winapi – How to crash a process on Windows 7 without getting the WER dialog?

Is it possible to crash a regular user-mode process on Windows 7 without getting the Windows Error Reporting (WER) dialog? (With WER normally enabled and no specific flags applied.)


On Windows XP it was quite simple to write a C or C++ application (in user mode) that mangles its own address space in such a way that, when an access violation (or some other unhandled Win32 exception) is finally raised, Windows XP would just silently terminate the process without notifying the user:

#include <string.h>

void stackbreaker() {
    // global/static buffer (exactly 128 bytes including the terminating NUL)
    static char buf[128] = "In a hole in the ground there lived a hobbit. And it burrowed through your stack. It even built a round door into you function.";
    // Get an address on the stack
    char local;
    char* stack = &local;
    // nuke the stack: overwrite 64 bytes below and 64 bytes above the local,
    // which clobbers the saved return address / frame data of this call chain
    memcpy(stack - 64, buf, sizeof(buf));
    // Kaboom. No user defined unhandled exception filter will be called. Stack nuked.
    // Process will terminate silently on Windows XP.
    // But on Windows-7 you still get the WER dialog.
}

Calling the above function from a simple C++ project (in release mode – watch out for compiler optimizations when testing – and not running under a debugger) will:


What I would like to know now is – under Windows 7 – whether the WER mechanism is implemented such that I will always get the error dialog for a crash[a] in my application, or whether even on Windows 7 there are process-corruption scenarios that prevent the WER dialog from popping up?


In the book Windows via C/C++ (5th ed., by Richter and Nasarre) they describe what happens in the "error process" (page 711):

  1. Exception filters.
  2. kernel detects unhandled exception
  3. blocking ALPC call to Wer Service
  4. WER reporting kicks in.

Now, they point out how Win7 differs from Windows XP (quoting page 710 of the book):

… Starting with Windows Vista, the UnhandledExceptionFilter function no longer sends an error report to MS' servers. Instead, the kernel detects that the exception is not handled by the user-mode thread (Step 4)…


[a]: Obviously, a process can easily be "killed" without any trace by calling one of the various *exit* or *terminate* functions. The question is, if you can rule out such a termination cause, (how) can a user-mode process on Win7 be "crashed" in a way that prevents the WER dialog from being shown.

I had a look at my copy of Windows Internals, but it doesn't have much to say on this topic. In earlier versions, the Windows Error Reporting routines ran in the context of the crashing thread. This meant that if the stack was nuked (as in your example), they could not run.


According to Windows Internals, these changes solved the disappearing-process problem. I can only take their word for it. Obviously, if the WER service itself is compromised (or stopped), you will still get silent crashes.


From Windows Internals, 5th ed., page 122:

Until Windows Vista,all the [WER] operations we’ve described had to occur within the crashing thread’s context… In certain types of crashes … the unhandled exception filter itself crashed. This “silent process death” was not logged anywhere. … Windows Vista and later versions improved the WER mechanism by performing this work externally from the crashed thread,if the unhandled exception filter itself crashes.


…all Windows processes now have an error port that is actually an ALPC port object registered by the WER service. The kernel … will use this port to send a message to the WER service, which will then analyze the crashing process. … This solves all the problems of silent process death…
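As an added defender-side check (not part of the question or the answer above): a PowerShell script that audits the conditions the answer says lead to silent crashes on Vista and later, namely the WER service (WerSvc) being stopped, or WER or its dialog being switched off by policy, and then lists the crash records the external WER path leaves in the Application log. The service name WerSvc, the registry values `Disabled` and `DontShowUI` under the Windows Error Reporting key, and the event sources "Application Error" (ID 1000) and "Windows Error Reporting" (ID 1001) are documented Windows names; the 7-day default window and the assumption of PowerShell 5 or later (for the service StartType property) are this script's own.

```powershell
<#
  Added audit script, not from the original posts. Assumes Windows Vista or
  later, PowerShell 5+, and the default WER service name WerSvc.
  It reports the conditions under which the answer says crashes become silent:
  the WER service stopped, or WER / its UI disabled by policy, and then shows
  whether recent crashes actually left a record in the Application log.
#>
param([int]$Days = 7)   # look-back window, an assumption of this script

function Get-WerPolicy {
    # Machine-wide and per-user WER keys; value names are documented WER settings.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting',
        'HKCU:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            [pscustomobject]@{
                Key        = $k
                Disabled   = $p.Disabled      # 1 = WER switched off entirely
                DontShowUI = $p.DontShowUI    # 1 = report silently, no dialog
            }
        }
    }
}

function Get-WerServiceState {
    # The answer's "WER service stopped" case: no service, or not running.
    $svc = Get-Service -Name WerSvc -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'WerSvc not found' }
    '{0} (StartType: {1})' -f $svc.Status, $svc.StartType
}

function Get-RecentCrashRecords {
    param([int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    # 1000 = Application Error (faulting module and offset),
    # 1001 = Windows Error Reporting report record.
    $filters = @(
        @{ LogName = 'Application'; ProviderName = 'Application Error';       Id = 1000; StartTime = $since },
        @{ LogName = 'Application'; ProviderName = 'Windows Error Reporting'; Id = 1001; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, ProviderName,
                @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
    }
}

'== WER service =='
Get-WerServiceState
'== WER policy values (blank = not set, i.e. default: enabled with dialog) =='
Get-WerPolicy | Format-Table -AutoSize
"== Crash records in the last $Days day(s) =="
Get-RecentCrashRecords -Days $Days |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Reading the output: a process that is known to have died with neither a 1000 nor a 1001 record, while WerSvc is stopped or `Disabled`/`DontShowUI` is set, matches the "silent crash" conditions the answer describes; with the service running and no policy set, an unhandled exception on Vista and later should leave at least the Application Error record even when no dialog was seen.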


