DLL Delay Load API Sets Umbrella Libs and Loader Snaps

[delay load]

Windows has the ability to delay load DLLs which can come in handy in a number of scenarios.  By default, the Windows loader will load all of a DLL's or EXE's dependencies right away.  It basically walks down the binary's unmapped function table and maps in all of the dependencies; then, it recursively maps in all of the dependencies' dependencies until all possible function calls are mapped into memory.  

The first most obvious use case for delay loading is to speed up the point in which your binary can start running.  For example, some of the DLLs could be large and might need to be loaded from disk.  If your binary doesn't need them to start, waiting for them to load is adding a lot of unnecessary delay.  The loader actually does a lot of smart things to mitigate long load times, but still, its good to delay load dependencies as much as possible. 

Another useful less-obvious reason is to handle missing components, and break dependencies.  

Handling missing components: your code references components but runs in different environments where they may or may not exist, by default, the loader tries to load them upfront.  In environments where the dependencies don't exist, that fails and your wmain or DllMain will never be called.  With delay load, your code can more gracefully handle missing features.  

For example, I once wrote a service that runs all versions of Windows.  One of the things it does is sort of acts like a user mode bus creating devnode tress.  I needed to remove devices and clean up the tree at some points.  The typical complete way to do this is DIF_REMOVE with SetupAPI because it evokes the full Desktop device installation.  The only problem is SetupAPI is not in every Windows SKU.  ConfigMgr32, CM_*, APIs are, but don't handle full Desktop device installation.  My solution was to delay load setupapi.dll.  My code has two implementations for cleaning devnode trees, one using SetupAPI calls, and one using CM API calls.  At runtime, I see if SetupAPI is available, here is some public documentation.  If it is, then I am on a Desktop-type SKU, and I use it.  If it is not, like on a OneCore based SKU, I use the CM version.  My service runs either way.

How does delay load work?  The loader still actually needs to resolve and load every referenced function when a binary is loaded into memory.  For a component to be able to delay loaded, it implements a delay load handler which implements the binary's exports.  Core OS components do this, and they are linked into kernel32 so they still will exist even when the actual implementation DLL is not in a OS image.  They typically return E_NOTIMPL or similar.  Kernel32 is always loaded, and the so the delay load handler can depend on it as a fallback implementation.  Later, when a binary actually uses one of these functions, it triggers the delay load handler to actually try to load the dll and map in the real function pointer.  

[API sets]

API sets work in a similar way, and allow the OS to handle versioning of DLLs and their exports.  In some cases, API sets work in a similar way to a dload handler, and might just return E_NOTIMPL.  In other cases, OS components can use them to implement handling to changes of the OS' ABI behavior.  For example, API might have fix that corrects some bug, call it foo-1-1, but for compatibility reasons, some callers depend on the buggy behavior, yes it happens often, call it foo-1-0.  The current version of foo.dll can implement handling both clients.  An API set, allows the OS to detect what the client is expecting, and, map in the correct behavior.

[comptonization and layering]

A lot of good work has gone it to componentizing Windows over the past 2 decades, but there used to be a time, say over 15 years ago, where some Windows OS components would assume anything on a Desktop-type SKU was fair game to use, so for example, a low level security API in Adavpi32 might have loaded the DLL from the shell (UI) because it had a useful function.  As a developer, it doesn't make sense that using low-level Advapi32 API would also cause a whole mess of seeming unrelated DLLs to get loaded just because a shell DLL happened to be used which then depended a bunch of other things completely unrelated to the security API you were trying to use.  Overtime this was componentized and split apart and the OS does a good job, um...a much better job, now not having circular dependencies or having low level components calling into, or using higher level components.  It is ok for the shell to call into ntdll but not ntdll to call into the shell.  Things Advapi32 used from higher levels, like the shell, had to be split out, and brought down to the lower level.  That allows low level Advapi32 APIs to use those old shell features without calling up to a higher OS layer.  There are still high level things that Adavapi32 does do that might only work on a full Desktop SKU, but for low level OS stuff, the APIs can work on a low level SKU without a shell or other high-level components.  This is made possible from all of the hard refactoring and componentization work, but also through the other OS building blocks I mentioned like API sets and dload, etc.  On a desktop SKU, the full Advapi32 will get loaded, and you can use all of its APIs.  On lower level SKUs, you can still use the low-level Advapi32 APIs, but using higher level APIs won't work.  If your component never actually uses the higher level features, then it is fine.  Depending on how it is implemented, it might fail in different ways at runtime, but generally it can be handled like in my example with SetupAPI and keep proper layering.

