Wednesday, July 4, 2007

Visual Studio 2003 Debugging Problem

One clear sunny day, when I tried to debug on a remote computer using MS Visual Studio 2003, I came across this message:




The error message says to verify that you are an administrator or a member of the 'Debugger Users' group on the machine you are trying to debug.

Clearly, membership in the Administrators group is not an option, because of the nature of the server and the restricted privileges given to the Application Developer group. It would also violate the principle of least privilege: grant the privilege that is required and no more than that, in this case the privilege to debug the application.

So I followed the instruction and added my domain ID to the Debugger Users group on that remote computer, fired up the debugging window, and still had no success; the error was the same as above.
After an in-depth check using WinDBG and the appropriate symbol files from Microsoft, I came to know that the problem resides in the routine sdm2!CDebugManager::GetMachine, which returns the 0x80040021 error code. That is ridiculous, because I had ALREADY added my domain ID as a member of "Debugger Users".

OK, so the routine sdm2!CDebugManager::GetMachine returns error code 0x80040021, but exactly when does that happen? The problem comes up on calling this routine:

518a84b8 e8393b0000 call sdm2!ATL::CComBSTR::operator+=+0x1e (518abff6)

Which in turn calls:

518ac066 ff1538118951 call dword ptr [sdm2!_imp__CoCreateInstanceEx (51891138)]
518ac06c 689cc08a51 push 0x518ac09c
518ac071 8bf8 mov edi,eax


This gives eax=0x80070005, which means "Access Denied". DEVENV.EXE then does some additional checking and returns 0x80040021 with the misleading message above.

But exactly which sdm2!_imp__CoCreateInstanceEx call causes the "Access Denied"?

518ac056 8d45f4 lea eax,[ebp-0xc]
518ac059 50 push eax ;;pResults
518ac05a 6a01 push 0x1 ;;cmq
518ac05c 8d45e4 lea eax,[ebp-0x1c]
518ac05f 50 push eax ;;pServerInfo
518ac060 6a14 push 0x14 ;;dwClsCtx
518ac062 56 push esi ;;punkOuter
518ac063 ff750c push dword ptr [ebp+0xc] ;;refClassID
518ac066 ff1538118951 call dword ptr [sdm2!_imp__CoCreateInstanceEx (51891138)]
518ac063 ff750c push dword ptr [ebp+0xc]{sdm2!CLSID_MsMachineDebugManager (5189742c)}
ss:0023:0012f270=5189742c
0023:5189742c fd 5f b2 73-01 f5-7b 43-8b 11-7f 0d e3 83 96 4f -> Reference Class ID
73B25FFD-F501-437B-118B-7F0DE383964F -> MDM.EXE (Machine Debug Manager)
0:000> d ds:eax
0023:0012f248 00 00 00 00 08 5a cb 06-2c f2 12 00 00 00 00 00 .....Z..,.......
0023:0012f258 78 ef 89 51 00 00 00 00-00 00 00 00 90 f2 12 00 x..Q............
0023:0012f268 bd 84 8a 51 08 5a cb 06-2c 74 89 51 78 ef 89 51 ...Q.Z..,t.Qx..Q
0023:0012f278 8c f2 12 00 01 00 00 00-74 f5 12 00 00 00 00 00 ........t.......
0023:0012f288 a8 7f 83 01 00 00 00 00-ac f2 12 00 9d 7b 89 51 .............{.Q
00000000 -> dwReserved1
06CB5A08 -> Machine Name
0012F22C -> pAuthInfo
Authentication Info Structure :
0023:0012f22c 0a 00 00 00 - 00 00 00 00 - 00 00 00 00 - 02 00 00 00
0023:0012f23c 03 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00 00 00 0A -> RPC_C_AUTHN_WINNT (Authentication Service to Use)
00 00 00 00 -> RPC_C_AUTHZ_NONE (Authorization Service to Use)
00 00 00 00 -> Server Principal Name (Must be NULL) if using RPC_C_AUTHN_WINNT
00 00 00 02 -> RPC_C_AUTHN_LEVEL_CONNECT (Authenticates the credentials of the client only when the client establishes a relationship with the server)
00 00 00 03 -> Impersonation Level (must be RPC_C_IMP_LEVEL_IMPERSONATE)
00 00 00 00 -> Client Identity (If NULL, the actual identity of the client is used)

This happens when the client tries to make the RPC call to the server through the COM interface. Using WinDBG, this is what happens on the server:

7c822583 cc int 3
0:014> bm /a rpcss!RemoteInterfaceOnlySecCallback
breakpoint 1 redefined
1: 76d6595d @!"rpcss!RemoteInterfaceOnlySecCallback"
0:014> g
ModLoad: 76c90000 76cb7000 C:\WINDOWS\system32\msv1_0.dll
ModLoad: 76cf0000 76d0a000 C:\WINDOWS\system32\iphlpapi.dll
Breakpoint 1 hit
eax=0063fd70 ebx=0009b4a8 ecx=0009b5a4 edx=00000002 esi=0009b5a4 edi=0063fd80
eip=76d6595d esp=0063fd4c ebp=0063fda0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
rpcss!RemoteInterfaceOnlySecCallback:
76d6595d 8bff mov edi,edi
0:009> bp 76d35026
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
0:009> bp 76d35050
0:009> g
Breakpoint 0 hit
eax=0063fce8 ebx=0008f870 ecx=000004f4 edx=7c82ed54 esi=000edd18 edi=00000000
eip=76d35026 esp=0063fcb8 ebp=0063fcf0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
rpcss!CheckForAccess+0x1f:
76d35026 50 push eax
0:009> d ds:eax
0023:0063fce8 30 3d 08 00 01 16 d3 76-48 fd 63 00 66 5a d6 76 0=.....vH.c.fZ.v
0023:0063fcf8 f4 04 00 00 e8 f7 08 00-04 00 00 00 a8 b4 09 00 ................
0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............
0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............
0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M
0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... .nW2...
0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....
0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.
0:009> g
Breakpoint 2 hit
eax=00000001 ebx=0008f870 ecx=0063fcd8 edx=0063fce8 esi=00000001 edi=00000000
eip=76d35050 esp=0063fcbc ebp=0063fcf0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
rpcss!CheckForAccess+0x49:
76d35050 85c0 test eax,eax
0:009> d ds:0063fce8
0023:0063fce8 fc f7 08 00 01 00 00 00-48 fd 63 00 66 5a d6 76 ........H.c.fZ.v
0023:0063fcf8 f4 04 00 00 e8 f7 08 00-04 00 00 00 a8 b4 09 00 ................
0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............
0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............
0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M
0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... .nW2...
0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....
0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.
0:009> !acl 0008f7fc
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1 : 0x0
ACL is: ->AclSize : 0x48
ACL is: ->AceCount : 0x3
ACL is: ->Sbz2 : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x14
ACL is: ->Ace[0]: ->Mask : 0x00000007
ACL is: ->Ace[0]: ->SID: S-1-5-7
ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->AceFlags: 0x0
ACL is: ->Ace[1]: ->AceSize: 0x18
ACL is: ->Ace[1]: ->Mask : 0x00000007
ACL is: ->Ace[1]: ->SID: S-1-5-32-562
ACL is: ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[2]: ->AceFlags: 0x0
ACL is: ->Ace[2]: ->AceSize: 0x14
ACL is: ->Ace[2]: ->Mask : 0x00000007
ACL is: ->Ace[2]: ->SID: S-1-1-0
0:009> !acl 0008f7fc 1
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1 : 0x0
ACL is: ->AclSize : 0x48
ACL is: ->AceCount : 0x3
ACL is: ->Sbz2 : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x14
ACL is: ->Ace[0]: ->Mask : 0x00000007
ACL is: ->Ace[0]: ->SID: S-1-5-7 (Well Known Group: NT AUTHORITY\ANONYMOUS LOGON)
ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->AceFlags: 0x0
ACL is: ->Ace[1]: ->AceSize: 0x18
ACL is: ->Ace[1]: ->Mask : 0x00000007
ACL is: ->Ace[1]: ->SID: S-1-5-32-562 (Alias: BUILTIN\Distributed COM Users)
ACL is: ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[2]: ->AceFlags: 0x0
ACL is: ->Ace[2]: ->AceSize: 0x14
ACL is: ->Ace[2]: ->Mask : 0x00000007
ACL is: ->Ace[2]: ->SID: S-1-1-0 (Well Known Group: localhost\Everyone)
0:009> g
Breakpoint 0 hit
eax=0063fce8 ebx=0008f7d0 ecx=000004f4 edx=7c82ed54 esi=0063fd80 edi=00000000
eip=76d35026 esp=0063fcb8 ebp=0063fcf0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
rpcss!CheckForAccess+0x1f:
76d35026 50 push eax
0:009> d ds:eax
0023:0063fce8 30 3d 08 00 01 16 d3 76-48 fd 63 00 fa 5a d6 76 0=.....vH.c..Z.v
0023:0063fcf8 f4 04 00 00 60 f7 08 00-10 00 00 00 a8 b4 09 00 ....`...........
0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............
0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............
0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M
0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... .nW2...
0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....
0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.
0:009> g
Breakpoint 2 hit
eax=00000001 ebx=0008f7d0 ecx=0063fcd8 edx=0063fce8 esi=00000001 edi=00000000
eip=76d35050 esp=0063fcbc ebp=0063fcf0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
rpcss!CheckForAccess+0x49:
76d35050 85c0 test eax,eax
0:009> d ds:0063fce8
0023:0063fce8 74 f7 08 00 01 00 00 00-48 fd 63 00 fa 5a d6 76 t.......H.c..Z.v
0023:0063fcf8 f4 04 00 00 60 f7 08 00-10 00 00 00 a8 b4 09 00 ....`...........
0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............
0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............
0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M
0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... .nW2...
0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....
0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.
0:009> !acl 0008f774 1
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1 : 0x0
ACL is: ->AclSize : 0x34
ACL is: ->AceCount : 0x2
ACL is: ->Sbz2 : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x18
ACL is: ->Ace[0]: ->Mask : 0x0000001f
ACL is: ->Ace[0]: ->SID: S-1-5-32-562 (Alias: BUILTIN\Distributed COM Users)
ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->AceFlags: 0x0
ACL is: ->Ace[1]: ->AceSize: 0x14
ACL is: ->Ace[1]: ->Mask : 0x0000000b
ACL is: ->Ace[1]: ->SID: S-1-1-0 (Well Known Group: localhost\Everyone)


Conclusion, at least in this case:

The error message from DEVENV.EXE is misleading and does not match what actually happens on the operational side. The COM service is handled by RPCSS.EXE on the server side, and RPCSS.EXE checks against BUILTIN\Distributed COM Users, NOT BUILTIN\Debugger Users.
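The two ACLs dumped with !acl above can be evaluated by hand to see why Debugger Users membership alone is not enough. This is an added example, not part of the original post: it assumes the mask bits are the standard COM_RIGHTS_* values, that the remote CoCreateInstanceEx request needs COM_RIGHTS_ACTIVATE_REMOTE, and it uses a placeholder SID for Debugger Users.

```python
# Added illustration: evaluates the two ACLs from the !acl dumps above.
# Assumption: mask bits are the standard COM_RIGHTS_* values from the Windows SDK.
COM_RIGHTS = {
    0x01: "EXECUTE",
    0x02: "EXECUTE_LOCAL",
    0x04: "EXECUTE_REMOTE",
    0x08: "ACTIVATE_LOCAL",
    0x10: "ACTIVATE_REMOTE",
}

EVERYONE = "S-1-1-0"
ANONYMOUS = "S-1-5-7"
DCOM_USERS = "S-1-5-32-562"  # BUILTIN\Distributed COM Users
# Placeholder: Debugger Users is a local group, so its real SID is machine-specific.
DEBUGGER_USERS = "S-1-5-21-PLACEHOLDER-DEBUGGER-USERS"

# (SID, mask) pairs copied from the dumps; every ACE is ACCESS_ALLOWED_ACE_TYPE.
ACL_0008F7FC = [(ANONYMOUS, 0x07), (DCOM_USERS, 0x07), (EVERYONE, 0x07)]
ACL_0008F774 = [(DCOM_USERS, 0x1F), (EVERYONE, 0x0B)]


def rights(mask):
    """Decode an access mask into COM_RIGHTS_* names."""
    return [name for bit, name in COM_RIGHTS.items() if mask & bit]


def granted(acl, token_sids):
    """OR the masks of allow ACEs whose SID is in the caller's token.
    Simplified: allow-only ACLs, as in the dumps (no deny ACEs to order)."""
    mask = 0
    for sid, ace_mask in acl:
        if sid in token_sids:
            mask |= ace_mask
    return mask


def allowed(acl, token_sids, required):
    """True when every required bit is granted to the token."""
    return (granted(acl, token_sids) & required) == required


REMOTE_ACTIVATE = 0x10                 # COM_RIGHTS_ACTIVATE_REMOTE
before = {EVERYONE, DEBUGGER_USERS}    # member of Debugger Users only
after = before | {DCOM_USERS}          # also in Distributed COM Users

if __name__ == "__main__":
    for label, token in (("Debugger Users only", before), ("+ DCOM Users", after)):
        g = granted(ACL_0008F774, token)
        print(f"{label}: 0x{g:02x} {rights(g)} remote activation:",
              allowed(ACL_0008F774, token, REMOTE_ACTIVATE))
```

In the second ACL, Everyone holds only 0x0b (local execute and local activation), so a remote caller gets the remote bits solely through the Distributed COM Users ACE.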

The relevant information about DCOM security and its relationship with CoCreateInstanceEx is here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/1917834c-5216-4ef3-a0c2-d8ca63cef53d.asp

A summary of the important WinDBG commands used:

x (examine symbols)
kv (view call stack)
uf (disassemble function)
!dh (display header; used to get information about the executable properties of a given loaded module)
!acl (display the access control list at a given ACL pointer)