Home             Change View

Print

Forensics Example

Previous  Top  Next

To illustrate how Log Monitor can be used to delve into application problems, in this section uses an example to illustrate. Here cmd.exe is packaged with Thinstall and run with logging being recorded.

To simulate an application behaving incorrectly, a simple invalid command is issued. In this case, we have requested cmd.exe to execute the command "foobar," and cmd.exe prints out the message "'foobar' is not recognized as an internal or external command." By viewing the resulting trace file we can dig into what cmd.exe is doing in much greater detail and learn how it operates. All applications will manifest misbehavior in different ways, so there is no one set way to track down issues.



The first place to check in a log file is the section near the end labeled "---- Potential Errors Detected ---".

In this section, you can find all the API functions in which the GetLastError code was modified. The paths highlighted in bold indicate locations that cmd.exe was looking for foobar, and paths in red indicate locations in the virtual file system that were probed for these file system probes.

----  Potential Errors Detected ---
*** Unable to determine if any services need to be auto-started, error 2
001550 *** FindFirstFileW 'C:\test\cmd_test\bin\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe C:\test\cmd_test\bin\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW ->HANDLE=ffffffffh .. *** GetLastError() returns 2 [203]: The system cannot find the file specified.
*** FindFirstFileW 'C:\test\cmd_test\bin\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %drive_C%\test\cmd_test\bin\foobar][fs entry not found %drive_C%\test\cmd_test\bin]
*** FindFirstFileW 'C:\WINDOWS\system32\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe C:\WINDOWS\system32\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW 'C:\WINDOWS\system32\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %SystemSystem%\foobar]
*** FindFirstFileW 'C:\WINDOWS\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe C:\WINDOWS\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW 'C:\WINDOWS\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %SystemRoot%\foobar]
*** FindFirstFileW 'C:\WINDOWS\System32\Wbem\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe C:\WINDOWS\System32\Wbem\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW 'C:\WINDOWS\System32\Wbem\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %SystemSystem%\Wbem\foobar]
*** FindFirstFileW 'c:\program files\subversion\bin\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe c:\program files\subversion\bin\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW 'c:\program files\subversion\bin\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %ProgramFilesDir%\subversion\bin\foobar][fs entry not found %ProgramFilesDir%\subversion\bin]
*** FindFirstFileW 'c:\Program Files\Microsoft SQL Server\90\Tools\binn\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe c:\Program Files\Microsoft SQL Server\90\Tools\binn\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW 'c:\Program Files\Microsoft SQL Server\90\Tools\binn\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %ProgramFilesDir%\Microsoft SQL Server\90\Tools\binn\foobar][fs entry not found %ProgramFilesDir%\Microsoft SQL Server\90\Tools\binn]
*** FindFirstFileW 'c:\bin\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe c:\bin\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW 'c:\bin\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %drive_c%\bin\foobar][fs entry not found %drive_c%\bin]
*** FindFirstFileW 'C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW 'C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %ProgramFilesDir%\Microsoft Visual Studio\Common\Tools\WinNT\foobar][fs entry not found %ProgramFilesDir%\Microsoft Visual Studio\Common\Tools\WinNT]
*** FindFirstFileW 'C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW 'C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %ProgramFilesDir%\Microsoft Visual Studio\Common\MSDev98\Bin\foobar][fs entry not found %ProgramFilesDir%\Microsoft Visual Studio\Common\MSDev98\Bin]
*** FindFirstFileW 'C:\Program Files\Microsoft Visual Studio\Common\Tools\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe C:\Program Files\Microsoft Visual Studio\Common\Tools\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW 'C:\Program Files\Microsoft Visual Studio\Common\Tools\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %ProgramFilesDir%\Microsoft Visual Studio\Common\Tools\foobar][fs entry not found %ProgramFilesDir%\Microsoft Visual Studio\Common\Tools]
*** FindFirstFileW 'C:\Program Files\Microsoft Visual Studio\VC98\bin\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe C:\Program Files\Microsoft Visual Studio\VC98\bin\foobar.* -> ffffffffh][no virtual or system matches]
*** FindFirstFileW 'C:\Program Files\Microsoft Visual Studio\VC98\bin\foobar' -> INVALID_HANDLE_VALUE *** failed [FS missing in view 0][fs entry not found %ProgramFilesDir%\Microsoft Visual Studio\VC98\bin\foobar][fs entry not found %ProgramFilesDir%\Microsoft Visual Studio\VC98\bin]

As you can see, the "potential errors" did a good job of highlighting possible areas where the application is failing.

