Attaching a debugger the moment a program starts

A method you can use when you need to debug a process that runs as soon as the system boots, when you need to debug a child process, or in other cases where attaching a debugger is awkward.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>

Under this key, create a subkey named after the program's executable.

e.g. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

Beneath it, create a string value named Debugger whose data is the path to the debugger.

Debugger : REG_SZ : <full path of debugger>

For a 32-bit process running on x64, the path is slightly different:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>

--

http://blogs.msdn.com/b/mithuns/archive/2010/03/24/image-file-execution-options-ifeo.aspx


How does IFEO work?

Kernel32!CreateProcess, when called without the DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS creation flags, checks the registry to see if IFEO has been set on the executable that it is launching. If yes, then it simply prepends the debugger path to the executable name, effectively getting the executable to launch under the debugger. If you do not specify the correct path to the debugger, then you'll probably get greeted with a "file not found" error. In our notepad/ntsd example above, Kernel32!CreateProcess ends up invoking -

"c:\dbg\ntsd.exe -g  notepad.exe"

Now ntsd eventually launches notepad under the debugger by calling Kernel32!CreateProcess with one of the following creation flags - DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS. The presence of any of these creation flags forces Kernel32!CreateProcess to bypass IFEO options this time around (else we would have been running into an endless loop) and actually launch the executable under the debugger.

IFEO and 64 bit -

A word of caution - For a 32 bit executable running in the WOW on X64 machines, your natural tendency might be to create the registry key in the syswow node -

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>"

However Gregg Miskelly notes that you should set the IFEO corresponding to the bit-ness of the application calling into kernel32!CreateProcess to launch the executable -

"On Win 64, there are two copies of HKEY_LOCAL_MACHINE\Software (one for 32-bit apps, and one for 64-bit apps), and therefore there are two copies of these options. However, where the operating system looks isn't dependent on the bit-ness of the application that is going to be debugged (which is what you would probably expect). Instead, it is dependent on the bit-ness of the application that called CreateProcess."

Other IFEO caveats -

Raymond Chen notes the following caveat in his blog entry -

"If you passed special parameters via the STARTUPINFO structure, those parameters get passed to the debugger. And the PROCESS_INFO that is returned by the CreateProcess function describes the debugger, not the process being debugged."
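The registry steps above, plus the 64-bit/Wow6432Node caveat, as an added PowerShell example that is not part of the original post or the quoted MSDN article. It assumes an elevated session; the two HKLM paths are the ones the post names, and the notepad.exe / C:\dbg\ntsd.exe values are constructed placeholders taken from the quoted example.

```powershell
# Added example, not part of the original post. Requires an elevated PowerShell
# session; HKLM paths are those named in the post, sample values are constructed.
$IfeoRoots = @{
    'x64'   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    'Wow64' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
}

function Get-IfeoDebugger {
    # Audit: list every per-executable subkey, in both registry views, that carries a
    # Debugger value. Each hit means CreateProcess will start that debugger (with the
    # target appended) whenever the named executable is launched.
    foreach ($view in $IfeoRoots.Keys) {
        $root = $IfeoRoots[$view]
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{ View = $view; Executable = $sub.PSChildName; Debugger = $dbg }
            }
        }
    }
}

function Set-IfeoDebugger {
    param(
        [Parameter(Mandatory)][string]$Executable,    # image name only, e.g. 'notepad.exe'
        [Parameter(Mandatory)][string]$DebuggerPath,  # full path, e.g. 'C:\dbg\ntsd.exe -g'
        [ValidateSet('x64', 'Wow64')][string]$View = 'x64'
    )
    # Pick the view by the bitness of the process that will call CreateProcess,
    # not by the bitness of $Executable (see the Gregg Miskelly quote above).
    $key = Join-Path $IfeoRoots[$View] $Executable
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Debugger -Value $DebuggerPath -Type String   # REG_SZ
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Executable, [ValidateSet('x64', 'Wow64')][string]$View = 'x64')
    $key = Join-Path $IfeoRoots[$View] $Executable
    if (Test-Path $key) { Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue }
}

# Usage (constructed sample): route notepad.exe through ntsd, list what is set, then undo.
Set-IfeoDebugger -Executable 'notepad.exe' -DebuggerPath 'C:\dbg\ntsd.exe -g'
Get-IfeoDebugger | Format-Table -AutoSize
Remove-IfeoDebugger -Executable 'notepad.exe'
```

Get-IfeoDebugger alone is useful as a periodic check: any Debugger value you did not set yourself deserves a look, since it silently redirects every launch of that executable.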
