Debugging using API Monitor | Richard Rudek

http://rrudek.wordpress.com/2008/01/14/debugging-using-api-monitor/

Richard Rudek

Debugging using API Monitor


Posted on January 14, 2008

I've been using BartPE in quite a lot of my maintenance and troubleshooting tasks for quite a while. But there was one thing lacking: being able to defragment. Sure, there were some add-ons for things like O&O Defrag, but I'm a naturally suspicious fellow. Plus, I was curious as to why nobody (at that stage) had done it. Anyway, fast forward to the new year break, where I decided to give it a crack; it can't be that hard, right? Well, the short answer is to go and use Ultimate Boot CD. The long answer: take a look at the sorts of things you'll need to be doing, as mentioned in this article. But in my usual fleeting style (I do have bills to pay), I'm only going to steer you in the right direction with regard to the process. It's not a tutorial.

When working on stuff like this, it's much easier to use a Virtual Machine. In this case I used VMWare Workstation, though you could just as easily have used Virtual PC 2007. I found a spare 256MB VPC with XP SP2, and booted up BartPE. I then started using the Debugging Tools, which I have on a network share. Basically, you install the Debugging Tools on a host system, then copy its folder, in its entirety, to the share; the Debugging Tools help file has a topic on running on Windows 9x platforms, which is the basic process I'm talking about here.

The first problem with using the Debugging Tools under BartPE is that it didn't have enough of the Internet/Networking stack for symbols to download. Fine, I could point it at a folder on the network that another system can populate for me; tedious, to say the least. Then there was the issue with the defrag programs themselves: they use COM Automation, both the GUI and command-line versions. So it didn't take long to realise that this was not going to be easy. I worked my way through to almost getting COM up and running under BartPE when I eventually found a discussion on one of the Ultimate Boot CD forums which effectively enumerated what I had done so far, plus more.

In their case, however, they used a shotgun approach, injecting whole swaths of the registry entries from a non-PE system, and whittling down. Instead of my approach, which was to find what's needed, and then add it. Anyway, I downloaded the most recent version of UBCD and saw that they had the full MS Defrag, GUI and command-line, working. With that, I was just about to pack it in when I remembered API Monitor and thought, geeze, I probably could have saved myself a whole lot of pain by using that. So I quickly extracted it to a network folder, and gave it a try. Here's a quick rundown on how I used it.

Accessing the program from a PE disk

This is easy. Once the networking is set up, I just open a command prompt and type in:

27/04/2013 7:21

Debugging using API Monitor | Richard Rudek

http://rrudek.wordpress.com/2008/01/14/debugging-using-api-monitor/

net use z: \\{server}\{share}

where {server} and {share} are the particular server and share names on your network. That then initiates a login, asking me for a username and password. Note that using the /user command-line option does not work on my network. It obviously has something to do with the login method (NTLMv2, etc.). Once I have my z: drive, I can just run it using the Go (Start), Run menu option: z:\tools\apimon\apimonitor.exe

OK, with API Monitor up and running, let's set it up to log all of the user-mode API calls made by defrag.exe.

1. Set up the process filters

Here, I know that defrag.exe will start up dfrgntfs.exe, so I add them both to the include list. That is, I click the spanner and hammer icon in the toolbar, click the Include Filter option, then type defrag into the Process text-box, press Enter, type dfrgntfs, press Enter, and then click the OK button to dismiss the dialog.

2. Set up the API filter

We're only interested in the user-mode APIs, so after clicking the funnel (with filter paper) icon in the toolbar, select all of the Win32 API items (Select All at the bottom).


3. Start capturing

Click the camera icon in the toolbar.

4. Run defrag.exe

Now run defrag.exe by using the Load Process option in the Capture menu.


5. Examine the results

Double-clicking an entry, as shown above, brings up an API Details dialog. Obviously the documentation icon is not going to work from a PE environment (the Help icon button next to the API Called panel). But if you save the log, you can reopen it (using API Monitor) on a system that has the old MSDN Library installed (the one not using DExplorer), and API Monitor will take you to the appropriate page.
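The point of the capture is the "find what's needed, then add it" approach: pull out the registry lookups and COM class activations that failed inside the PE environment, because those are the entries the defrag tools expect. The script below is an added example, not code from the original post or from API Monitor; the trace format, the sample lines and the placeholder CLSID are all constructed for it, and a saved API Monitor log would need its own column mapping.

```python
"""Triage a user-mode API trace for registry and COM lookups that failed.

Constructed trace format (one call per line, tab separated):
    process  API name  first argument  return value  last error
"""
from collections import defaultdict

ERROR_FILE_NOT_FOUND = 2          # Win32 last-error for a missing key or value
REGDB_E_CLASSNOTREG = 0x80040154  # COM HRESULT: class not registered

# Constructed sample trace; the CLSID is a placeholder, not a real class id.
SAMPLE_TRACE = """\
defrag.exe\tCoInitializeEx\tNULL\t0x00000000\t0
defrag.exe\tRegOpenKeyExW\tHKLM\\SOFTWARE\\Classes\\CLSID\\{12345678-1234-1234-1234-123456789ABC}\t2\t2
defrag.exe\tCoCreateInstance\t{12345678-1234-1234-1234-123456789ABC}\t0x80040154\t0
dfrgntfs.exe\tRegOpenKeyExW\tHKLM\\SYSTEM\\CurrentControlSet\\Services\\Dfrg\t0\t0
dfrgntfs.exe\tRegQueryValueExW\tHKLM\\SOFTWARE\\Microsoft\\Dfrg\\BootOptimizeFunction\t2\t2
"""


def parse_trace(text):
    """Split the trace into dicts; return and error columns become ints."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proc, api, arg, ret, err = line.split("\t")
        rows.append({"process": proc, "api": api, "arg": arg,
                     "ret": int(ret, 0), "err": int(err, 0)})
    return rows


def missing_registry_entries(rows):
    """Map each process to the sorted registry paths its Reg* calls could not find."""
    missing = defaultdict(set)
    for r in rows:
        if r["api"].startswith("Reg") and r["err"] == ERROR_FILE_NOT_FOUND:
            missing[r["process"]].add(r["arg"])
    return {proc: sorted(keys) for proc, keys in missing.items()}


def unregistered_classes(rows):
    """CLSIDs that CoCreateInstance rejected because they are not registered."""
    return [r["arg"] for r in rows
            if r["api"] == "CoCreateInstance" and r["ret"] == REGDB_E_CLASSNOTREG]


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for proc, keys in missing_registry_entries(trace).items():
        print(proc, "needs:", *keys, sep="\n  ")
    print("unregistered classes:", unregistered_classes(trace))
```

Each key or CLSID the script lists is a candidate entry to export from a full system and import into the PE image, after which a second capture shows whether anything else is still missing.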


Have fun
