SoftIce on Win XP SP1

Problem:

After installing XP SP1, SoftICE no longer works correctly.

Resolution:

There is no patch to fix SoftICE.

SoftICE can be made to function correctly.

There are several options for SoftICE support of Windows XP Service Pack 1:

(Option 1) - (For 2.6 and later SoftICE users) - Use "NTSYMBOLS=ON" in your winice.dat and download, translate, and load the symbols for ntoskrnl.exe. The downside to this is that a USB keyboard or USB mouse will not work in SoftICE.

(Option 2) - (For 2.7 and later SoftICE users) - Obtain a copy of osinfo_XPSP1.dat from:

ftp://ftp.compuware.com/pub/driverstudio/outgoing/OsInfo/osinfo_XPSP1.dat

Rename that file to osinfo.dat. Copy the file to your \winnt\system32\drivers directory and reboot.

- NOTE. Copying over the file is the only item required. You will NOT need to update your winice.dat with NTSYMBOLS=ON. You will most likely not need symbols.

(Additional Support Note)

- NOTE. There is an additional set of steps that may be required. You will know that the steps below are required if a hook failure on NtTerminateProcess shows up in the SoftICE Command Window.

1 - Update osinfo.dat and start SoftICE

2 - Type in 'mod ntoskrnl'.

This will give you information on ntoskrnl.

The piece of information that we are interested in is the "Base" of ntoskrnl.

Make note of the base address.

3 - From the SoftICE command line type in

On Single Processor Kernels - '? (base address of ntoskrnl that we got from the mod command) + 0xBDC32'

On SMP Kernels - '? (base address of ntoskrnl that we got from the mod command) + 0xDEBF2'

Write this address down.

4 - Using regedit go to the "HKLM\System\CurrentControlSet\Services\ntice\" key.

5 - Add a dword value called 'Addr.NtTerminateProcess'

6 - Set the value of this entry to the address that was calculated in step 3 above. Do not include the 0x.

7 - Reboot and you are good to go.
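
Steps 2 to 6 worked through as an added example (not part of the original article or of SoftICE): it adds the article's offset to the ntoskrnl base and formats the result both for regedit's hex DWORD field and as a .reg import file. The base address in the demo is constructed, the sanity checks on it are assumptions for 32-bit XP, and the .reg output is an alternative to the manual regedit entry the article describes.

```python
# Added example, not vendor code. Offsets, key and value name come from the
# article; the sample base address in the demo is constructed.
OFFSETS = {"up": 0xBDC32, "smp": 0xDEBF2}   # step 3: single-processor / SMP
KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ntice"
VALUE = "Addr.NtTerminateProcess"


def hook_address(base_text, kernel):
    """Step 3: ntoskrnl base (hex text from 'mod ntoskrnl') plus the offset."""
    if kernel not in OFFSETS:
        raise ValueError("kernel must be 'up' or 'smp'")
    base = int(base_text.strip(), 16)       # accepts '804D4000' or '0x804D4000'
    # Assumed sanity checks for 32-bit XP: kernel images load page-aligned
    # in the upper half of the address space.
    if base & 0xFFF or not 0x80000000 <= base <= 0xFFFFFFFF:
        raise ValueError("implausible ntoskrnl base: %r" % base_text)
    addr = base + OFFSETS[kernel]
    if addr > 0xFFFFFFFF:
        raise ValueError("result does not fit in a DWORD")
    return addr


def regedit_text(addr):
    """Step 6: what to type into regedit's hex DWORD field (no 0x prefix)."""
    return format(addr, "X")


def reg_file(addr):
    """Same setting as a .reg import file instead of manual regedit entry."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[%s]\r\n\"%s\"=dword:%08x\r\n" % (KEY, VALUE, addr))


if __name__ == "__main__":
    a = hook_address("0x804D4000", "up")    # constructed base address
    print(regedit_text(a))
    print(reg_file(a))
```

A base that is not page-aligned or lies below 0x80000000 is rejected, which catches a mistyped digit before it ends up in the registry.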

NOTE: All references to 2.6 and/or 2.7 refer to all variants of SoftICE packaging. Namely DS 2.6, SIS 2.6, SoftICE 4.2.6 are all equivalent. Same goes for the 2.7 variants.

Old KB# 11811