Hi All,
Apologies if this is wrong forum or place to post in but unsure where else to post. I've had an interest in "debugging" as a means to see what's going on under the hood to fault find issues with Operating Systems but this is an area I'm very unfamiliar with and was hoping for some help/guidance.
I have a Windows 11 x64 VM which has an issue when it get's to the login screen, the screen blacks out and then the login screen appears again, I have discovered through looking in the Event Logs this is due to a third party VPN software which uses a PLAP (Pre Login Authentication Provider) module to allow it to create a button and run on the login screen, this was more so luck and there was no definitive way I was sure it was that, it seems to have some conflict with a recent Windows Update. I understand during Windows Kernel load it eventually calls winlogon.exe which calls LogonUI.exe to create the login window and "retrieve" the credentials to pass to LSASS so I assume debugging LogonUI.exe would potentially show what's happening to it.
So far I can do the following:
1.) Enabled kernel debugging on the VM and can get it to connect to a WinDbg instance on the host.
2.) Break
3.) Then !process 0 1 to list all running processes and list image name and ID along with more information which allows me to find the process id for LogonUI.exe
4.) .attach -v LogonUI.exe
5.) g (to resume from break)
Any attempt to ".attach" or ".attach -v" to LogonUI.exe and then continue results in and error saying "the parameter is incorrect", through reading the MS articles about how to set this up I did try and boot into Safe Mode to even try and simply attach to an instance of Notepad.exe but could not even get that to work.
Unsure if this is a way to get this to work or am I simply wasting my time?, Ideally I'm looking for a more definitive way in black and white to show me the issue is coming from the third party VPN app instead of just guessing.
Any help would be greatly appreciated.