Today I had a problem where a cmd.exe process spawned by a Windows service was hanging. To investigate this, I attached to the cmd.exe process with WinDbg.
0:005> ~1 kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0146d27c 769d288a 004f012c 00000000 00000000 USER32!WaitMessage+0x15
0146d2a8 769d27b8 71800000 01c28f68 00000000 USER32!DialogBoxIndirectParamAorW+0x108
0146d2c8 769d2aa1 71800000 01c28f68 00000000 USER32!DialogBoxIndirectParamAorW+0x36
0146d2ec 7180c28f 71800000 00001140 00000000 USER32!DialogBoxParamW+0x3f
0146d310 71806be3 71800000 00001140 00000000 SHDOCVW!DllGetVersion+0x1707
0146d32c 71806ef1 00000000 00001140 0146d384 SHDOCVW!DllCanUnloadNow+0x39fd
0146f65c 74ff6f8a 00000000 0086c384 0086b228 SHDOCVW!Ordinal228+0x305
0146f688 74e3647e 0086c384 0086c384 0086b228 SHELL32!Ordinal733+0x250b0
0146f6a0 74e3545a 0086c384 0086b228 0086b230 SHELL32!ShellExecuteW+0x222e
0146f6bc 74e34da2 0086b230 00855228 0146f6ec SHELL32!ShellExecuteW+0x120a
0146f6cc 74e4f6f5 0086b230 00855228 0086b228 SHELL32!ShellExecuteW+0xb52
0146f6ec 74e34e94 0086b230 0085bbb4 00855230 SHELL32!Ordinal99+0x166
0146f710 74e4f777 00000000 00865210 7680342e SHELL32!ShellExecuteW+0xc44
0146f730 74e3532d 00855230 00000000 0085ded8 SHELL32!Ordinal99+0x1e8
0146f75c 74e41cf8 00865210 00000000 0085ded8 SHELL32!ShellExecuteW+0x10dd
0146f778 74e41f26 00000000 00851588 09d10b99 SHELL32!ShellExecuteExW+0x12c
0146f78c 768046bc 0085ded8 00000000 00000000 SHELL32!ShellExecuteExW+0x35a
0146f814 76333677 0040f17c 0146f860 771e9d42 SHLWAPI!IUnknown_QueryService+0x15b
0146f820 771e9d42 0040f17c 7655566c 00000000 kernel32!BaseThreadInitThunk+0x12
0146f860 771e9d15 768045e9 0040f17c 00000000 ntdll!RtlInitializeExceptionChain+0x63
0146f878 00000000 768045e9 0040f17c 00000000 ntdll!RtlInitializeExceptionChain+0x36
It looks like the thread is blocked in a DialogBox call. We can inspect its arguments (here the dialog template at 01c28f68) to see what the dialog says:
0:005> dc 01c28f68 L50
01c28f68 ffff0001 00000000 00000000 80c80ac0 ................
01c28f78 00000011 01090000 000000a9 00460000 ..............F.
01c28f88 006c0069 00200065 006f0044 006e0077 i.l.e. .D.o.w.n.
01c28f98 006f006c 00640061 00080000 00000000 l.o.a.d.........
01c28fa8 0053004d 00530020 00650068 006c006c M.S. .S.h.e.l.l.
01c28fb8 00440020 0067006c 00000000 00000000 .D.l.g.........
01c28fc8 00000000 50000080 000a000a 001400f5 .......P........
01c28fd8 00001141 0082ffff 006f0044 00790020 A.......D.o. .y.
01c28fe8 0075006f 00770020 006e0061 00200074 o.u. .w.a.n.t. .
01c28ff8 006f0074 006f0020 00650070 0020006e t.o. .o.p.e.n. .
01c29008 00680074 00730069 00660020 006c0069 t.h.i.s. .f.i.l.
01c29018 003f0065 00000000 00000000 00000000 e.?.............
01c29028 50000003 001e000a 00140015 00001142 ...P........B...
01c29038 0082ffff 00000000 00000000 00000000 ................
01c29048 50000082 001e002b 000c0020 0000ffff ...P+... .......
01c29058 0082ffff 0061004e 0065006d 0000003a ....N.a.m.e.:...
01c29068 00000000 00000000 00000000 50010004 ...............P
01c29078 001e0051 000c00ac 00001143 00790053 Q.......C...S.y.
01c29088 004c0073 006e0069 0000006b 00000000 s.L.i.n.k.......
01c29098 00000000 00000000 50000082 002a0029 ...........P).*.
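
The dump above starts with the 0xFFFF signature of an extended dialog template, so it can be decoded field by field instead of read from the ASCII column. The following Python is an added example, not part of the original post: it assumes the documented DLGTEMPLATEEX / DLGITEMTEMPLATEEX layout, uses function names of my own choosing, and takes its input DWORDs from the first rows of the `dc` output.

```python
import struct

# DWORDs copied from the `dc 01c28f68` output above (rows 01c28f68..01c29018),
# addresses and ASCII column dropped, two dump rows per line.
DWORDS = """
ffff0001 00000000 00000000 80c80ac0 00000011 01090000 000000a9 00460000
006c0069 00200065 006f0044 006e0077 006f006c 00640061 00080000 00000000
0053004d 00530020 00650068 006c006c 00440020 0067006c 00000000 00000000
00000000 50000080 000a000a 001400f5 00001141 0082ffff 006f0044 00790020
0075006f 00770020 006e0061 00200074 006f0074 006f0020 00650070 0020006e
00680074 00730069 00660020 006c0069 003f0065 00000000 00000000 00000000
"""

def to_bytes(dwords):
    """Undo dc's DWORD grouping: each value is little-endian in memory."""
    return b"".join(struct.pack("<I", int(d, 16)) for d in dwords.split())

def sz_or_ord(buf, off):
    """Read an sz_Or_Ord field: 0x0000 = absent, 0xFFFF + WORD = ordinal, else UTF-16 text."""
    first, = struct.unpack_from("<H", buf, off)
    if first == 0x0000:
        return None, off + 2
    if first == 0xFFFF:
        return struct.unpack_from("<H", buf, off + 2)[0], off + 4
    end = off
    while buf[end:end + 2] != b"\0\0":
        if end + 2 > len(buf):
            raise ValueError("string runs past the dump; dump more memory")
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2

def parse_dlgtemplateex(buf):
    """Decode the dialog header and the first control of a DLGTEMPLATEEX."""
    ver, sig, _help, _exstyle, style, count = struct.unpack_from("<HHIIIH", buf)
    if (ver, sig) != (1, 0xFFFF):
        raise ValueError("no DLGTEMPLATEEX signature (classic DLGTEMPLATE?)")
    off = 26                                  # fixed header incl. x, y, cx, cy
    _menu, off = sz_or_ord(buf, off)
    _wndclass, off = sz_or_ord(buf, off)
    title, off = sz_or_ord(buf, off)
    font = None
    if style & 0x40:                          # DS_SETFONT: font block follows
        font, off = sz_or_ord(buf, off + 6)   # skip pointsize, weight, italic, charset
    off = (off + 3) & ~3                      # DLGITEMTEMPLATEEX is DWORD-aligned
    ctl_id, = struct.unpack_from("<I", buf, off + 20)
    ctl_class, off = sz_or_ord(buf, off + 24)
    text, off = sz_or_ord(buf, off)
    return {"title": title, "font": font, "controls": count,
            "first_control": {"id": ctl_id, "class": ctl_class, "text": text}}
```

Calling `parse_dlgtemplateex(to_bytes(DWORDS))` returns the dialog title, font, control count and the first control's text; class ordinal 0x0082 is the predefined static (label) control.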