Reputation: 1356
Windows native development: debuggee tries to load werkernel.sys from system32
I'm investigating the Windows Native API now, Nt*/Zw* methods. I downloaded the WDK, installed it and successfully compiled an application (x64, under Win 8.1 x64, VS2013). The only thing it does is a call to NtOpenFile().
To successfully compile/link it, I had to make the following changes to project properties (template Application For Drivers):
- Add includes folder from WDK
- Add Lib folder from WDK
- Tell linker to use ntoskrnl.lib
Unexpectedly, upon running a debugger, I'm presented with error message "The program can't start because C:\Windows\SYSTEM32\werkernel.sys is missing from your computer. Try reinstalling the program to fix this problem." The werkernel.sys obviously exists in system32\drivers.
EDIT: To be clear, the mentioned error also occurs when launching the app by doubleclicking the icon.
This load happens before any of my code, I can't find anything anywhere in internet nor in project properties on the file in question. So, to summarize, I have the following questions so far:
- Why werkernel.sys is being loaded at all for my application?
- Why is it being loaded from System32?
I understand that it is possible to mklink werkernel.sys drivers\werkernel.sys, but it feels like I'm doing somethig terribly wrong.
Upvotes: 2
Views: 551
Answers (2)
Reputation: 1911
NtOpenFile is what Microsoft calls "internal API", it should not be used for productional software, neither should it be used for experimentation or be used at all, these functions are subject to change between each SP-release or major windows-version.
If you want to open files in user-mode (WDK and usermode? Does not compute ... unless you're actually writing for UMDF) you are advised to use OpenFile :
https://msdn.microsoft.com/en-us/library/windows/desktop/aa365430(v=vs.85).aspx
or in your driver :
https://msdn.microsoft.com/en-us/library/windows/hardware/ff567011(v=vs.85).aspx.
tl;dr : dont use these old functions, they arent meant to be used.
Microsoft statement on "internal" API : https://msdn.microsoft.com/en-us/library/bb432200(v=vs.85).aspx
Upvotes: 1
Reputation: 6224
Linking ntdll.lib rather than ntoskrnl.lib worked for me when I had a similar problem.
Upvotes: 2
Related Questions
- UWP - A debugger is attached to .exe but not configured
- UWP debug/release error with ntdll.dll for LED detection
- Why does my program ask for api-ms-win-crt-runtime-l1-1-0.dll after the runtime debugging?
- UWP Unable to debug .NET compilation code (Release)
- Suppress DebugWrite : "(CoreCLR: CoreCLR_UWP_Domain): Loaded .Cannot find or open the PDB file."
- UWP - .NET Native tool chain compilation error
- Error ILT0005 during compilation with .NET Native tool chain
- Debugging a native dll using rundll32.exe , fail to load symbols
- Unable to load Win32 Native DLL file from C#.NET
- Accessing Windows Native API from User-Mode