Digging Deeper

001550 *** FindFirstFileW 'C:\test\cmd_test\bin\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe 

Let's suppose we want to find out why cmd.exe is probing the location c:\test\cmd_test\bin
We can search the log for this line of text using the log entry number and find out what is occuring before this call. In the bold excerpts below you can two possible places where cmd.exe obtained the path c:\test\cmd_test. The first is by calling GetCurrentDirectoryW, and the second is from it calling GetFullPathNameW with "." as the path specified. In both cases, this returns the path for the current working directory - so now we know exactly how cmd.exe is obtaining this path. You can even see in the log file how cmd.exe creates the "c:\test\cmd_test\bin>" prompt - it does this by querying the environment variable "PROMPT" which returns "$P$G" and then uses the API function WriteConsoleW to print the prompt to the screen after internally expanding "$P$G" to "c:\test\cmd_test\bin>"


000824 0a88 cmd.exe :4ad0697a<-ADVAPI32.dll:77dd038f FormatMessageW ->DWORD=29h (OUT LPWSTR lpBuffer=*4AD38BA0h->L"(C) Copyright 1985-2001 Microsoft Corp.\0Dh\0Ah")
000825 0a88 cmd.exe :4ad069d1->ADVAPI32.dll:77dd038f FormatMessageW (IN DWORD dwFlags=1800h, IN LPCVOID lpSource=*0h, IN DWORD dwMessageId=2334h, IN DWORD dwLanguageId=0h, IN DWORD nSize=2000h, IN *Arguments=*13DD40h->...)
000826 0a88 FormatMessageW FORMAT_MESSAGE_FROM_HMODULE FORMAT_MESSAGE_FROM_SYSTEM line_width=unlimited lpSource=0x0, dwMessageId=0x2334, dwLanguageId=0x0
-> 0x29 ((C) Copyright 1985-2001 Microsoft Corp.

