Klaus' Log

Di 19 Januar 2021

How to enable PageHeap in Windows registry without having access to gflags.exe

Posted by Klaus Eisentraut in howto   

When I fuzz Windows Applications, I often enable PageHeap which helps to detect memory access error such as buffer overflows more reliably. If you have installed the full Windows Debugging Tools, then you can use a tool named gflags.exe which is I think is the official way to do this. It is as easy as running gflags.exe /p /enable notepad.exe /full, see here.

However, often I don't want or can't install software on the target under test and fortunately, having access to gflags.exe is not required for enabling PageHeap. It is just a registry setting in the Image File Execution registry settings. I always forget the cryptic registry option, so this blog post just documents the command which enables full PageHeap for notepad.exe by adding a registry entry:

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v "GlobalFlag" /t REG_SZ /d "0x02000000" /f

Removing the global flags can be done by setting the value back to 0x00000000 (or to the value it was before).

Finally, some remarks and links:

  • You need to restart the process, otherwise the new image file execution options will not take effect. Please note that the process requires more memory now.
  • The flag must be of type REG_SZ, i.e. a string value. I don't know why Microsoft made this a string, in my opinion I would have used a REG_DWORD for setting some binary flags.
  • Here is the official reference of all global flags.
  • You can set some more flags and use a flag value of 0x02109870, too. This flag combination is stolen from the BugId github repository and explained below
REM 00000010 Enable heap tail checking
REM 00000020 Enable heap free checking
REM 00000040 Enable heap parameter checking
REM 00001000 Create user mode stack trace database
REM 00008000 Enable heap tagging by DLL
REM 00100000 Enable system critical breaks
REM 02000000 Enable page heap (full page heap)
REM ----------
REM 02109870 =

REM The following flags were considered but not enabled:
REM 00000080 Enable heap validation on call ## disabled because of overhead
REM 00000800 Enable heap tagging ## disabled because tags are not used.
REM 00000100 Enable application verifier ## disabled because of idunno
REM 00200000 Disable heap coalesce on free ## superfluous: page heap is enabled
REM 00400000 Enable close exception ## I don't think this is useful