Using gflags "Show loader snaps" with Visual Studio


I'm trying to set "Show Loader Snaps" system-wide in order to see verbose logs when DLLs are loading, but I don't see any additional logs in the Output Console.

'WindowsProject1.exe' (Win32): Unloaded 'C:\Windows\System32\rpcrt4.dll'
'WindowsProject1.exe' (Win32): Unloaded 'C:\Windows\System32\oleaut32.dll'

This is how I set up the option:

Is this enough? There is the same option under the "Kernel Flags" tab but, in that tab, the option cannot be saved (though I have admin rights when running gflags).

Is there a way to check that loader snaps are enabled? What could be wrong?

Neitsa On

There's no mechanism that provides a log of system-wide DLL loader snaps.

"Show Loader Snaps" when applied system-wide only outputs something for kernel driver loading and unloading. (source)

For system-wide (registry or kernel flag), this flag displays information about driver loading and unloading operations.

Thus, you would need a kernel debugger attached to the system to see driver loading and unloading, but it won't work for DLLs.

On the other hand it works per-process:

For per-process (image file), this flag displays information about loading and unloading of DLLs.

As said in the documentation, it works for a single process. In gflags:

  • Go to the "image file" tab and enter the name of the executable (not a full path, just the name of the executable, e.g. foo.exe).

  • Press the tab key.

  • Check the "show loader snaps" checkbox.

  • Start the process with a debugger.

Concerning Visual Studio, you'll see the output in the Output pane:

'Test.exe' (Win32): Loaded 'G:\CPP\Test\x64\Debug\Test.exe'. Symbols loaded.
'Test.exe' (Win32): Loaded 'C:\Windows\System32\ntdll.dll'. Symbols loaded.
23ac:01f4 @ 610683718 - LdrpInitializeProcess - INFO: Beginning execution of Test.exe (G:\CPP\Test\x64\Debug\Test.exe)
    Current directory: G:\CPP\Test\
    Package directories: (null)
23ac:01f4 @ 610683718 - LdrLoadDll - ENTER: DLL name: KERNEL32.DLL
23ac:01f4 @ 610683718 - LdrpLoadDllInternal - ENTER: DLL name: KERNEL32.DLL
23ac:01f4 @ 610683718 - LdrpFindKnownDll - ENTER: DLL name: KERNEL32.DLL
23ac:01f4 @ 610683718 - LdrpFindKnownDll - RETURN: Status: 0x00000000
23ac:01f4 @ 610683718 - LdrpMinimalMapModule - ENTER: DLL name: C:\WINDOWS\System32\KERNEL32.DLL
'Test.exe' (Win32): Loaded 'C:\Windows\System32\kernel32.dll'. Symbols loaded.
23ac:01f4 @ 610683781 - LdrpMinimalMapModule - RETURN: Status: 0x00000000
23ac:01f4 @ 610683781 - LdrpPreprocessDllName - INFO: DLL api-ms-win-core-rtlsupport-l1-1-0.dll was redirected to C:\WINDOWS\SYSTEM32\ntdll.dll by API set
23ac:01f4 @ 610683781 - LdrpFindKnownDll - ENTER: DLL name: KERNELBASE.dll
23ac:01f4 @ 610683781 - LdrpFindKnownDll - RETURN: Status: 0x00000000
23ac:01f4 @ 610683781 - LdrpMinimalMapModule - ENTER: DLL name: C:\WINDOWS\System32\KERNELBASE.dll
'Test.exe' (Win32): Loaded 'C:\Windows\System32\KernelBase.dll'. Symbols loaded.
...
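To answer the "is there a way to check that loader snaps are enabled?" part with something other than watching the Output pane, here is an added PowerShell check (not from the answer above and not part of gflags). It reads the GlobalFlag DWORD that gflags writes, per image under Image File Execution Options and system-wide under Session Manager, and tests bit 0x2 (FLG_SHOW_LDR_SNAPS, the "sls" abbreviation). The image name is assumed to be the bare executable name, exactly as typed on the "Image File" tab.

```powershell
# Added example: report whether FLG_SHOW_LDR_SNAPS is set for an image and system-wide.
# Assumption: $ImageName is the bare executable name gflags expects (e.g. WindowsProject1.exe).
param(
    [Parameter(Mandatory = $true)]
    [string]$ImageName
)

# FLG_SHOW_LDR_SNAPS is bit 0x2 of the GlobalFlag DWORD.
$FLG_SHOW_LDR_SNAPS = 0x2

# Per-process setting: written by the gflags "Image File" tab. Only this one produces DLL output.
$ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ImageName"

# System-wide setting: written by the gflags "System Registry" tab. For this flag it only
# covers driver load/unload, which is why a system-wide setting shows nothing in Visual Studio.
$sysKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"

function Get-GlobalFlag {
    param([string]$Path)
    # Missing key or missing value means no flags are set for that scope.
    $item = Get-ItemProperty -Path $Path -Name GlobalFlag -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    # REG_DWORD comes back as a signed Int32; mask it so the high bit does not break the cast.
    return [uint32]([int64]$item.GlobalFlag -band 0xFFFFFFFF)
}

$perProcess = Get-GlobalFlag -Path $ifeo
$systemWide = Get-GlobalFlag -Path $sysKey

[pscustomobject]@{
    ImageName            = $ImageName
    PerProcessGlobalFlag = ('0x{0:X8}' -f $perProcess)
    PerProcessLdrSnaps   = (($perProcess -band $FLG_SHOW_LDR_SNAPS) -ne 0)
    SystemGlobalFlag     = ('0x{0:X8}' -f $systemWide)
    SystemLdrSnaps       = (($systemWide -band $FLG_SHOW_LDR_SNAPS) -ne 0)
}
```

Reading HKLM needs no elevation, so this can be run from a normal prompt. Even with PerProcessLdrSnaps true, the LdrpInitializeProcess / LdrLoadDll lines only appear when the process is started under a debugger, as the answer notes.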