[umbrella libs]

These days, it is easy to do the right thing with umbrella libs.  In the old days, instead of linking the full Advapi32.lib, you'd have to link the lower level version of Advapi32 API set, eg. foo-onecore-1.lib instead of foo.lib., to not get loader errors on onecore SKUs as linking the full version will try to load the full Desktop version of the component.  Now, you can simply link onecore.lib and all API sets that work on OneCore are linked in.  If you then get linker errors compiling, the thing you are calling is not part of onecore and would cause loader error later if you run it on a onecore SKU.

[investigating loader failures]

Getting back to why I am writing this, investigating loader failures.  What the loader does is complicated.  That is why loader snaps exist.  This is how I investigate these kind of issues.

1. Enable loader snaps.  You can do that for your binary with: gflags.exe -i foo.dll -sls on the command line, or in the UM debugger windbg, or even KD with !gflags -sls

2. Run the scenario, watch for the loader error.  Note: there will be a verbose amount of output so maybe try to scope having it on to be as short as possible, or break in as soon as it hits, etc.

3. Analyze the error.  

It will point to a function and dll it is trying to resolve and load.

03a0:0704 @ 11616265 - LdrpInitializeNode - INFO: Calling init routine 00007FFE7A5D55D0 for DLL "C:\windows\SYSTEM32\kernel.appcore.dll"
03a0:0704 @ 11616265 - LdrpLoadDllInternal - RETURN: Status: 0x00000000
03a0:0704 @ 11616265 - LdrpLoadDllInternal - RETURN: 0
03a0:0704 @ 11616265 - LdrLoadDll - RETURN: Status: 0x00000000
03a0:0704 @ 11616265 - LdrLoadDll - RETURN: 0
03a0:0704 @ 11616265 - LdrpGetProcedureAddress - INFO: Locating procedure "AppPolicyGetProcessTerminationMethod" by name
03a0:0704 @ 11616265 - LdrGetDllHandleEx - ENTER: DLL name: mscoree.dll
03a0:0704 @ 11616265 - LdrGetDllHandleEx - ENTER: mscoree.dll
03a0:0704 @ 11616265 - LdrpFindLoadedDllInternal - RETURN: Status: 0xc0000135
03a0:0704 @ 11616265 - LdrpFindLoadedDllInternal - RETURN: c0000135
03a0:0704 @ 11616265 - LdrGetDllHandleEx - RETURN: Status: 0xc0000135
03a0:0704 @ 11616265 - LdrGetDllHandleEx - RETURN: c0000135

4. Resolve the missing dependency.  You now know what it is missing.  

If it is supposed to be there, like, if it were a DLL that you own, or is part of our package, etc. maybe you forgot to install, or copy it to the PC.  Or, maybe it is not in the loader's search path.  The typical search path are obvious places like c:\windows, .\system32\, or .\, next to the binary trying to load it.

If it is not supposed to be there, why is your code using it?  

This might be easy to answer, like you linked the full Advapi32.dll API, or are trying to use one of the desktop only APIs on a OneCore SKU.  If that is the case, then youi'll have to do something else, like how I used CM_* API versions instead of SetupAPI versions for OneCore.

If it not something you think your code should be using, again, you could be using the wrong API set.  You might not be leveraging the delay load correctly.  The new umbrella libs make it easy to fix the "wrong API set" issue.  