)
000827 0a88 cmd.exe :4ad069d1<-ADVAPI32.dll:77dd038f FormatMessageW ->DWORD=29h (OUT LPWSTR lpBuffer=*4AD38BA0h->L"(C) Copyright 1985-2001 Microsoft Corp.\0Dh\0Ah")
000828 0a88 cmd.exe :4ad08d01->kernel32.dll:7c835484 WriteConsoleW (IN HANDLE hConsoleOutput=7h, IN const *lpBuffer=*4AD38BA0h, IN DWORD nNumberOfCharsToWrite=29h, IN LPVOID lpReserved=*0h)
000829 0a88 cmd.exe :4ad08d01<-kernel32.dll:7c835484 WriteConsoleW ->BOOL=1h (OUT LPDWORD lpNumberOfCharsWritten=*13DD24h->29h)
000830 0a88 cmd.exe :4ad048f4->msctfime.ime:755c039b GetModuleHandleW (IN LPCWSTR lpModuleName=*4AD0498Ch->L"KERNEL32.DLL")
000831 0a88 GetModuleHandleW 'KERNEL32.DLL' -> 7c800000
000832 0a88 cmd.exe :4ad048f4<-msctfime.ime:755c039b GetModuleHandleW ->HMODULE=7c800000h ()
000833 0a88 cmd.exe :4ad04907->AcGenral.DLL:6f880364 GetProcAddress (IN HMODULE hModule=7c800000h, IN LPCSTR lpProcName=*4AD04980h->"CopyFileExW")
000834 0a88 GetProcAddress mod=7c800000/C:\WINDOWS\system32\kernel32.dll () 'CopyFileExW' -> 7feb1fcf
000835 0a88 cmd.exe :4ad04907<-AcGenral.DLL:6f880364 GetProcAddress ->FARPROC=*7FEB1FCFh ()
000836 0a88 cmd.exe :4ad04919->AcGenral.DLL:6f880364 GetProcAddress (IN HMODULE hModule=7c800000h, IN LPCSTR lpProcName=*4AD0496Ch->"IsDebuggerPresent")
000837 0a88 GetProcAddress mod=7c800000/C:\WINDOWS\system32\kernel32.dll () 'IsDebuggerPresent' -> 7fec0dfa
000838 0a88 cmd.exe :4ad04919<-AcGenral.DLL:6f880364 GetProcAddress ->FARPROC=*7FEC0DFAh ()
000839 0a88 cmd.exe :4ad0492b->AcGenral.DLL:6f880364 GetProcAddress (IN HMODULE hModule=7c800000h, IN LPCSTR lpProcName=*4AD04954h->"SetConsoleInputExeNameW")
000840 0a88 GetProcAddress mod=7c800000/C:\WINDOWS\system32\kernel32.dll () 'SetConsoleInputExeNameW' -> 7fe90c21
000841 0a88 cmd.exe :4ad0492b<-AcGenral.DLL:6f880364 GetProcAddress ->FARPROC=*7FE90C21h ()
000842 0a88 cmd.exe :4ad02c97->ole32.dll :774e03f0 GetFileType (IN HANDLE hFile=3h)
000843 0a88 GetFileType 3 -> 0x2
000844 0a88 cmd.exe :4ad02c97<-ole32.dll :774e03f0 GetFileType ->DWORD=2h ()
000845 0a88 cmd.exe :4ad02cc0->kernel32.dll:7c812f39 GetStdHandle (IN DWORD nStdHandle=FFFFFFF6h)
000846 0a88 cmd.exe :4ad02cc0<-kernel32.dll:7c812f39 GetStdHandle ->HANDLE=3h ()
000847 0a88 cmd.exe :4ad02ccd->kernel32.dll:7c81af14 GetConsoleMode (IN HANDLE hConsoleHandle=3h)
000848 0a88 cmd.exe :4ad02ccd<-kernel32.dll:7c81af14 GetConsoleMode ->BOOL=1h (OUT LPDWORD lpMode=*13DDCCh->A7h)
000849 0a88 cmd.exe :4ad05b74->ole32.dll :774e03f0 GetFileType (IN HANDLE hFile=7h)
000850 0a88 GetFileType 7 -> 0x2
000851 0a88 cmd.exe :4ad05b74<-ole32.dll :774e03f0 GetFileType ->DWORD=2h ()
000852 0a88 cmd.exe :4ad05b9d->kernel32.dll:7c812f39 GetStdHandle (IN DWORD nStdHandle=FFFFFFF5h)
000853 0a88 cmd.exe :4ad05b9d<-kernel32.dll:7c812f39 GetStdHandle ->HANDLE=7h ()
