Freigeben über

How to enable pageheap against a process such as Print Spooler

  • Artikel

From time to time, you will see Print Spooler crashes (spoolsv.exe) and the initial analysis shows heap corruption.

In the past, we used to use a tool called pageheap.exe.  At present time (newer than 2008) instead of using pageheap.exe we have two different tools:

Microsoft Application Verifier (AppVerif.exe) (Preferred)
and
Microsoft Global Flags Editor (GFlags.exe) (Alternate)

 

Where could I download AppVerifier?
https://www.microsoft.com/downloads/en/default.aspx, use keyword: application verifier

Microsoft Application Verifier
https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c4a25ab9-649d-4a1b-b4a7-c9d8b095df18

Once you install it Start, All Programs, Application Verifier (x64)\Application Verifier (x64)

or C:\Program Files\Application Verifier (x64)\Application Verifier (x64)

which is a shortcut to C:\Windows\System32\appverif.exe

 

To enable pageheap using AppVerifier (Preferred):

--

Click on File, Add Application, And go to to the path where the .exe lives.

For example:

C:\Windows\System32\spoolsv.exe

 

By default, it checks almost everything under “Basics” except for InputOutput.

If you are troubleshooting the Print Spooler service, uncheck the box for “TLS”.  If you don’t uncheck TLS, you could end up getting a dump that is not needed.

Stop and restart the process.

If this was the Print Spooler service.

Click on Start, CMD (Run as administrator)
Net Stop Spooler

Net Start Spooler

Once you are done troubleshooting:

You want to make sure to disable it by doing the following:

Start, All Programs, Application Verifier (x64)\Application Verifier (x64)

or C:\Program Files\Application Verifier (x64)\Application Verifier (x64)

which is a shortcut to C:\Windows\System32\appverif.exe

Under “Applications” (Image Name)

Right click on the .exe

Click on “Delete Application”

Stop and restart the process.

 

Where could I download GFlags?
https://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#b
https://www.microsoft.com/whdc/devtools/debugging/install64bit.mspx

To enable pageheap using GFlags (Alternate):
--
For example:
gflags.exe /p /enable ServiceorExecutableName.exe /full /decommit

Note: Where ServiceorExecutableName.exe is the actual process such as spoolsv.exe

Stop and restart the process.

If this was the Print Spooler service.

Click on Start, CMD (Run as administrator)
Net Stop Spooler

Net Start Spooler

Note: If the crash does not occur after enabling pageheap, then you will have to use this additional command:
/backwards              Catch backwards overruns.
Caution:  Keep an eye on Virtual memory, you might have to increase pagefile size.

For example: gflags.exe /p /enable ServiceExecutableName.exe /full /decommit /backwards

Other example: gflags.exe /p /enable ServiceExecutableName.exe /full +ust +hpa +02000000 /decommit

 

Once you are done troubleshooting:

You want to make sure to disable it by using the following command:

gflags.exe /p /disable ServiceExecutableName.exe

Stop and restart the process.

 

So what is it doing behind the scenes?  It is enabling the following registry key:

HKLM\Spftware\Microsoft\Windows Nt\CurrentVersion\Image File Execution Options

For more information:
286470 How to use Pageheap.exe in Windows XP, Windows 2000, and Windows Server 2003
https://support.microsoft.com/?id=286470