If you think it should be avoided by using delay load, make sure your linker is delay loading the correct API set.  You search by procedure name from the API sets, and then set that to delay load.  For example, if "FooFunction" from "foo.dll" is not really used but causes a loader failure as soon as your module loads, it is not being delay loaded.  Find what API set it belongs to, and delay load it.  FooFunction might be part of foo-1.dll API set.  Set that to delay load.  Then you won't get a loader failure right away while your module is loading, but it would still fail later if you happen to use it even indirectly.

  

How to Enable Application Verifier in Windbg

This is how you enable Application Verifier (appverif) if you are already in the debugger:

0:000> !gflag +vrf
Current NtGlobalFlag contents: 0x00000100
    vrf - Enable application verifier

You can then control verifier with the !avrf command.

This will display the current settings: 

0:000> !avrf Verifier package version >= 3.00 Application verifier settings (81000000): - no heap checking enabled! - SRWLock

Other notes:

If you see something like this, then verifier is not setup on the exe.

No type information found for `verifier!_DPH_HEAP_ROOT'.

Please fix the symbols for `verifier.dll'.

Spin Until the Debugger Is Attached

Here is a handy trick to make some code wait for a debugger to attach.  

Let's say you have some user mode code you need to debug and it has some kind of tricky activation flow that makes it hard to get a debugger on the process before the code executes.  

In my case, I was helping someone on my team debug some test failures.  Some weirdness was happing when the test activated an out-of-proc COM object.  The COM server was getting loaded into a COM surrogate dllhost.exe.  We added some more WPP tracing to see if we could narrow down the issue, and the was happening when the COM object was getting activated.

We tried to use named pipe debugging like I outlined before but it wasn't really applicable because it was using the surrogate instead of the svchost. 

You can also set up windbg to automatically attach to the children of the process that you are currently debugging, but that didn't help either.  The COM runtime was the one creating the process.  I can't remember exactly, but I think it was the RPC endpoint mapper doing it.

Then the thought I had was to just make the COM server sleep for long enough for me to attach a user-mode debugger for say 30 sec.  Our traces were showing the server's PID, or you can also use tlist.exe to find the PID.  Instead of waiting for a long timeout, I added some code that spins until a debugger is attached.

Here is the code that spins until a debugger attaches.

while (!IsDebuggerPresent()) {

   Sleep(1000);

} 

__debugbreak();

 

windbg: changing stepping by line instead of instruction

 In recently nightly builds of windbgx, I've noticed it has changed the initial default step behavior, or source mode.  Typically while source code debugging, when you press F10, or 'p', it steps by one line of code, which is called source mode.  Windbgx has recently been defaulting to stepping by instruction, which is called assembly mode.  A line of code is often several instructions, so you end up pressing F10 a lot to step through a number of lines of code which is generally not what you want if you have source while debugging.

The source stepping options are controlled by the 'l' command.  Here is the documentation, but basically you wan the 't' mode to step by lines of code instead of instructions.  Without the 't', the debugger is in assembly mode instead of source mode.

The command to go to source mode is the following:

> l+t

COM Access Violation (AV) Crashes Relating to Unloaded DLLs

My team uses a broadly used WinRT API.  Basically, all apps that have a device-related scenario use it.  This means buggy apps that crash will sometimes have our component featured in their Watson dumps.  Based on certain metrics, Watson will turn buckets turn into code bugs, so we have to triage them.  Aside: in case you were wondering, bugs from WER (Windows Error Reporting) service and dumps, do generate bugs and get fixed, so WER is useful.

A number of AV crash bugs we see are related to our device watcher calling back into the app's handlers for the device events, which almost always means a lifetime management bug in the app.  

You can check the memory allocations to see if they are busy or free.  This applies more to the component that owns the object's memory.  I think I covered that before.  That will let you know if the object has already been released.  A lot of times you can still see the object's state after it has been freed, but the important part is that it has been released/freed already, so the object is not being ref counted correctly.  AppVerif has a handy COM set of checks which might help if you think you may have this problem in your code.  With smart pointers, it can be a little harder to see what is happening with the object's references.  If the object model is not too complicated, you can just find the bug with code inspection.

