Windows 2000 has a set of flags stored in a systemwide global variable named NtGlobalFlag that enable various internal debugging, tracing, and validation support in the operating system. The system variable NtGlobalFlag is initialized from the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager in the value GlobalFlag at system boot time. By default, this registry value is 0, so it's likely that on your systems, you're not using any global flags. In addition, each image has a set of global flags that also turn on internal tracing and validation code (though the bit layout of these flags is entirely different than the systemwide global flags). These flags aren't documented or supported for customer use, but they can be useful tools for exploring the internal operation of Windows 2000.
Fortunately, the Platform SDK and the debugging tools contain a utility named Gflags.exe that allows you to view and change the system global flags (either in the registry or in the running system) as well as image global flags. Gflags has both a command-line and a GUI interface. To see the command-line flags, type gflags /?. If you run the utility without any switches, the dialog box shown in Figure 3-22 is displayed.
Figure 3-22 Setting system debugging options with Gflags
You can toggle between the settings in the registry (by clicking System Registry) and the current value of the variable in system memory (by clicking Kernel Mode). You must press the Apply button to make the changes. (You'll exit if you press the OK button.) Although you can change flag settings on a running system, most flags require a reboot to take effect, and there's no documentation on which do and which don't require rebooting. So when in doubt, reboot after changing a global flag.
The Image File Options choice requires that you fill in the filename of a valid executable image. This option is used to change a set of global flags that apply to an individual image (rather than to the whole system). In Figure 3-23, notice that the flags are different than the operating system ones shown in Figure 3-22.
Figure 3-23 Setting image global flags with Gflags
EXPERIMENT
Enabling Image Loader Tracing and Viewing NtGlobalFlag
To see an example of the detailed tracing information you can obtain by setting global flags, try running Gflags on a system booted with the kernel debugger that is connected to a host system running Kd or Windbg, or that is running LiveKd.
As an example, try enabling the Show Loader Snaps flag. To do this, select Kernel Mode, click the Show Loader Snaps check box, and click the Apply button. Then run an image on this machine, and in the kernel debugger you'll see volumes of output like the following:
LDR: PID: 0xb8 started - 'notepad'
LDR: NEW PROCESS
     Image Path: C:\WINNT\system32\notepad.exe (notepad.exe)
     Current Directory: C:\ddk\bin
     Search Path: C:\WINNT\System32;C:\WINNT\system;C:\WINNT
LDR: notepad.exe bound to comdlg32.dll
LDR: ntdll.dll used by comdlg32.dll
LDR: Snapping imports for comdlg32.dll from ntdll.dll

LDR: KERNEL32.dll loaded. - Calling init routine at 77f01000
LDR: RPCRT4.dll loaded. - Calling init routine at 77e1b6d5
LDR: ADVAPI32.dll loaded. - Calling init routine at 77dc1000
LDR: USER32.dll loaded. - Calling init routine at 77e78037
You can use the !gflags and !gflag kernel debugger commands to view the state of the NtGlobalFlag kernel variable. The !gflags command lists all the flags, indicating which ones are enabled, whereas !gflag reports only the flags that are enabled.
kd> !gflags
NT!NtGlobalFlag 0x4400
  STOP_ON_EXCEPTION               SHOW_LDR_SNAPS
  DEBUG_INITIAL_COMMAND           STOP_ON_HUNG_GUI
  HEAP_ENABLE_TAIL_CHECK          HEAP_ENABLE_FREE_CHECK
  HEAP_VALIDATE_PARAMETERS        HEAP_VALIDATE_ALL
 *POOL_ENABLE_TAGGING             HEAP_ENABLE_TAGGING
  USER_STACK_TRACE_DB             KERNEL_STACK_TRACE_DB
 *MAINTAIN_OBJECT_TYPELIST        HEAP_ENABLE_TAG_BY_DLL
  ENABLE_CSRDEBUG                 ENABLE_KDEBUG_SYMBOL_LOAD
  DISABLE_PAGE_KERNEL_STACKS      HEAP_DISABLE_COALESCING
  ENABLE_CLOSE_EXCEPTIONS         ENABLE_EXCEPTION_LOGGING
  ENABLE_HANDLE_TYPE_TAGGING      HEAP_PAGE_ALLOCS
  DEBUG_INITIAL_COMMAND_EX        DISABLE_DBGPRINT
kd> !gflag
NtGlobalFlag at 8046a164
Current NtGlobalFlag contents: 0x00004400
    ptg - Enable pool tagging
    otl - Maintain a list of objects for each type
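The following added example (not part of the original text or of Gflags itself) decodes an NtGlobalFlag value such as the 0x4400 reported above, and compares the running value with the GlobalFlag value saved in the registry to show which flags disappear at the next boot and which only take effect then. The bit values come from the standard Gflags flag table and are not printed on this page; the function names and the registry value 0x2 are assumptions made for the illustration.

```python
import re

# Bit values from the standard Gflags flag table (not printed on the page);
# names follow the page's !gflags listing.
FLAGS = {
    0x00000001: "STOP_ON_EXCEPTION",          0x00000002: "SHOW_LDR_SNAPS",
    0x00000004: "DEBUG_INITIAL_COMMAND",      0x00000008: "STOP_ON_HUNG_GUI",
    0x00000010: "HEAP_ENABLE_TAIL_CHECK",     0x00000020: "HEAP_ENABLE_FREE_CHECK",
    0x00000040: "HEAP_VALIDATE_PARAMETERS",   0x00000080: "HEAP_VALIDATE_ALL",
    0x00000400: "POOL_ENABLE_TAGGING",        0x00000800: "HEAP_ENABLE_TAGGING",
    0x00001000: "USER_STACK_TRACE_DB",        0x00002000: "KERNEL_STACK_TRACE_DB",
    0x00004000: "MAINTAIN_OBJECT_TYPELIST",   0x00008000: "HEAP_ENABLE_TAG_BY_DLL",
    0x00020000: "ENABLE_CSRDEBUG",            0x00040000: "ENABLE_KDEBUG_SYMBOL_LOAD",
    0x00080000: "DISABLE_PAGE_KERNEL_STACKS", 0x00200000: "HEAP_DISABLE_COALESCING",
    0x00400000: "ENABLE_CLOSE_EXCEPTIONS",    0x00800000: "ENABLE_EXCEPTION_LOGGING",
    0x01000000: "ENABLE_HANDLE_TYPE_TAGGING", 0x02000000: "HEAP_PAGE_ALLOCS",
    0x04000000: "DEBUG_INITIAL_COMMAND_EX",   0x08000000: "DISABLE_DBGPRINT",
}
KNOWN_MASK = sum(FLAGS)  # every bit that has a name in the table above

def decode(value):
    """Return (names of set flags in bit order, leftover bits with no name here)."""
    names = [name for bit, name in sorted(FLAGS.items()) if value & bit]
    return names, value & ~KNOWN_MASK

def parse_gflag_output(text):
    """Extract the mask from !gflag output ('Current NtGlobalFlag contents: 0x...')."""
    match = re.search(r"NtGlobalFlag contents:\s*0x([0-9a-fA-F]+)", text)
    if match is None:
        raise ValueError("no NtGlobalFlag contents line found")
    return int(match.group(1), 16)

def compare(registry_value, running_value):
    """Registry GlobalFlag seeds NtGlobalFlag at boot, so the two can diverge."""
    return {
        # Set only in kernel memory: gone after the next reboot.
        "lost_at_reboot": decode(running_value & ~registry_value)[0],
        # Set only in the registry: not in the running NtGlobalFlag until reboot.
        "applied_at_next_boot": decode(registry_value & ~running_value)[0],
    }

# The !gflag output shown on the page.
PAGE_OUTPUT = """NtGlobalFlag at 8046a164
Current NtGlobalFlag contents: 0x00004400"""

if __name__ == "__main__":
    running = parse_gflag_output(PAGE_OUTPUT)
    print(hex(running), decode(running))
    # Constructed registry value: only Show Loader Snaps saved in GlobalFlag.
    print(compare(0x2, running))
```

Because the registry value is 0 by default, any name reported for a machine that isn't deliberately being debugged is worth tracing back to whoever set it.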