.
I used a debugger to break into the application when it hung at startup using 0% CPU, and it seems to be waiting for ReadFile to return. The first argument to ReadFile is the handle value, 000000f0. The windbg !handle command tells me:
Handle f0
  Type          File
  Attributes    0
  GrantedAccess 0x120189:
        ReadControl,Synch
        Read/List,ReadEA,ReadAttr,WriteAttr
  HandleCount   2
  PointerCount  4
  No Object Specific Information available
I want to know which device this handle corresponds to. But Sysinternals Process Explorer does not include this handle in its list of the process's handles.
I used windbg to trace every call to ntdll!NtCreateFile and printed the path and the returned handle: this handle is not among them. Breakpoints on kernel32!CreateNamedPipeW, kernel32!CallNamedPipeW and kernel32!WaitNamedPipeW never fire (which is odd, because Process Explorer does show a different handle under \Device\NamedPipe\).
For reference, here is the NtCreateFile (aka ZwCreateFile) trace on Windows x64:
bp ntdll!NtCreateFile "!ustr poi(@r8+10) ; r $t0 = @rcx ; gu ; dd @$t0 L1 ; gc"
Thanks to Skywing for pointing me in the right direction.
Where else can a file-type HANDLE appear? Could other functions create a HANDLE without NtCreateFile being the actual syscall (I think not)?
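As an added example (not part of the original post), the same breakpoint pattern extended to the other x64 ntdll entry points that hand back a file-type HANDLE without passing through NtCreateFile; it assumes the x64 register convention and the 64-bit OBJECT_ATTRIBUTES layout (ObjectName at +0x10) that the original trace already relies on.

```windbg
$$ Added example, not from the original post. Companion breakpoints to the
$$ NtCreateFile trace above. Argument offsets assume the x64 calling
$$ convention (rcx, rdx, r8, r9) and the 64-bit OBJECT_ATTRIBUTES layout
$$ with ObjectName at +0x10, exactly as the original bp does.

$$ NtOpenFile(FileHandle, DesiredAccess, ObjectAttributes, ...):
$$ same leading arguments as NtCreateFile, but a separate syscall, so a
$$ breakpoint on NtCreateFile alone never sees these opens.
bp ntdll!NtOpenFile "!ustr poi(@r8+10) ; r $t0 = @rcx ; gu ; dd @$t0 L1 ; gc"

$$ NtCreateNamedPipeFile / NtCreateMailslotFile: the syscalls behind
$$ CreateNamedPipeW and CreateMailslotW; the new handle is written to
$$ *FileHandle (rcx) once the call returns.
bp ntdll!NtCreateNamedPipeFile "!ustr poi(@r8+10) ; r $t0 = @rcx ; gu ; dd @$t0 L1 ; gc"
bp ntdll!NtCreateMailslotFile  "!ustr poi(@r8+10) ; r $t0 = @rcx ; gu ; dd @$t0 L1 ; gc"

$$ NtDuplicateObject(SourceProcess, SourceHandle, TargetProcess, TargetHandle, ...):
$$ a duplicate carries no path, so print the source handle (rdx) and the
$$ new value stored at *TargetHandle (r9) after the call returns.
$$ Handles inherited at process start never pass through any of these.
bp ntdll!NtDuplicateObject "r $t0 = @r9 ; .printf \"dup of %x -> \", @rdx ; gu ; dd @$t0 L1 ; gc"
```

Set these before the process reaches the hang, since a handle opened earlier than the breakpoints is never reported by them.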