
I tried attaching to a process (which belongs to an antivirus) using windbg. I ran windbg as administrator but I get the following error when I try to attach to the process:

Unable to examine process id 6128. Win32 error 0n5
Cannot debug pid 6128, Win32 error 0n5
Access is denied

Is there anything that I am overlooking? Thank you for your help.

SivaDotRender
  • What version of Windows is this? Can you try "kernel debugging" the process? It's probably a kernel mode process and you're trying to debug it from user mode. – DrWatson Sep 24 '15 at 21:11
  • @DrWatson It's Windows 7 Enterprise SP1. I will try kernel mode debugging and let you know how it goes. – SivaDotRender Sep 24 '15 at 21:16
  • I tried that (locally) on my Windows 7 and it says "Local kernel debugging requires Windows XP, Administrative privileges, and is not supported by WOW64." :( – DrWatson Sep 24 '15 at 21:18
  • Is the process 32 or 64 bits? Also, are you using the 32-bit or 64-bit version of WinDbg? – Dono Sep 24 '15 at 21:48
  • Anti-virus software usually protects its processes from interference, including debugging. There may be an option to turn this off, look for "tamper protection" or similar. If there is no option to disable tamper protection, there is probably no straightforward way to debug the process. – Harry Johnston Sep 24 '15 at 22:11
  • Run Process Monitor in the background and look at which operation triggers the Access denied error: http://technet.microsoft.com/en-us/sysinternals/bb896645 – magicandre1981 Sep 25 '15 at 04:00
  • @DrWatson: for local kernel debugging you need SysInternals Livekd – Thomas Weller Sep 25 '15 at 09:47

1 Answer

Even though you're logged on as an administrator, you may need to run windbg as an elevated administrator. Try right clicking the windbg icon and select "Run as administrator". Then attempt to attach to the process.

Also, from Harry Johnston's comment above:

Anti-virus software usually protects its processes from interference, including debugging. There may be an option to turn this off, look for "tamper protection" or similar. If there is no option to disable tamper protection, there is probably no straightforward way to debug the process.

Andres
Marc Sherman
  • I also added Harry Johnston's comment which helped me resolve the issue. In my case, I was able to disable "tamper protection". – SivaDotRender Sep 28 '15 at 14:42
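As an added diagnostic (not from the original thread or any of its authors), the PowerShell script below makes the same OpenProcess call a user-mode debugger makes when attaching, after first checking whether the shell is elevated and whether SeDebugPrivilege is in the token. It lets you tell the two causes discussed above apart: if the open still fails with Win32 error 5 from an elevated shell, something in the kernel (typically the AV product's self-protection) is denying the handle, not UAC. The PID 6128 from the question is only a sample argument; the access masks are the standard Win32 constants.

```powershell
# Added example: probe why attaching a debugger to a PID fails with "Win32 error 0n5".
# Usage: .\Test-DebugAccess.ps1 -ProcessId 6128   (6128 is the PID quoted in the question)
param([Parameter(Mandatory = $true)][int]$ProcessId)

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# 1. Is this shell actually elevated? Under UAC, a member of Administrators running
#    un-elevated has the group marked deny-only, so IsInRole returns $false.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated token: $elevated"

# 2. Is SeDebugPrivilege in the token? Debuggers enable it themselves, so "Disabled" is fine;
#    "not present" means the token can never open protected system processes.
$priv = whoami /priv | Select-String 'SeDebugPrivilege'
"SeDebugPrivilege: " + $(if ($priv) { $priv.Line.Trim() } else { 'not present in token' })

# 3. Try the access masks in increasing strength. A self-protection driver typically lets the
#    limited query through but strips VM_READ/ALL_ACCESS, which is the pattern to look for.
$masks = [ordered]@{
    'PROCESS_QUERY_LIMITED_INFORMATION (0x1000)'   = 0x1000
    'PROCESS_QUERY_INFORMATION|VM_READ (0x0410)'   = 0x0410
    'PROCESS_ALL_ACCESS (0x1FFFFF, Vista+)'        = 0x1FFFFF
}
foreach ($m in $masks.GetEnumerator()) {
    $h = [Win32.Native]::OpenProcess([uint32]$m.Value, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # Error 5 (ERROR_ACCESS_DENIED) is the same "Win32 error 0n5" WinDbg prints.
        "{0}: FAILED, Win32 error {1}" -f $m.Key, $err
    } else {
        "{0}: OK" -f $m.Key
        [void][Win32.Native]::CloseHandle($h)
    }
}
```

Run it once from a normal prompt and once from an elevated one: if only the elevated run succeeds, the fix is "Run as administrator"; if both fail on the stronger masks with error 5, you are looking at tamper protection and Process Monitor will show the same denial.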