Prev: Keyboard Filter and kbfiltr
Next: Detours
From: knowledgeseeker on 10 Oct 2006 08:24

I've an executable, myb.exe, created using Wise Package Studio. [Input to Wise is the script file. I've specified to execute the program Z:\fw.exe in the script file. So the role of myb.exe is to launch the Z:\fw.exe process.]

For some reason myb.exe is not able to launch the fw.exe process. So I attached WinDbg to the myb.exe process and placed a breakpoint at "kernel32!CreateProcessW" to see the arguments of CreateProcessW.

I've also written a process4 program in Visual Studio. process4 calls CreateProcessW(L"Z:\\fw.exe", .....). Process4 runs fine in my case, whereas myb.exe doesn't.

I found that myb.exe creates a process using SHELL32!_SHCreateProcess (in turn CreateProcessW). What is the Win32 API that calls SHELL32!_SHCreateProcess, instead of CreateProcessW?

Below is the callstack for myb.exe and process4.

CALLSTACK FOR myb.exe
-----------------------------------------
ChildEBP RetAddr  Args to Child
0012bfd4 7739569c 0016c43c 0016a1a4 00000000 kernel32!CreateProcessW
0012ca30 77395585 000a01d6 00000000 00000000 SHELL32!_SHCreateProcess+0x28e
0012ca84 7739503e 0012cae8 00168f50 77394fb2 SHELL32!CShellExecute::_DoExecCommand+0xb0
0012ca90 77394fb2 00000001 00164b90 00168f50 SHELL32!CShellExecute::_TryInvokeApplication+0x42
0012caa4 7739507f 00164580 00164b90 0012cae8 SHELL32!CShellExecute::ExecuteNormal+0xaf
0012cab4 77395129 0012cae8 00000000 00164b90 SHELL32!ShellExecuteNormal+0x2c
0012cad0 77396a6e 0012cae8 00000000 0012db90 SHELL32!ShellExecuteExW+0x8b
*** WARNING: Unable to verify checksum for C:\WINDOWS\TEMP\GLC53.tmp
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\TEMP\GLC53.tmp -
0012db78 1000d9e2 0012e8e8 77e5b162 77e4241f SHELL32!ShellExecuteExA+0x1b0
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e92c 100171a7 0016101d 00000100 73440000 GLC53!f38+0x8b6
0012e94c 77f4c861 0012e970 0012e9a8 0012e994 GLC53!DD+0x5bf
0012e998 77f4db9e 00000003 00000000 00131420 ntdll!RtlFindActivationContextSectionString+0xdd
0012ea6c 77f4cb70 0012ebbc 00000000 00000001 ntdll!RtlpWow64EnableFsRedirection+0x9aa
0012eacc 77f47cf2 00000041 001412b8 00140000 ntdll!RtlpFindUnicodeStringInSection+0x79
0012eb54 77f473b3 77f473f3 00000009 0012ee18 ntdll!RtlpAllocateFromHeapLookaside+0x42
0012ed9c 77d0ef77 00140000 00000000 00160170 ntdll!RtlAllocateHeap+0x1c2
0012ef2c 77d0f176 00000400 00000000 00000000 USER32!RegisterClassExWOWA+0x281
0012efb0 77f47dc9 73440000 00000001 00000000 USER32!RegisterClassA+0x37
0012efd0 77f54401 73441040 0012f0d0 77f54546 ntdll!LdrpCallInitRoutine+0x14
0012f0d4 77f52725 00000000 0014233a 00000000 ntdll!LdrpRunInitializeRoutines+0x34e
0012f3cc 77d1dc95 77d1dc9d 00690057 00650073 ntdll!LdrpLoadDll+0x406

CALLSTACK FOR PROCESS4
---------------------------------------------
*** WARNING: Unable to verify checksum for Z:\Process4.exe
*** ERROR: Module load completed but symbols could not be loaded for Z:\Process4.exe
ChildEBP RetAddr  Args to Child
0012fd0c 0040eef9 0042405c 0012fe30 00000000 kernel32!CreateProcessW
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fed4 004011d1 00000005 00000032 00000000 Process4+0xeef9
0012ff30 00401563 00400000 00000000 00142347 Process4+0x11d1
0012ffc0 77e4f38c 00000000 00000000 7ffdf000 Process4+0x1563
0012fff0 00000000 00401450 00000000 78746341 kernel32!BaseProcessStart+0x23
From: Jochen Kalmbach [MVP] on 10 Oct 2006 08:33

Hi knowledgeseeker!

> What is the WIN32 API that calls SHELL32!_SHCreateProcess, instead of
> CreateProcessW.

> SHELL32!_SHCreateProcess+0x28e
> 0012ca84 7739503e 0012cae8 00168f50 77394fb2 ....
> SHELL32!ShellExecuteExA+0x1b0

ShellExecute(Ex) !?

Greetings
Jochen
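The posted stack shows the Wise stub (GLC53.tmp) going through ShellExecuteExA, which converts its strings and calls ShellExecuteExW, which then reaches kernel32!CreateProcessW via SHCreateProcess. The following WinDbg breakpoints are an added example, not part of the thread and not code from either poster: they log what the target passes to ShellExecuteExW (lpVerb, lpFile, lpParameters) and to CreateProcessW (lpApplicationName, lpCommandLine), then step out of each call and print its return value plus the last error, so the strings myb.exe passes can be compared directly with what process4 passes. It assumes a 32-bit target, as the 8-digit ChildEBP values in the post indicate (stdcall, first argument at [esp+4]), and the x86 layout of SHELLEXECUTEINFOW (lpVerb at +0xC, lpFile at +0x10, lpParameters at +0x14, hInstApp at +0x20); the pseudo-register $t0 is used only to keep the structure pointer across gu.

```windbg
$$ Added example (not from the thread). x86 only: arguments are read from the stack.
$$ Set up symbols for the system DLLs so shell32/kernel32 exports resolve.
.symfix
.reload

$$ Break on every ShellExecuteExW(SHELLEXECUTEINFOW *pExecInfo).
$$ ShellExecuteExA forwards to ShellExecuteExW (see the posted stack), so one
$$ breakpoint catches both variants. Offsets below are the x86 SHELLEXECUTEINFOW
$$ layout (assumed): lpVerb +0xC, lpFile +0x10, lpParameters +0x14, hInstApp +0x20.
bp SHELL32!ShellExecuteExW "r $t0 = poi(@esp+4); .echo == ShellExecuteExW lpVerb / lpFile / lpParameters:; .if (poi(@$t0+0xc)) { du poi(@$t0+0xc) } .else { .echo (lpVerb NULL = default verb) }; du poi(@$t0+0x10); .if (poi(@$t0+0x14)) { du poi(@$t0+0x14) } .else { .echo (lpParameters NULL) }; gu; .echo -- ShellExecuteExW returned (eax = BOOL), then hInstApp (SE_ERR_* value if it failed):; r @eax; dd @$t0+0x20 L1; .if (@eax == 0) { !gle }; g"

$$ Break on every CreateProcessW and show the two strings worth comparing with
$$ process4: lpApplicationName ([esp+4]) and lpCommandLine ([esp+8]).
bp KERNEL32!CreateProcessW ".echo == CreateProcessW lpApplicationName / lpCommandLine:; .if (poi(@esp+4)) { du poi(@esp+4) } .else { .echo (lpApplicationName NULL) }; .if (poi(@esp+8)) { du poi(@esp+8) } .else { .echo (lpCommandLine NULL) }; gu; .echo -- CreateProcessW returned (eax = BOOL):; r @eax; .if (@eax == 0) { !gle }; g"

$$ List the breakpoints, then let the target run; output appears as calls happen.
bl
g
```

Read the output top down: the ShellExecuteExW line shows the verb and file the shell was asked to resolve, and the CreateProcessW line shows the application name and command line the shell actually built from them, which is where a quoting, working-directory or drive-letter difference between myb.exe and process4 would show up. If CreateProcessW returns 0, !gle prints the Win32 error for that specific failure; if ShellExecuteExW returns 0 without CreateProcessW ever being reached, the shell refused the request before creating a process, and hInstApp (dumped with dd) carries the SE_ERR_* reason. On a 64-bit target the first argument is passed in rcx rather than on the stack and the structure offsets double, so the breakpoint bodies would need to be rewritten.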