My experience is that it is often not worth debugging user mode applications from a kernel mode debugger. True, the official docs propose to debug Winlogon just as you did. But hey, Winlogon is almost an ordinary user mode application and with a few simple tricks a user mode debugger will do it just fine.
First note that it is wise to debug Winlogon on a remote machine, because it is considered to be part of the OS. If Winlogon crashes or the debugger screws it up, the whole system is taken down. Remote debugging is shortly described in WinDbg. From A to Z! - "Remote Debugging with WinDbg" at slide 87. Basically you have to copy dbgsrv.exe, dbgeng.dll and dbghelp.dll to the remote machine, run dbgsrv.exe on a given port, and connect to that port with WinDbg. The additional trick here is that dbgsrv.exe should run as a service so one can connect to it even before any user logs on. There are two wonderful applications, namely Srvany.exe, that help you to achieve just that. Just follow the steps described here: How To Create a User-Defined Service. Once you set everything up you should see something like this in the registry of your target machine:

"Application"="C:\\dbgsrv\\dbgsrv.exe -t tcp:port=1222"

When you restart that machine dbgsrv.exe will be up and running waiting for WinDbg connections. Then attaching to Winlogon will be just one more click away.
Bottom line: I would only use the officially proposed solution with a kernel debugger if debugging a user mode application early in the boot process. In all other scenarios the above solution should yield more satisfactory results.
I hope this helps,
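The set-up described in the answer above, as an added example that is not part of the original post: an elevated PowerShell script that registers dbgsrv.exe as a Srvany-wrapped service on the target machine, writes the `Parameters\Application` value the answer shows, starts the service and checks that the port is actually listening. It assumes the debugger files and srvany.exe have already been copied to `C:\dbgsrv`; the service name `DbgSrv` and that folder are illustrative, and `New-Service` stands in for whichever installer utility you use to create the service.

```powershell
# Added example (not from the original answer): register dbgsrv.exe as a
# Srvany-wrapped service so it listens before anyone logs on, then verify it.
# Assumptions: dbgsrv.exe, dbgeng.dll, dbghelp.dll and srvany.exe already live
# in C:\dbgsrv; the service name and paths below are illustrative.
# Run in an elevated PowerShell on the target (lab) machine.

$ServiceName = 'DbgSrv'                                  # assumed service name
$SrvanyPath  = 'C:\dbgsrv\srvany.exe'                    # assumed location of srvany.exe
$DbgsrvCmd   = 'C:\dbgsrv\dbgsrv.exe -t tcp:port=1222'   # command line from the answer

# 1. Create the service with srvany.exe as its binary. Srvany is the process
#    the SCM launches; it then spawns the real program configured in step 2.
if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    New-Service -Name $ServiceName -BinaryPathName $SrvanyPath `
        -DisplayName 'Debugging server (dbgsrv)' -StartupType Automatic | Out-Null
}

# 2. Srvany reads the program to launch from the Parameters\Application value,
#    which is the registry entry quoted in the answer.
$ParamsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
if (-not (Test-Path $ParamsKey)) { New-Item -Path $ParamsKey -Force | Out-Null }
Set-ItemProperty -Path $ParamsKey -Name 'Application' -Value $DbgsrvCmd

# 3. Start the service now (it also starts at boot) and confirm a listener
#    exists on the chosen port; a missing listener usually means a wrong path
#    in the Application value or a missing dbgeng.dll/dbghelp.dll next to dbgsrv.exe.
Start-Service -Name $ServiceName
Start-Sleep -Seconds 2
$listener = Get-NetTCPConnection -LocalPort 1222 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    "dbgsrv is listening on TCP 1222 (owning PID $($listener.OwningProcess))"
} else {
    Write-Warning "No listener on TCP 1222; check 'Get-Service $ServiceName' and the Application value."
}

# 4. Echo the resulting value so it can be compared with the one in the answer.
Get-ItemProperty -Path $ParamsKey -Name 'Application' | Select-Object -ExpandProperty Application
```

From the machine running WinDbg, connect with File > Connect to Remote Stub (or `windbg -premote tcp:server=<target>,port=1222`) and then attach to winlogon.exe as with any local process. Because the process server accepts debugger connections from anyone who can reach the port, keep the listener confined to the lab network with a host firewall rule, and consider appending `,password=<value>` to the tcp transport string so that WinDbg clients must supply it.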