X64dbg: Can't start debug explorer.exe, attach works

Created on 14 Sep 2016  ·  6 Comments  ·  Source: x64dbg/x64dbg

Windows 10 with UAC set to least prompting. X64Dbg running as administrator with working Debug Privilege. When I start explorer.exe from X64Dbg it breaks on the entry point and debugging works until something causes X64dbg to detach with a message "Debugging stopped". Explorer.exe continues to run like normal.

bug not reproduced

All 6 comments

Isn't this default behavior? Explorer.exe exits when there's more than 1 instance?

@Nukem9 I have killed Explorer beforehand. Anyway, I can't open Explorer.exe at all anymore - I get "Debugging stopped" and Explorer.exe starts as normal.

So I took a look at this and this isn't an issue with x64dbg, but rather the behavior of Explorer.exe.
The same behavior can be seen using OllyDbg.

In short, if Explorer.exe is already running, the new explorer.exe will call a function named StartExplorerWindow using ShellExecute and the verb "opennewwindow"; this spawns a new Explorer window and then it exits the Explorer.exe process.

There are also some checks made in the registry before this happens which lead me to believe there is a way around this. This could be worth a try:
https://msdn.microsoft.com/en-us/library/windows/desktop/cc144064(v=vs.85).aspx

So it is just spawning a new process using ShellExecute and then exiting, which is why you're seeing the new Explorer Window but the debugger is reporting the process terminating.

If you want to see this behavior yourself, you can:

  1. Download Symbols for explorer under the debugger
  2. Go to Symbols Tab and Search for the StartExplorerWindow Export and set a BP
  3. Run Debugger.
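
The hand-off described in the comment above can also be confirmed without a debugger. This is an added example, not code from the thread or from x64dbg; the function name `Test-ExplorerHandOff` and the timeout are assumptions, and it expects a desktop session where the shell explorer.exe is already running.

```powershell
# Added example: launch a second explorer.exe and record whether the launched
# process exits on its own while the pre-existing shell instance keeps running.
function Test-ExplorerHandOff {
    param([int]$TimeoutMs = 15000)   # assumed wait limit for the launched instance

    # PIDs of explorer.exe instances that exist before the launch.
    $before = @(Get-Process -Name explorer -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Id })

    # Start a new instance the way "open" in a debugger would, minus the debug flags.
    $launched = Start-Process -FilePath "$env:WINDIR\explorer.exe" -PassThru
    $exited   = $launched.WaitForExit($TimeoutMs)

    # PIDs of explorer.exe instances that exist after the launch has settled.
    $after = @(Get-Process -Name explorer -ErrorAction SilentlyContinue |
               ForEach-Object { $_.Id })

    [pscustomobject]@{
        LaunchedPid    = $launched.Id
        LaunchedExited = $exited
        PidsBefore     = $before
        PidsAfter      = $after
        # Instances that are neither the old shell nor the process we started.
        OtherNewPids   = @($after | Where-Object {
                              $_ -notin $before -and $_ -ne $launched.Id })
    }
}

$result = Test-ExplorerHandOff
$result | Format-List

if ($result.LaunchedExited -and $result.PidsBefore.Count -gt 0) {
    "Launched PID $($result.LaunchedPid) exited by itself; the new window " +
    "belongs to another explorer.exe instance, so a debugger that started " +
    "that PID reports the debuggee as terminated."
} elseif (-not $result.LaunchedExited) {
    "Launched PID $($result.LaunchedPid) is still running; no hand-off was observed."
}
```

If `LaunchedExited` is true while the PIDs in `PidsBefore` are still present in `PidsAfter`, the "Debugging stopped" message matches a normal process exit of the launcher instance rather than a debugger detach.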

@blaquee Thanks for clearing this up! Too bad the hidden menu doesn't work for Windows 10... Any other ways you could suggest except modifying Explorer to start the shell in suspended mode?

Assumed to be not an issue in x64dbg, comment if I'm wrong.
