How to enable pageheap against a process such as Print Spooler
From time to time, you will see Print Spooler crashes (spoolsv.exe) and the initial analysis shows heap corruption.
In the past, we used a tool called pageheap.exe. On current systems (newer than 2008), instead of using pageheap.exe we have two different tools:
Microsoft Application Verifier (AppVerif.exe) (Preferred)
and
Microsoft Global Flags Editor (GFlags.exe) (Alternate)
Where could I download AppVerifier?
https://www.microsoft.com/downloads/en/default.aspx, use keyword: application verifier
Microsoft Application Verifier
https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c4a25ab9-649d-4a1b-b4a7-c9d8b095df18
Once you install it, go to Start, All Programs, Application Verifier (x64)\Application Verifier (x64)
or C:\Program Files\Application Verifier (x64)\Application Verifier (x64)
which is a shortcut to C:\Windows\System32\appverif.exe
To enable pageheap using AppVerifier (Preferred):
--
Click on File, Add Application, and go to the path where the .exe lives.
For example:
C:\Windows\System32\spoolsv.exe
By default, it checks almost everything under “Basics” except for InputOutput.
If you are troubleshooting the Print Spooler service, uncheck the box for “TLS”. If you don’t uncheck TLS, you could end up getting a dump that is not needed.
Stop and restart the process.
If this is the Print Spooler service:
Click on Start, CMD (Run as administrator)
Net Stop Spooler
Net Start Spooler
Once you are done troubleshooting:
You want to make sure to disable it by doing the following:
Start, All Programs, Application Verifier (x64)\Application Verifier (x64)
or C:\Program Files\Application Verifier (x64)\Application Verifier (x64)
which is a shortcut to C:\Windows\System32\appverif.exe
Under “Applications” (Image Name)
Right click on the .exe
Click on “Delete Application”
Stop and restart the process.
Where could I download GFlags?
https://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#b
https://www.microsoft.com/whdc/devtools/debugging/install64bit.mspx
To enable pageheap using GFlags (Alternate):
--
For example:
gflags.exe /p /enable ServiceorExecutableName.exe /full /decommit
Note: Where ServiceorExecutableName.exe is the actual process such as spoolsv.exe
Stop and restart the process.
If this is the Print Spooler service:
Click on Start, CMD (Run as administrator)
Net Stop Spooler
Net Start Spooler
Note: If the crash does not occur after enabling pageheap, then you will have to add this additional switch:
/backwards    Catch backwards overruns.
Caution: Keep an eye on Virtual memory, you might have to increase pagefile size.
For example: gflags.exe /p /enable ServiceExecutableName.exe /full /decommit /backwards
Other example: gflags.exe /p /enable ServiceExecutableName.exe /full +ust +hpa +02000000 /decommit
Once you are done troubleshooting:
You want to make sure to disable it by using the following command:
gflags.exe /p /disable ServiceExecutableName.exe
Stop and restart the process.
So what is it doing behind the scenes? It writes the settings for the image under the following registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
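The following read-only check is an added example, not part of the original article or of any Microsoft tool. It looks under that key for a given image and reports whether page heap settings are still present after you are done troubleshooting. The value names (GlobalFlag, PageHeapFlags, VerifierDlls, VerifierFlags) and the script's parameter and function names are assumptions of this example.

```powershell
# Added example: report page heap / Application Verifier settings left under
# Image File Execution Options (IFEO) for one image. Reads only, changes nothing.
param([string]$ImageName = 'spoolsv.exe')   # image name from the article's example

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Assumption: value names written by GFlags / Application Verifier for heap checks.
$valueNames = 'GlobalFlag', 'PageHeapFlags', 'VerifierDlls', 'VerifierFlags'
$hpaFlag = 0x02000000                       # "hpa" bit, as in the +02000000 example

function ConvertTo-FlagValue($v) {
    # The value may be stored as a string such as "0x02000000" or as a DWORD.
    if ($v -is [string]) { return [Convert]::ToUInt32($v, 16) }
    return [uint32]([int64]$v -band 4294967295)
}

$key = Join-Path $ifeo $ImageName
if (-not (Test-Path -LiteralPath $key)) {
    "No IFEO key for ${ImageName}: page heap is not configured."
}
else {
    $props = Get-ItemProperty -LiteralPath $key
    $found = foreach ($n in $valueNames) {
        if ($null -ne $props.$n) {
            [pscustomobject]@{ Value = $n; Data = $props.$n }
        }
    }
    if (-not $found) {
        "IFEO key exists for $ImageName but holds no heap-verification values."
    }
    else {
        $found | Format-Table -AutoSize
        $enabled = $false
        if ($null -ne $props.GlobalFlag) {
            $enabled = [bool]((ConvertTo-FlagValue $props.GlobalFlag) -band $hpaFlag)
        }
        if ($enabled) {
            "Page heap is still ENABLED for $ImageName. Disable it and restart the process."
        }
        else {
            "Verifier values remain for $ImageName, but the page heap flag is not set."
        }
    }
}
```

Save it as a .ps1 file and run it from an elevated prompt once before enabling pageheap and once after disabling it; the second run should report no heap-verification values.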
For more information:
286470 How to use Pageheap.exe in Windows XP, Windows 2000, and Windows Server 2003
https://support.microsoft.com/?id=286470