Entrian Solutions

Setting a Visual Studio breakpoint on a Win32 API function in user32.dll

Thursday, March 5th, 2009 by

I recently had a problem with my Windows application causing the desktop icons to flicker.  I knew that the LockWindowUpdate API could cause that, but I also knew I didn’t use it.  Maybe one of the libraries I use (MFC?) was doing it.

So I wanted to set a Visual Studio breakpoint on that API’s location.  I tried
{,,user32.dll}_LockWindowUpdate@4 but that didn’t work.  I knew that {,,user32.dll}_SendMessageA@16 works for setting a breakpoint on SendMessage (which is also in user32.dll), so why doesn’t the same thing work for LockWindowUpdate?

It turns out that the function is called NtUserLockWindowUpdate as far as the debugger is concerned, so you need to use {,,user32.dll}_NtUserLockWindowUpdate@4

I don’t know which other APIs have that NtUser prefix, but I bet there are some.

Interestingly, the exported symbol as reported by Dependency Walker is called LockWindowUpdate – it’s only in the debug symbols that it’s NtUserLockWindowUpdate.  I used Dependency Walker to find the symbol’s address: my breakpoint for SendMessage was at 7D94B5BA and Dependency Walker told me that its export address was 1b5ba.  LockWindowUpdate was exported at 27d5c, so a quick bit of maths pointed me to 7D957D5C, and hence the real name of the function:


(By the way, Raymond Chen’s series of posts on LockWindowUpdate are required reading for anyone thinking of using it: What does LockWindowUpdate do?)

18 Responses to “Setting a Visual Studio breakpoint on a Win32 API function in user32.dll”

  1. Asher Says:

    I don’t know how these expressions work.

    When I type {,,user32.dll}_SendMessageA@16 into the watch window, I get the error “CXX0036: Error: bad context {…} specification”

  2. Richie Hindle Says:

    @Asher: You type the expression into the New Breakpoint dialog, not the Watch window.

  3. Innes Says:

    I want to do this kind of thing at the moment. When reading about the facility, I immediately thought “I’ll be amazed if this works”, and sure enough it doesn’t. I tried your ‘SendMessage’ breakpoint but no dice. I wonder what I could be doing wrong. The MS page on this is of course not much use: http://msdn.microsoft.com/en-us/library/d16ayc6z.aspx

  4. Innes Says:

    …and I got it working.

    I guess I should have read the words ‘native only’ on the MS page, and actually paid attention!

  5. Mehdi Says:

    Why dont take the function adress directly: declare a pointer to the api function where you want to put the breakpoint, in this case:

    BOOL (*ptFunction)(HWND) = ::LockWindowUpdate ;

    then debug your program, in the watch take the value of ptFunction and add it in the “Break at Function” dialog

  6. Richie Hindle Says:

    @Mehdi: I’m sure that would work, but it requires you to change your source code. Just adding “NtUser” to the name is much easier if it works – if it doesn’t, your method would be very useful!

  7. Justin Dearing Says:

    There is a much easier way to do this. If you set _NT_SYMBOL_PATH to contain the microsoft public symbol server and run the 32 bit version of dumpbin.exe /exports, it will list the decorated function names. You can’t use the 64 bit version, because 64 bit dll exports don’t have decorations anyway.

    One interesting thing about dumpbin is that the dlls you examine with it are subject to the same SYSWOW64 swapping as dlls actualloy loaded by LoadLibraryEx. E.g:

    dumpbin /exports c:\Windows\SysWOW64\advapi32.dll
    dumpbin /exports c:\Windows\system32\advapi32.dll
    Would be rerouted to each other idepending on which version of dumpbin you ran.

  8. Richie Hindle Says:

    @Justin: That’s a great tip – thanks very much!

  9. หนังโป Says:

    Whу people still make use of to read news papers
    when in this technological globe all is available
    on web?

  10. porn videos Says:

    It’ѕ going to bᥱ finish of mine ԁay, but before
    ending I am reading this wonderful piece of writing to
    increase mу knowledge.

  11. porn tube Says:

    Ηi there, eᴠerything is going nicely here and ⲟfcourse every one is sharing data, that’s genuinely excellent, keep up writing.

  12. sex Says:

    Sⲟmeone essentially lend a hand to make critically ɑrticles I might ѕtate.

    That is the very first time I frequented your website paցe
    and to this point? I amazed ᴡith tҺe analysis you made to create this particulaг publish amazing.
    Fantastic job!

  13. หนัง Says:

    Aw, this ᴡas a really nice post. Spendіng some time and ɑctual effort to produce a sᥙperb article… but what
    can I sаy… I procrastinate a whole lot аnd don’t manage to get nearly
    anything done.

  14. porn video Says:

    Hi tҺere Dear, are you genuineⅼy visiting this ԝeb sitе on a reguⅼar ƅasis, if so then you will without doubt
    get nice knowledge.

  15. หนังxออนไลน์ Says:

    When I oгiginaⅼly commented I appear to have clickеԀ on the -Ⲛotify
    mе when new comments are aɗⅾed- checkbox and now each time a comment is aɗded I recieve four emails with the same comment.

    Perhaps thеre is a means you are able to remove me from that service?

  16. คลิบโป้ Says:

    Eҳcellent weblоg right here! Additionaⅼly your site a lot up
    fast! What host are ʏoս the use of? Can I gᥱt your affiliate link for youг host?
    I wiѕh mʏ site loadeԀ up as quickly as yours lol

  17. หนังเอ็กซ์ Says:

    Ꮤhat’s up, this weekend is nice in support of me, as
    this time i am readіng tҺіs great infoгmative paгagraph here at my house.

  18. คลิป Says:

    I’m really imрressed together with your wrіting skiⅼls and also
    with the structurе on your blog. Is this a paid subject mɑtter ߋr did you modify іt your
    ѕelf? Either way stay up the excellent
    high quality wrіting, it is rare to peer a nice bⅼog like this one these days..

Leave a Reply