0

I'm quite new to analysing Windows processes, and have during the last week found Xperf very useful, and I have some questions about analysing DLLs.

I was wondering if it is possible to see which registry entries and file paths are used by a specific DLL image used by a process, and with which tools I can achieve this.

If this is not possible, I was wondering what good strategies there are to find out which resources a DLL is using, or alternative approaches.

olovholm
  • Operating system objects like registry key handles are owned by the process, not a DLL. So there's no mechanism to trace ownership back to a DLL, you at best could look at a call stack. – Hans Passant Mar 03 '14 at 16:33

2 Answers

1

You can use Process Explorer for this. Most of the other SysInternals process tools are very useful, too - Process Explorer is just one with a (complex) UI for showing a lot of data. Process Monitor shows real-time registry, file system, etc. access for processes.

xxbbcc
0

Process Monitor and xperf can both record call stacks for every access to a file. You can then examine those call stacks to look for particular DLLs on the call stack.

But your question is really not well formed. What do you mean "used by a specific DLL"? You could have process A which calls into DLL B which calls into DLL C which calls into DLL D which then reads from a file. Which DLL is 'using' that file? B, C, D, or all of them? The only sensible answer is that it depends.

As Hans Passant said, handles are owned by a process not a DLL, and at most you can come up with heuristics to assign 'ownership' to a particular DLL.

Bruce Dawson
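
The call-stack approach from the answers above, as an added example that is not part of the original posts: it applies two attribution heuristics to constructed events and shows how they disagree for the A, B, C, D chain. The record layout is a simplified assumption (not Process Monitor's or xperf's actual export schema), and the module names, paths and `SYSTEM_MODULES` ignore list are hypothetical.

```python
# Added example: attributing recorded file/registry accesses to DLLs by call stack.
from collections import defaultdict

# Assumption: modules that are plumbing for almost every access and so never "own" it.
SYSTEM_MODULES = {"ntoskrnl.exe", "ntdll.dll", "kernelbase.dll", "kernel32.dll", "advapi32.dll"}

# Constructed sample events. Each stack lists module names, innermost frame first.
EVENTS = [
    {"op": "ReadFile", "path": r"C:\ProgramData\Example\settings.ini",
     "stack": ["ntoskrnl.exe", "ntdll.dll", "KernelBase.dll", "D.dll", "C.dll", "B.dll", "A.exe"]},
    {"op": "RegQueryValue", "path": r"HKLM\SOFTWARE\Example\Mode",
     "stack": ["ntoskrnl.exe", "ntdll.dll", "KernelBase.dll", "advapi32.dll", "C.dll", "B.dll", "A.exe"]},
    {"op": "ReadFile", "path": r"C:\Users\Public\Example\cache.bin",
     "stack": ["ntoskrnl.exe", "ntdll.dll", "KernelBase.dll", "B.dll", "A.exe"]},
    {"op": "RegOpenKey", "path": r"HKCU\Software\Example",
     "stack": ["ntoskrnl.exe", "ntdll.dll", "KernelBase.dll", "A.exe"]},
]

def _norm(name):
    # Windows module names are case-insensitive.
    return name.lower()

def accesses_with_module(events, dll):
    """Heuristic 1: every access that has `dll` anywhere on its call stack."""
    dll = _norm(dll)
    return [(e["op"], e["path"]) for e in events
            if dll in (_norm(m) for m in e["stack"])]

def nearest_owner(event, ignore=SYSTEM_MODULES):
    """Heuristic 2: the innermost frame that is not a system module."""
    for module in event["stack"]:
        if _norm(module) not in ignore:
            return module
    return None  # stack consisted only of system modules

def attribute(events):
    """Group accessed paths by the module chosen by heuristic 2."""
    owners = defaultdict(list)
    for e in events:
        owners[nearest_owner(e)].append(e["path"])
    return dict(owners)

if __name__ == "__main__":
    print("B.dll on stack:", accesses_with_module(EVENTS, "B.dll"))
    print("nearest owner :", attribute(EVENTS))
```

Heuristic 1 credits B.dll with three accesses, while heuristic 2 credits it with only the one it issued directly, which is the "it depends" from the answer made concrete.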