A super common reason for AVs like this is the DLL is unloaded.  COM aggressively unloads DLLs not being used by calling DllCanUnloadNow.  If the implementation has a bug, the DLL will get unloaded while objects and other COM operations are in flight.  Eventually, when COM tries to CoUnitialize an object that belongs to that DLL, it will AV.  This also applies to other COM things like when COM tries to marshal between apartments, etc.

 We see crashes like this fairly often:

0:049> .excr
rax=00007ff8f305cf70 rbx=0000026dfc5cc900 rcx=0000026dfc5cc900
rdx=0000000000012f06 rsi=0000026dfa091b00 rdi=0000026dfa091ae0
rip=00007ff990c9094d rsp=000000b92deff490 rbp=00000000800401fd
 r8=00007ff970a0b370  r9=000000b92deff5d0 r10=dee01e7974d59970
r11=000000b92deff5e0 r12=0000000000012f06 r13=00007ff970a0b370
r14=000000b92deff5d0 r15=00007ff8f305cf70
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
combase!CGIPTable::GetRequestedInterface+0x22 [inlined in combase!CGIPTable::GetInterfaceFromGlobal+0x1ed]:
00007ff9`90c9094d 488b00          mov     rax,qword ptr [rax] ds:00007ff8`f305cf70=????????????????
0:049> k
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr               Call Site
00 (Inline Function) --------`--------     combase!CGIPTable::GetRequestedInterface+0x22 [onecore\com\combase\dcomrem\giptbl.cxx @ 1615] 
01 000000b9`2deff490 00007ff9`7097515b     combase!CGIPTable::GetInterfaceFromGlobal+0x1ed [onecore\com\combase\dcomrem\giptbl.cxx @ 1660] 
02 000000b9`2deff560 00007ff9`70977823     Windows_Devices_Enumeration!Gip<Windows::Foundation::ITypedEventHandler<Windows::Devices::Enumeration::DeviceWatcher *,Windows::Devices::Enumeration::DeviceInformation *> >::Localize+0x6b [onecore\private\base\inc\devices\Git.h @ 167] 
03 (Inline Function) --------`--------     Windows_Devices_Enumeration!GitDelegate2<Windows::Foundation::ITypedEventHandler<Windows::Devices::Enumeration::DeviceWatcher *,Windows::Devices::Enumeration::DeviceInformation *>,Windows::Devices::Enumeration::IDeviceWatcher *,Windows::Devices::Enumeration::IDeviceInformation *>::GetHandler+0x11 [onecoreuap\base\devices\rtenum\dllsrv\GitDelegate.h @ 254] 
04 000000b9`2deff5a0 00007ff9`70976d95     Windows_Devices_Enumeration!GitDelegate2<Windows::Foundation::ITypedEventHandler<Windows::Devices::Enumeration::DeviceWatcher *,Windows::Devices::Enumeration::DeviceInformation *>,Windows::Devices::Enumeration::IDeviceWatcher *,Windows::Devices::Enumeration::IDeviceInformation *>::Invoke+0x23 [onecoreuap\base\devices\rtenum\dllsrv\GitDelegate.h @ 303] 
05 (Inline Function) --------`--------     Windows_Devices_Enumeration!Microsoft::WRL::EventSource<Windows::Foundation::ITypedEventHandler<Windows::Devices::Enumeration::DeviceWatcher *,Windows::Devices::Enumeration::DeviceInformation *>,Microsoft::WRL::InvokeModeOptions<-2> >::InvokeAll::__l2::<lambda_00d1300cb6cb75d6b2b5344e37267964>::operator()+0x36 [onecore\external\sdk\inc\wrl\event.h @ 964] 