000854 0a88 cmd.exe :4ad05baa->kernel32.dll:7c81af14 GetConsoleMode (IN HANDLE hConsoleHandle=7h)
000855 0a88 cmd.exe :4ad05baa<-kernel32.dll:7c81af14 GetConsoleMode ->BOOL=1h (OUT LPDWORD lpMode=*13DA80h->3h)
000856 0a88 cmd.exe :4ad05dec->kernel32.dll:7c835484 WriteConsoleW (IN HANDLE hConsoleOutput=7h, IN const *lpBuffer=*4AD38BA0h, IN DWORD nNumberOfCharsToWrite=2h, IN LPVOID lpReserved=*0h)
000857 0a88 cmd.exe :4ad05dec<-kernel32.dll:7c835484 WriteConsoleW ->BOOL=1h (OUT LPDWORD lpNumberOfCharsWritten=*13DAACh->2h)
000858 0a88 cmd.exe :4ad01ba8->USERENV.dll :769c03b9 GetEnvironmentVariableW (IN LPCWSTR lpName=*4AD34624h->L"PROMPT", IN DWORD nSize=2000h)
000859 0a88 GetEnvironmentVariable PROMPT -> $P$G
000860 0a88 cmd.exe :4ad01ba8<-USERENV.dll :769c03b9 GetEnvironmentVariableW ->DWORD=4h (OUT LPWSTR lpBuffer=*4AD2BA20h->L"$P$G")
000861 0a88 cmd.exe :4ad01580->USERENV.dll :769c0396 GetCurrentDirectoryW (IN DWORD nBufferLength=104h)
000862 0a88 GetCurrentDirectoryW -> 0x14 (C:\test\cmd_test\bin)
000863 0a88 cmd.exe :4ad01580<-USERENV.dll :769c0396 GetCurrentDirectoryW ->DWORD=14h (OUT LPWSTR lpBuffer=*4AD34400h->L"C:\test\cmd_test\bin")
000864 0a88 cmd.exe :4ad05b74->ole32.dll :774e03f0 GetFileType (IN HANDLE hFile=7h)
000865 0a88 GetFileType 7 -> 0x2
000866 0a88 cmd.exe :4ad05b74<-ole32.dll :774e03f0 GetFileType ->DWORD=2h ()
000867 0a88 cmd.exe :4ad05b9d->kernel32.dll:7c812f39 GetStdHandle (IN DWORD nStdHandle=FFFFFFF5h)
000868 0a88 cmd.exe :4ad05b9d<-kernel32.dll:7c812f39 GetStdHandle ->HANDLE=7h ()
000869 0a88 cmd.exe :4ad05baa->kernel32.dll:7c81af14 GetConsoleMode (IN HANDLE hConsoleHandle=7h)
000870 0a88 cmd.exe :4ad05baa<-kernel32.dll:7c81af14 GetConsoleMode ->BOOL=1h (OUT LPDWORD lpMode=*13DA84h->3h)
000871 0a88 cmd.exe :4ad05dec->kernel32.dll:7c835484 WriteConsoleW (IN HANDLE hConsoleOutput=7h, IN const *lpBuffer=*4AD2B1E0h, IN DWORD nNumberOfCharsToWrite=15h, IN LPVOID lpReserved=*0h)
000872 0a88 cmd.exe :4ad05dec<-kernel32.dll:7c835484 WriteConsoleW ->BOOL=1h (OUT LPDWORD lpNumberOfCharsWritten=*13DAB0h->15h)
000873 0a88 cmd.exe :4ad0bf00->ole32.dll :774e03f0 GetFileType (IN HANDLE hFile=3h)
000874 0a88 GetFileType 3 -> 0x2
000875 0a88 cmd.exe :4ad0bf00<-ole32.dll :774e03f0 GetFileType ->DWORD=2h ()
000876 0a88 cmd.exe :4ad02c97->ole32.dll :774e03f0 GetFileType (IN HANDLE hFile=3h)
000877 0a88 GetFileType 3 -> 0x2
000878 0a88 cmd.exe :4ad02c97<-ole32.dll :774e03f0 GetFileType ->DWORD=2h ()
000879 0a88 cmd.exe :4ad02cc0->kernel32.dll:7c812f39 GetStdHandle (IN DWORD nStdHandle=FFFFFFF6h)
000880 0a88 cmd.exe :4ad02cc0<-kernel32.dll:7c812f39 GetStdHandle ->HANDLE=3h ()
000881 0a88 cmd.exe :4ad02ccd->kernel32.dll:7c81af14 GetConsoleMode (IN HANDLE hConsoleHandle=3h)
