3

How to detect the process that caused a GPF?

vikram
  • What are you running? A Windows pre-Win2k? – Yann Ramin May 11 '10 at 05:48
  • I am trying to run an exe in Windows XP, which causes high CPU usage, and I want to know whether it causes a GPF or not. – vikram May 11 '10 at 06:17
  • GPF is a kind of old term from 16-bit Windows. It tends not to be used on Win32, with terms like Access Violation meaning the same thing. A process which is using a lot of CPU time has also obviously not crashed. It is not clear to me what you are asking here. – Stewart May 12 '10 at 02:12

1 Answer

1

I'm not sure I understand your question. GPF - is the situation where a processor issues an interrupt.

If this happens in the user-mode - it's translated into a SEH exception, which in turn may be handled by the process. If it's not handled - the process "crashes". This means an ugly message box is displayed and the process is terminated (depending on the settings the process may also be debugged, a debug dump generated, etc.)

If this happens in the kernel-mode - there are two possibilities. If this happened in a context where exceptions are allowed - a SEH exception is raised and handled (similarly to user-mode). If however the exception is not handled, or the context in which the GPF happened doesn't allow exceptions - the OS shuts down, displaying the so-called BSOD (blue screen of death).

Now about your question, I see several possibilities:

  • OS dies, and you want to know which process made the system call which caused the GPF in the kernel mode. This is possible to discover with kernel debugger attached. You'll also see the driver that caused the error.
  • The GPF happens in the user-mode inside a process, and it's not handled. This process will crash, and you'll definitely know which process was that.
  • The GPF happens inside the process, is handled, and the process continues to run. And you want to be notified about this. For this you can attach to the process with a debugger. Whenever a SEH exception occurs inside a process - the debugger is notified by the OS.
valdo
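The third case in the answer above (a fault that the process handles and survives) can be watched with the Win32 debugging API, which reports every SEH exception to an attached debugger before the target's own handlers run. The following is an added example, not code from the answer: `exception_name` and `pass_to_target` are hypothetical helpers, and it assumes the monitor is built with the same bitness as the target and is allowed to attach to it.

```c
#include <stdio.h>
#include <stdlib.h>

/* NTSTATUS values as defined in the Windows SDK, repeated here so the
   classifier below compiles on any platform. */
#define CODE_ACCESS_VIOLATION 0xC0000005UL
#define CODE_PRIV_INSTRUCTION 0xC0000096UL
#define CODE_BREAKPOINT       0x80000003UL

/* Hypothetical helper: label the codes a protection fault usually surfaces as. */
const char *exception_name(unsigned long code) {
    switch (code) {
    case CODE_ACCESS_VIOLATION: return "access violation";
    case CODE_PRIV_INSTRUCTION: return "privileged instruction";
    case CODE_BREAKPOINT:       return "breakpoint";
    default:                    return "other exception";
    }
}

/* Hypothetical helper: 1 = hand the exception back to the target's own SEH
   handlers; 0 = swallow it (the breakpoint the OS raises on attach). */
int pass_to_target(unsigned long code) { return code != CODE_BREAKPOINT; }

#ifdef _WIN32
#include <windows.h>
int main(int argc, char **argv) {
    DEBUG_EVENT ev;
    if (argc < 2 || !DebugActiveProcess(strtoul(argv[1], NULL, 10))) {
        fprintf(stderr, "usage: %s <pid> (attach failed or no pid)\n", argv[0]);
        return 1;
    }
    DebugSetProcessKillOnExit(FALSE);   /* leave the target running if we exit */
    while (WaitForDebugEvent(&ev, INFINITE)) {
        DWORD cont = DBG_CONTINUE;
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            EXCEPTION_RECORD *r = &ev.u.Exception.ExceptionRecord;
            printf("pid %lu tid %lu: %s 0x%08lX at %p (%s chance)\n",
                   ev.dwProcessId, ev.dwThreadId, exception_name(r->ExceptionCode),
                   r->ExceptionCode, r->ExceptionAddress,
                   ev.u.Exception.dwFirstChance ? "first" : "second");
            if (pass_to_target(r->ExceptionCode)) cont = DBG_EXCEPTION_NOT_HANDLED;
        } else if (ev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT) {
            CloseHandle(ev.u.CreateProcessInfo.hFile);   /* handle is ours to close */
        } else if (ev.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT) {
            CloseHandle(ev.u.LoadDll.hFile);
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, cont);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) break;
    }
    return 0;
}
#endif
```

A "first chance" line followed by continued execution is the handled case; a "second chance" line means no handler in the target took the exception and it is about to crash.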