06 000000b9`2deff5d0 00007ff9`70976cf4     Windows_Devices_Enumeration!Microsoft::WRL::InvokeTraits<-2>::InvokeDelegates<<lambda_00d1300cb6cb75d6b2b5344e37267964>,Windows::Foundation::ITypedEventHandler<Windows::Devices::Enumeration::DeviceWatcher *,Windows::Devices::Enumeration::DeviceInformation *> >+0x79 [onecore\internal\sdk\inc\wrl\internalevent.h @ 121] 
07 000000b9`2deff630 00007ff9`70981d3d     Windows_Devices_Enumeration!Microsoft::WRL::EventSource<Windows::Foundation::ITypedEventHandler<Windows::Devices::Enumeration::DeviceWatcher *,Windows::Devices::Enumeration::DeviceInformation *>,Microsoft::WRL::InvokeModeOptions<-2> >::DoInvoke<<lambda_00d1300cb6cb75d6b2b5344e37267964> >+0x78 [onecore\external\sdk\inc\wrl\event.h @ 954] 
08 (Inline Function) --------`--------     Windows_Devices_Enumeration!Microsoft::WRL::EventSource<Windows::Foundation::ITypedEventHandler<Windows::Devices::Enumeration::DeviceWatcher *,Windows::Devices::Enumeration::DeviceInformation *>,Microsoft::WRL::InvokeModeOptions<-2> >::InvokeAll+0x19 [onecore\external\sdk\inc\wrl\event.h @ 964] 
09 000000b9`2deff670 00007ff9`8ee2d946     Windows_Devices_Enumeration!Watcher<Windows::Devices::Enumeration::DeviceWatcher,Windows::Devices::Enumeration::IDeviceWatcher,Windows::Devices::Enumeration::IDeviceWatcher2,Windows::Devices::Enumeration::DeviceInformation,Windows::Devices::Enumeration::IDeviceInformation,Windows::Devices::Enumeration::IDeviceInformation2,DeviceInformationServer,Windows::Devices::Enumeration::DeviceInformationUpdate,Windows::Devices::Enumeration::IDeviceInformationUpdate,DeviceInformationUpdateServer,&RuntimeClass_Windows_Devices_Enumeration_DeviceWatcher>::Impl::DevQueryCallback+0x3ad [onecoreuap\base\devices\rtenum\dllsrv\Watcher.h @ 889] 
0a 000000b9`2deff710 00007ff9`91b9b0ea     cfgmgr32!TQuery::ServiceActionQueue+0xe2 [onecore\base\pnp\devquery\lib\query.cpp @ 245] 
0b 000000b9`2deff7a0 00007ff9`91b3ec06     ntdll!TppWorkpExecuteCallback+0x13a [minkernel\threadpool\ntdll\work.c @ 671] 
0c 000000b9`2deff7f0 00007ff9`8ff94ede     ntdll!TppWorkerThread+0x686 [minkernel\threadpool\ntdll\worker.c @ 1109] 
0d 000000b9`2deffae0 00007ff9`91b87c6b     kernel32!BaseThreadInitThunk+0x1e [clientcore\base\win32\client\thread.c @ 70] 
0e 000000b9`2deffb10 00000000`00000000     ntdll!RtlUserThreadStart+0x2b [minkernel\ntdll\rtlstrt.c @ 1152] 
0:049> .frame 0n0;dv /t /v
00 (Inline Function) --------`--------     combase!CGIPTable::GetRequestedInterface+0x22 [onecore\com\combase\dcomrem\giptbl.cxx @ 1615] 
@rbx              struct IUnknown * pUnk = 0x0000026d`fc5cc900
@r15              void * pVtableAddress = 0x00007ff8`f305cf70
<unavailable>     HRESULT hr = <value unavailable>
0:049> dps 0x0000026d`fc5cc900
0000026d`fc5cc900  00007ff8`f305cf70 <Unloaded_xxxxxxxxx.dll>+0xc2cf70
0000026d`fc5cc908  00000001`00000000
0000026d`fc5cc910  0000026d`fbdc9af0
0000026d`fc5cc918  00080000`00000000
0000026d`fc5cc920  00000000`00000008
0000026d`fc5cc928  00000008`4d454d4c
0000026d`fc5cc930  0000026d`fc4d3bf8

You can see that the handler's dll is already unloaded.