000882 0a88 cmd.exe :4ad02ccd<-kernel32.dll:7c81af14 GetConsoleMode ->BOOL=1h (OUT LPDWORD lpMode=*13DD50h->A7h)
000883 0a88 cmd.exe :4ad02c97->ole32.dll :774e03f0 GetFileType (IN HANDLE hFile=3h)
000884 0a88 GetFileType 3 -> 0x2
000885 0a88 cmd.exe :4ad02c97<-ole32.dll :774e03f0 GetFileType ->DWORD=2h ()
000886 0a88 cmd.exe :4ad02cc0->kernel32.dll:7c812f39 GetStdHandle (IN DWORD nStdHandle=FFFFFFF6h)
000887 0a88 cmd.exe :4ad02cc0<-kernel32.dll:7c812f39 GetStdHandle ->HANDLE=3h ()
000888 0a88 cmd.exe :4ad02ccd->kernel32.dll:7c81af14 GetConsoleMode (IN HANDLE hConsoleHandle=3h)
000889 0a88 cmd.exe :4ad02ccd<-kernel32.dll:7c81af14 GetConsoleMode ->BOOL=1h (OUT LPDWORD lpMode=*13DD50h->A7h)
000890 0a88 cmd.exe :4ad0b9d4->kernel32.dll:7c812f39 GetStdHandle (IN DWORD nStdHandle=FFFFFFF5h)
000891 0a88 cmd.exe :4ad0b9d4<-kernel32.dll:7c812f39 GetStdHandle ->HANDLE=7h ()
000892 0a88 cmd.exe :4ad0ba16->kernel32.dll:7c81bc2b GetConsoleScreenBufferInfo (IN HANDLE hConsoleOutput=7h)
000893 0a88 cmd.exe :4ad0ba16<-kernel32.dll:7c81bc2b GetConsoleScreenBufferInfo ->BOOL=1h (OUT PCONSOLE_SCREEN_BUFFER_INFO lpConsoleScreenBufferInfo=*13DD08h->struct {COORD dwSize=struct {SHORT X=50h, SHORT Y=12Ch}, COORD dwCursorPosition=struct {SHORT X=15h, SHORT Y=5h}, WORD wAttributes=7h, SMALL_RECT srWindow=struct {SHORT Left=0h, SHORT Top=0h, SHORT Right=4Fh, SHORT Bottom=18h}, COORD dwMaximumWindowSize=struct {SHORT X=50h, SHORT Y=53h}})
000894 0a88 cmd.exe :4ad0ba71->kernel32.dll:7c871a6c ReadConsoleW (IN HANDLE hConsoleInput=3h, IN DWORD nNumberOfCharsToRead=2000h, IN LPVOID lpReserved=*13DD20h)
001518 0a88 cmd.exe :4ad0ba71<-kernel32.dll:7c871a6c ReadConsoleW ->BOOL=1h (OUT LPVOID lpBuffer=*4AD2FAE0h, OUT LPDWORD lpNumberOfCharsRead=*13DD70h->8h)
001519 0a88 cmd.exe :4ad02c97->ole32.dll :774e03f0 GetFileType (IN HANDLE hFile=3h)
001520 0a88 GetFileType 3 -> 0x2
001521 0a88 cmd.exe :4ad02c97<-ole32.dll :774e03f0 GetFileType ->DWORD=2h ()
001522 0a88 cmd.exe :4ad02cc0->kernel32.dll:7c812f39 GetStdHandle (IN DWORD nStdHandle=FFFFFFF6h)
001523 0a88 cmd.exe :4ad02cc0<-kernel32.dll:7c812f39 GetStdHandle ->HANDLE=3h ()
001524 0a88 cmd.exe :4ad02ccd->kernel32.dll:7c81af14 GetConsoleMode (IN HANDLE hConsoleHandle=3h)
001525 0a88 cmd.exe :4ad02ccd<-kernel32.dll:7c81af14 GetConsoleMode ->BOOL=1h (OUT LPDWORD lpMode=*13DD50h->A7h)
001526 0a88 cmd.exe :4ad0bb9c->kernel32.dll:7c81b18f GetConsoleOutputCP ()
001527 0a88 cmd.exe :4ad0bb9c<-kernel32.dll:7c81b18f GetConsoleOutputCP ->UINT=1B5h ()
001528 0a88 cmd.exe :4ad0bbad->kernel32.dll:7c812e76 GetCPInfo (IN UINT CodePage=1B5h)
001529 0a88 cmd.exe :4ad0bbad<-kernel32.dll:7c812e76 GetCPInfo ->BOOL=1h (OUT LPCPINFO lpCPInfo=*4AD33BA0h->struct {UINT MaxCharSize=1h, char[2] DefaultChar=['?', '\00h'], char[12] LeadByte=['\00h', '\00h', '\00h', '\00h', '\00h', '\00h', '\00h', '\00h', '\00h', '\00h', '\00h', '\00h']})
