Having the debugger attach to a process as soon as it is created is something that I always end up needing to do, but don’t do every day and sometimes forget how to do it. Today I needed to do it again, so one of my coworkers reminded me how to do it.
One way is to debug with the kernel debugger, which is the heavyweight way to always be attached. Once you have connected remotely to your test machine with the kernel debugger, you can switch into the context of any process you want. I think this is the best option if you regularly write kernel code.
I don’t write kernel code all that often, so I normally use windbg on the machine directly. If you need to debug two processes because they talk to each other via DCOM or RPC, you will need to attach windbg to each process. If the other process launches on demand, you need a way to automatically launch windbg against it as soon as it is created. There is a mechanism built into Windows for just this: Image File Execution Options. You can read this MSDN blog post about it.
The short of it is to create a subkey named after your executable (the image name only, no path) under the Image File Execution Options key, and give that subkey a string (REG_SZ) value called “Debugger” whose data is the debugger command line:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
So, the common case would be to add the subkey “dllhost.exe” and then give that key a new string value called “Debugger” with “windbg.exe” as the data (better, the full path to windbg.exe, since the command is run by whatever process creates the target, and its PATH may not include the debugger directory). From then on, whenever any process with that image name is started, Windows launches the Debugger command instead, with the original command line appended, so windbg starts dllhost.exe itself as a child and you get control at the initial breakpoint before the entry point runs. Two caveats: the debugger is started with the same user, token and session as the process that was about to run, so if the target is launched as a service in session 0 the windbg window will never be visible and you will want a remote debugging server instead; and because the IFEO Debugger value is a well-known persistence and privilege-escalation trick (swapping cmd.exe in for sethc.exe is the classic case), writing it needs administrator rights, security tooling watches that key, and you should delete the entry as soon as you are done.
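The registry edit described above as a PowerShell script, an added example that is not from the original post: it creates the IFEO subkey and Debugger value for an image name, removes it again when you are finished, and lists every image that currently has a Debugger set, which is also the check you want during incident response since the same key is abused for persistence. The windbg.exe path in the usage lines is an assumption for a default Windows SDK install; adjust it to yours.

```powershell
# Added example, not code from the original post. Run from an elevated
# (Administrator) PowerShell, since the key lives under HKLM.
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-IfeoDebugger {
    param(
        [Parameter(Mandatory)] [string] $ImageName,        # image name only, e.g. 'dllhost.exe'
        [Parameter(Mandatory)] [string] $DebuggerCommand   # full path (quoted if it has spaces)
    )
    $key = Join-Path $Ifeo $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_SZ value named "Debugger"; Windows appends the target's own command line to it.
    New-ItemProperty -Path $key -Name 'Debugger' -Value $DebuggerCommand `
        -PropertyType String -Force | Out-Null
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)] [string] $ImageName)
    $key = Join-Path $Ifeo $ImageName
    if (-not (Test-Path $key)) { return }
    Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
    # Only drop the subkey if nothing else (e.g. a GlobalFlag value) is left in it.
    if (-not (Get-Item $key).Property -and -not (Get-ChildItem $key)) {
        Remove-Item -Path $key
    }
}

function Get-IfeoDebugger {
    # Enumerate every image that currently has a Debugger value set.
    Get-ChildItem -Path $Ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' `
                -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

# Usage. The WinDbg path below is an assumption; point it at your own install.
$WinDbg = '"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe"'
Set-IfeoDebugger -ImageName 'dllhost.exe' -DebuggerCommand $WinDbg

# Audit: this should show dllhost.exe and nothing you did not put there yourself.
Get-IfeoDebugger | Format-Table -AutoSize

# ... reproduce the problem, then clean up so dllhost.exe stops starting under windbg.
Remove-IfeoDebugger -ImageName 'dllhost.exe'
```

Get-IfeoDebugger is worth running on its own on a machine you are investigating: an unexpected Debugger value under sethc.exe, utilman.exe or any other accessibility binary is the classic sign of this key being used for persistence rather than debugging.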