// or another example ///

:000> k
combase!CStdMarshal::DisconnectSrvIPIDs::__l29::<lambda_2a3a7b5175b0a5e47c77e1d8eff078e5>::operator()+0x7
combase!ObjectMethodExceptionHandlingAction<<lambda_2a3a7b5175b0a5e47c77e1d8eff078e5> >+0x24
combase!CStdMarshal::DisconnectSrvIPIDs+0x30d
combase!CStdMarshal::DisconnectWorker_ReleasesLock+0x2d7
combase!CStdMarshal::DisconnectSwitch_ReleasesLock+0x1c
combase!CStdMarshal::DisconnectAndReleaseWorker_ReleasesLock+0x32
combase!COIDTable::ThreadCleanup+0x117
combase!FinishShutdown::__l2::<lambda_3d4acc620ec77839d81caec938b15158>::operator()+0x5
combase!ObjectMethodExceptionHandlingAction<<lambda_3d4acc620ec77839d81caec938b15158> >+0x9
combase!FinishShutdown+0x78
combase!ApartmentUninitialize+0xc9
combase!wCoUninitialize+0x17d
combase!CoUninitialize+0xea
wuaueng!UHRunRemoteHandlerServer+0x25e
...

0:000> .exr -1
ExceptionAddress: 00007ffe8571a510 (combase!CStdMarshal::DisconnectSrvIPIDs::__l29::<lambda_2a3a7b5175b0a5e47c77e1d8eff078e5>::operator()+0x0000000000000007)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
Attempt to read from address 00007ffe59d74ee8
0:000> ln 00007ffe59d74ee8
(00007ffe`59d74ee8)   <Unloaded_xxxxxxxxxxx.dll>+0x1b4ee8

Howto: Enable Application Verifier Within WinDbg

!gflag debugger extention

A quick way to enable AppVerifier settings from the kernel debugger is to use !gflag debugger extension. This extension also enables Heaps, Handles and Locks checks only. Any process that is launched after the settings are enabled will run with these AppVerifier settings.

To enable lite pageheap, Handles and Locks checks on all apps that start from here on:

   kd>!gflag +vrf

To enable full pageheap

   kd>!gflag +hpa

To disable settings:

   kd>!gflag -vrf
   kd>!gflag -hpa

!avrf debugger extention

The !avrf extension controls the settings of Application Verifier and displays a variety of output produced by Application Verifier.

    !avrf
    !avrf -vs { Length | -a Address }
    !avrf -hp { Length | -a Address }
    !avrf -cs { Length | -a Address }
    !avrf -dlls [ Length ]
    !avrf -trm
    !avrf -ex [ Length ] 
    !avrf -threads [ ThreadID ]
    !avrf -tp [ ThreadID ]
    !avrf -srw  [ Address | Address Length ] [ -stats ]
    !avrf -leak  [ -m ModuleName] [ -r ResourceType] [ -a Address ] [ -t ]
    !avrf -trace TraceIndex 
    !avrf -cnt
    !avrf -brk [BreakEventType]  
    !avrf -flt [EventType Probability] 
    !avrf -flt break EventType 
    !avrf -flt stacks Length 
    !avrf -trg [ Start End | dll Module | all ] 
    !avrf -settings 
    !avrf -skp [ Start End | dll Module | all | Time ] 

Parameters

-vs { Length | -a Address }
Displays the virtual space operation log. Length specifies the number of records to display, starting with the most recent. Address specifies the virtual address. Records of the virtual operations that contain this virtual address are displayed.

-hp { Length | -a Address }
Displays the heap operation log. Address specifies the heap address. Records of the heap operations that contain this heap address are displayed.

-cs { Length | -a Address }
Displays the critical section delete log. Length specifies the number of records to display, starting with the most recent. Address specifies the critical section address. Records for the particular critical section are displayed when Address is specified.