001530 0a88 cmd.exe :4ad01680->kernel32.dll:7c81b258 SetThreadUILanguage (== no prototype available ==)
001531 0a88 cmd.exe :4ad01680<-kernel32.dll:7c81b258 SetThreadUILanguage (== no prototype available ==)
001532 0a88 cmd.exe :4ad01b0d->kernel32.dll:7c80ac0f SetErrorMode (IN UINT uMode=0h)
001533 0a88 cmd.exe :4ad01b0d<-kernel32.dll:7c80ac0f SetErrorMode ->UINT=0h ()
001534 0a88 cmd.exe :4ad01b13->kernel32.dll:7c80ac0f SetErrorMode (IN UINT uMode=1h)
001535 0a88 cmd.exe :4ad01b13<-kernel32.dll:7c80ac0f SetErrorMode ->UINT=0h ()
001536 0a88 cmd.exe :4ad01b24->IMM32.DLL :7639039b GetFullPathNameW (IN LPCWSTR lpFileName=*1638C0h->L".", IN DWORD nBufferLength=208h)
001537 0a88 GetFullPathNameW . -> 20 (buf=C:\test\cmd_test\bin, file_part=bin)
001538 0a88 cmd.exe :4ad01b24<-IMM32.DLL :7639039b GetFullPathNameW ->DWORD=14h (OUT LPWSTR lpBuffer=*163D60h->L"C:\test\cmd_test\bin", OUT *lpFilePart=*13D8D4h->*163D82h->L"bin")
001539 0a88 cmd.exe :4ad01b29->kernel32.dll:7c80ac0f SetErrorMode (IN UINT uMode=0h)
001540 0a88 cmd.exe :4ad01b29<-kernel32.dll:7c80ac0f SetErrorMode ->UINT=1h ()
001541 0a88 cmd.exe :4ad01ba8->USERENV.dll :769c03b9 GetEnvironmentVariableW (IN LPCWSTR lpName=*4AD34618h->L"PATH", IN DWORD nSize=2000h)
001542 0a88 GetEnvironmentVariable PATH -> C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\program files\subversion\bin;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;c:\bin;C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
001543 0a88 cmd.exe :4ad01ba8<-USERENV.dll :769c03b9 GetEnvironmentVariableW ->DWORD=173h (OUT LPWSTR lpBuffer=*4AD2BA20h->L"C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\program files\su.. ")
001544 0a88 cmd.exe :4ad01ba8->USERENV.dll :769c03b9 GetEnvironmentVariableW (IN LPCWSTR lpName=*4AD34608h->L"PATHEXT", IN DWORD nSize=2000h)
001545 0a88 GetEnvironmentVariable PATHEXT -> .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
001546 0a88 cmd.exe :4ad01ba8<-USERENV.dll :769c03b9 GetEnvironmentVariableW ->DWORD=30h (OUT LPWSTR lpBuffer=*4AD2BA20h->L".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH")
001547 0a88 cmd.exe :4ad02aaa->kernel32.dll:7c80b2d0 GetDriveTypeW (IN LPCWSTR lpRootPathName=*13D8C4h->L"C:\")
001548 0a88 cmd.exe :4ad02aaa<-kernel32.dll:7c80b2d0 GetDriveTypeW ->UINT=3h ()
001549 0a88 cmd.exe :4ad01b5f->USERENV.dll :769c03fa FindFirstFileW (IN LPCWSTR lpFileName=*1638C0h->L"C:\test\cmd_test\bin\foobar.*")
001550 0a88 FindFirstFileW 'C:\test\cmd_test\bin\foobar.*' -> INVALID_HANDLE_VALUE *** failed [system probe C:\test\cmd_test\bin\foobar.* -> ffffffffh][no virtual or system matches]