Enhanced GFlags Tool

April 3, 2017


The well-known GFlags tool, part of the Debugging Tools for Windows package, allows manipulating a 32-bit flags value that the kernel maintains both globally and per-process. Strictly speaking, GFlags allows changing more than just these flags, such as adding the Debugger value to an image file entry, which indicates which executable should be activated whenever the original image is executed.

GFlags has a crude user interface that has not been updated for ages. The first annoyance with its UI is the lack of a minimize button. Here’s a screenshot:

[screenshot: the GFlags user interface]

The tool provides a way to change flags for three generic cases:

Registry, which means changing the Global Flags value in the registry; this takes effect at the next boot.

Kernel, which means changing the Global Flags value effective immediately (it will not persist to the next boot unless set in the registry as well).

Image File, which means changing the flags on a per-image (executable) basis, affecting new processes created from that image.

Not all flags can be set in Kernel (immediate) mode; the tool hides the options that are invalid there.

The other day I decided to create an enhanced version of the tool, dubbed GflagsX, that would have a friendlier UI (and a minimize button!). Currently, not all functionality of the original GFlags is implemented; hopefully it will be completed sometime in the future (or with community PRs). Here are two screenshots of the Registry and Image tabs:

[screenshot: the Registry tab]

[screenshot: the Image tab]

With the tool, it’s easy to add new image file settings, as well as see all existing images in the Executables Combobox.

The registry-based global flags are stored in the GlobalFlag value under HKLM\System\CurrentControlSet\Control\Session Manager.

The kernel's runtime global flags variable can be queried with the native RtlGetNativeGlobalFlags function and set with NtSetSystemInformation (see NativeMethods.cs in the GflagsX source for the signatures of these functions).

The image-based flags and settings are under the well-known IFEO key at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options with a subkey for each image name (e.g. notepad.exe). The actual flags are in the GlobalFlag value.

The Debugging Tools for Windows documentation describes the various flags and their effects.
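As an added example (not code from this post or from GflagsX), here is a small Python script that parses a .reg export of the IFEO key described above, decodes the GlobalFlag bits of each image subkey and reports any Debugger value, which is what you would want to review before trusting the per-image settings on a machine. The flag table is a subset of the bits in the Debugging Tools documentation (unlisted bits are shown as raw hex), and the sample export is constructed.

```python
import re
# Subset of the GlobalFlag bits documented for GFlags; unlisted bits are shown as hex.
GLOBAL_FLAGS = {
    0x10: "FLG_HEAP_ENABLE_TAIL_CHECK", 0x20: "FLG_HEAP_ENABLE_FREE_CHECK",
    0x40: "FLG_HEAP_VALIDATE_PARAMETERS", 0x80: "FLG_HEAP_VALIDATE_ALL",
    0x100: "FLG_APPLICATION_VERIFIER", 0x400: "FLG_POOL_ENABLE_TAGGING",
    0x1000: "FLG_USER_STACK_TRACE_DB", 0x2000000: "FLG_HEAP_PAGE_ALLOCS",
}
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

def decode_global_flag(value):
    """Split a 32-bit GlobalFlag value into its named bits, lowest bit first."""
    return [GLOBAL_FLAGS.get(1 << b, "0x%08X" % (1 << b))
            for b in range(32) if value & (1 << b)]

def parse_reg_export(text):
    """Parse a .reg export into {key: {name: data}}; dword and string values only.
    String data has its doubled backslashes (the .reg escaping) undone."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):  # start of a new key
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            name, dword, s = m.groups()
            keys[current][name] = int(dword, 16) if dword else s.replace("\\\\", "\\")
    return keys

def audit_ifeo(keys):
    """Per image subkey under IFEO: decoded GlobalFlag bits and any Debugger value."""
    report = {}
    for key, values in keys.items():
        if key.lower().startswith(IFEO.lower() + "\\"):
            entry = {}
            if "GlobalFlag" in values:
                entry["flags"] = decode_global_flag(values["GlobalFlag"])
            if "Debugger" in values:
                entry["debugger"] = values["Debugger"]
            if entry:
                report[key[len(IFEO) + 1:]] = entry
    return report

# Constructed sample export (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:02000030
"Debugger"="C:\\Debuggers\\cdb.exe"
'''
```

Run `audit_ifeo(parse_reg_export(SAMPLE_REG))` to get a per-image dictionary; on a real machine feed it the output of `reg export` for the IFEO key.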

The tool’s code is at http://github.com/zodiacon/gflagsx and a compiled version can be downloaded from here.