-dlls [ Length ]
Displays the DLL load/unload log. Length specifies the number of records to display, starting with the most recent.

-trm
Displays a log of all terminated and suspended threads.

-ex [ Length ]
Displays the exception log. Application Verifier tracks all the exceptions in the application.

-threads [ ThreadID ]
Displays information about threads in the target process. For child threads, the stack size and the CreateThread flags specified by the parent are also displayed. If you provide a thread ID, information for only that thread is displayed.

-tp [ ThreadID ]
Displays the threadpool log. This log contains stack traces for various operations such as changing the thread affinity mask, changing thread priority, posting thread messages, and initializing or uninitializing COM from within the threadpool callback. If you provide a thread ID, information for that thread only is displayed.

-srw [ Address | Address Length ] [ -stats ]
Displays the Slim Reader/Writer (SRW) log. If you specify Address, records for the SRW lock at that address are displayed. If you specify Address and Length, records for SRW locks in that address range are displayed. If you include the -stats option, the SRW lock statistics are displayed.

-leak [ -m ModuleName] [ -r ResourceType] [ -a Address ] [ -t ]
Displays the outstanding resources log. These resources may or may not be leaks at any given point. If you specify Modulename (including the extension), all outstanding resources in the specified module are displayed. If you specify ResourceType, all outstanding resources of that resource type are displayed. If you specify Address, records of outstanding resources with that address are displayed. ResourceType can be one of the following:

Heap: Displays heap allocations using Win32 Heap APIs

Local: Displays Local/Global allocations

CRT: Displays allocations using CRT APIs

Virtual: Displays Virtual reservations

BSTR: Displays BSTR allocations

Registry: Displays Registry key opens

Power: Displays power notification objects

Handle: Displays thread, file, and event handle allocations

-trace TraceIndex Displays a stack trace for the specified trace index. Some structures use this 16-bit index number to identify a stack trace. This index points to a location within the stack trace database.

-cnt Displays a list of global counters.

-brk [ BreakEventType ] Specifies a break event. BreakEventType is the type number of the break event. For a list of possible types, and a list of the current break event settings, enter !avrf -brk.

-flt [ EventType Probability ] Specifies a fault injection. EventType is the type number of the event. Probability is the frequency with which the event will fail. This can be any integer between 0 and 1,000,000 (0xF4240). If you enter !avrf -flt with no additional parameters, the current fault injection settings are displayed.

-flt break EventType Causes Application Verifier to break into the debugger each time this fault, specified by EventType, is injected.

-flt stacks Length Displays Length number of stack traces for the most recent fault-injected operations.

-trg [ Start End | dll Module | all ] Specifies a target range. Start is the beginning address of the target range. End is the ending address of the target range. Module specifies the name (including the .exe or .dll extension, but not including the path) of a module to be targeted. If you enter -trg all, all target ranges are reset. If you enter -trg with no additional parameters, the current target ranges are displayed.

-skp [ Start End | dll Module | all | Time ] Specifies an exclusion range. Start is the beginning address of the exclusion range. End is the ending address of the exclusion range. Module specifies the name of a module to be targeted or excluded. Module specifies the name (including the .exe or .dll extension, but not including the path) of a module to be excluded. If you enter -skp all, all target ranges or exclusion ranges are reset. If you enter aTime value, all faults are suppressed for Time milliseconds after execution resumes.

Setting windbg to break in for C++ exceptions

Sometimes unhanded C++ exceptions will crash you program.

It might looks something like this:

(fc0.5204): C++ EH exception - code e06d7363 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
KERNELBASE!RaiseException+0x69:

windbg has gotten a lot better at handling exceptions.  A lot of times, you can just type:

> .excr

And it will reconstituted and set the context to the stack the threw; still, there are other factors that may prevent this from working like you'd want.

If that doesn't work, you can just use the trusty sx to set an exception handler

> sxe eh

Or if you have a specific structured exception number

> sxe number